From 612cde1cf3287f1f2f66b0f33095b6b4326e75c7 Mon Sep 17 00:00:00 2001
From: Joshua Wright
Date: Mon, 6 May 2019 14:34:31 -0400
Subject: [PATCH] Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs
---
 DeepBlue.ps1 | 37 ++++++++++++------------
 evtx/metasploit-psexec-pwshpayload.evtx | Bin 0 -> 69632 bytes
 2 files changed, 19 insertions(+), 18 deletions(-)
 create mode 100755 evtx/metasploit-psexec-pwshpayload.evtx
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 93ab3bb..2fb6234 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -158,23 +158,24 @@ function Main {
 Write-Output($obj)
 }
 # This unique privilege list is used by Metasploit exploit/windows/smb/psexec (v5.0.4 tested)
- If ($privileges -Match "SeSecurityPrivilege" ` -And $privileges -Match "SeBackupPrivilege" ` -And $privileges -Match "SeRestorePrivilege" ` -And $privileges -Match "SeTakeOwnershipPrivilege" ` -And $privileges -Match "SeDebugPrivilege" ` -And $privileges -Match "SeSystemEnvironmentPrivilege" ` -And $privileges -Match "SeLoadDriverPrivilege" ` -And $privileges -Match "SeImpersonatePrivilege" ` -And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
- $obj.Message = "Metasploit psexec Privilege Use"
- $obj.Results = "Username: $username`n"
- $obj.Results += "Domain: $domain`n"
- $obj.Results += "User SID: $securityid`n"
- $pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
- $obj.Results += "Privileges: $pprivileges"
- Write-Output($obj)
- }
+# # Disabling due to false-positive with MS Exchange Server
+# If ($privileges -Match "SeSecurityPrivilege" `
+# -And $privileges -Match "SeBackupPrivilege" `
+# -And $privileges -Match "SeRestorePrivilege" `
+# -And $privileges -Match "SeTakeOwnershipPrivilege" `
+# -And $privileges -Match "SeDebugPrivilege" `
+# -And $privileges -Match "SeSystemEnvironmentPrivilege" `
+# -And $privileges -Match "SeLoadDriverPrivilege" `
+# -And $privileges -Match "SeImpersonatePrivilege" `
+# -And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
+# $obj.Message = "Metasploit psexec Privilege Use"
+# $obj.Results = "Username: $username`n"
+# $obj.Results += "Domain: $domain`n"
+# $obj.Results += "User SID: $securityid`n"
+# $pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
+# $obj.Results += "Privileges: $pprivileges"
+# Write-Output($obj)
+# }
 }
 ElseIf ($event.id -eq 4720){ # A user account was created.
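Review bot: Commenting out the entire privilege-set check removes this Metasploit psexec privilege-use detection outright instead of narrowing it, so the Exchange false positive is traded for a blind spot on every host the script is run against; the enclosing function Main starts and ends outside the hunk. A scoped fix would keep the check and exclude only the identity that trips it — for example compare `$username`/`$domain` against the Exchange service account before emitting, or gate the block behind a script switch so operators on non-Exchange hosts can keep it on. Dead code left as `#`-prefixed lines drifts from the live code and git already preserves it, so delete the block and keep a one-line rationale such as `# Metasploit psexec privilege-set check removed (2019-05): MS Exchange Server grants the same privilege set and caused false positives; see git history to restore.` The retained context comment `# This unique privilege list is used by Metasploit ...` now describes nothing that runs and should be removed or reworded with it. Whether the newly added evtx sample still fires any other rule once this check is gone is not visible from the hunk and is worth confirming.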
@@ -471,7 +472,7 @@ function Main {
 if($multipleadminlogons.$username){
 $obj.Message="Multiple admin logons for one account"
 $obj.Results= "Username: $username`n"
- $obj.Results += "User SIDs: $securityid"
+ $obj.Results += "User SID Access Count: " + $securityid.split().Count
 Write-Output $obj
 }
 }
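Review bot: `$securityid.split().Count` on the new line counts whitespace-delimited tokens without dropping empty ones, so if `$securityid` is the whitespace-joined SID list the removed line suggests (it is built outside the hunk), any leading, trailing or doubled whitespace yields empty tokens and inflates the count; split with a regex and discard empties, e.g. `$sids = @($securityid -split '\s+' | Where-Object { $_ })`. The revised alert also drops the SIDs themselves, which are what an analyst pivots on, so emit both — `$obj.Results += "User SID Access Count: $($sids.Count)"` followed by a newline and `$obj.Results += "User SIDs: $($sids -join ', ')"`. Note that the label "Access Count" equals the number of SID entries in the list, which only matches the commit's "attempt count" if a SID is appended once per logon rather than once per unique SID; the accumulation code is not in the hunk, so confirm that before relying on the number. The enclosing function Main begins and ends outside the hunk.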
diff --git a/evtx/metasploit-psexec-pwshpayload.evtx b/evtx/metasploit-psexec-pwshpayload.evtx new file mode 100755 index 0000000000000000000000000000000000000000..bfc44dc9bf0824ef2c0e351f3ab0ef0c42a2b018 GIT binary patch literal 69632 zcmeI1eQcdo9mjw7>Fw?9%e`$^3S$Ut;DCWGTSv!UoUZf*mW^(*@*=57q1`&xwX^G9 z$Ur7Se2I`nfe>B<4H{yMCK_HvNf`QvMj;x&8DhWy(TGMg21HH$e$P42y|qdTz2_o*`6%ij+o|D_L^EnQ@GL-#M9 z48@N6#`d2-GSL<{aB{WTy*P9j&zbGUeK-~*6u1ldYjF%QUAi6h%hMmTX1(e1+^O%! zRr&XOLx1~1`PCtxUr#{ZYaxF*+GKhX?{7u^c|n<610{8rgoBg|QT8&(xVmgyy*0j# z4H(~C(%N~x)M=sbnd;O9Sy`t21Yh#MCr+(#=9y+^pjF?Zk&*bd~ALzzNSgK=kaupsqK&Hp*Dy`f0+K`Rf1m3@ZD|1cw z_(XlB?YEsaf{(lLp)%EO!zeakyKJ?cjlbP?HFAbfW&qEvxNk?!xQ*d$%(kLrE8fSD zf41$zw^7{NY$^WE!P8P(iT^`|?srdli&B%5SC!1$SYO7r*tKYR!u4ntVK7G^S3IL{ z9LU;c*ZW@dHHcE<`1&xeo>&<-+@7{x2)h#>IiLl0;X6cbu}ht(gAjZlx@##RG=jWs zmibE1p(V{}JKy%W-q_q}b^xQk+E!RQ`sd$DR3F6q5b|3v>Q#7d!_!Jzj{J5!@mo9U zY{h*Q?nAZ=&H$!tI~v@M z#>O!MvwYezQNF@5=~S(qf{b{j&9APqOG2^j7~CknMfqAwr=epf;U!*TgTJb@jVMT6 z8F7V-g(8EQv3no@Q}=kz(8mpl!H=|N)kiPl%TI+Ph zD94DCB*xm0ay>r_Lf5=eV;yL50)kUpCoodqZobOuGk-xbPJ8=L8;xE2mN=$qD$TR{ z3dph(eZ)rW(TA!rfc;MJJ+31^y%$i9URXNHQu9J}SToeT-S`VqWG$PaY3J15yebRA z!+~uKAYX0SiqzyJy#k#9)90b0ohUf~MH+Q-V}2`BS#T%6J!ry@HI0g^QQ>)1Xxq5(q1OPhS{{c6nTqif+a(2HmwFbhJ z+IZUbQBhhTMJ$98{gPyrk;Ou>=c{qsxXgmZ35*T<0zpBvA5?XnfSj@&qMR@dlX zV-0GwKj4vZ0{utOjrZICUk(u%x6#uxB%-HhNag%_9tfQ$&ezlURoHR(LZeAda6WO0 z*JJ2LuUGJH%%FFR^1+iagXXT_x0pe{Rq#;Epoc2>AqqqD<+`Mwi9HERGAb^335riI z;l!uqE!g>d&f9L5pzU@gXrJ@34fd9{0oKG@+9==PRd69PsJpY+Nw!Ek>7~R&-r2o; zBP^QhZYG1)VD-+JB^k6HC@{Z696M662;HQYtz&OU3lGN8>B|p4`0>M-$rB#o{khae z%;-(Hu80lWTw<_t2hswsz;!`)!Uej`7T^NwK%$x^Tk{dnZ=hNdW#hgVs8Z*>i9_r5^ z^;C-%3n_eHLvOPU*G9||ZCR9q?}Q!13UGF?4yqH|!Pm*29};Zg z>mWG+XD|``f3hWfb6~!!&bcq2e{Kz?%9O*3s&;=Ydmc>v)wTm#wJSmXsbv|HaWo7F zhh{C!ka!2mZ9*{1sE9H7Fl3p%pDvWX3KDIbwU5%RQ8#*FP|1zhsEdoKxU-F)^E-eQ z)fG5V&e`g$N9()7h}f5pyl1P$QF*=a8Rr;n85)iKw$-GqC8N57Yam4mLh^wr<@ z{J6M3j{P1D)O%s^{!vAXXUiH27BBX*(^}`rYCIz2SF5_z_+T7CG<+i%Y+iLd4UKwhHUaP~-fUCC;n^3Oi 
zD2K>{<4csX*f!Vs7;L6ry~QzBdnwn4-qsX*JKlNi30ObxOnF>H8{k*|W<1jZ4>;<@ z_OOehG>QK4QfGsAIBQ&NsaUtx*PUhL@gYu>tFwCcwKm9pc2V{w@EM0}JPhMO7dJ`V zk<)sOJA3O%M7i7yv$PR)ryC~%TK1hNt3M3k2@GQ$5{z>7ewGr;Pn{d?L84rPHL(4b zFgCY2_Hjn7v-C-G**Jqt>!B?jXn7Fh_c{>e=K1oB2B>M=(gaP*U?)V6N1w?!pvjk{ zcCaL+3MJ>ER6EC*eUCA6TC3vk1^awG2+<%6*Ub}3|l%sw8V%kv^0OlmXcTcalW-gOMD5&M27yP zk0(Mrnxb6fI)4T#Q*8v}X2vChB{slo%JDPAcHPc*?{({zb^FjaTNy>)3($AknHTIZ zu>DNAi+fz|c}rtGZYQ{H$cFfj+X$BDzSwUyn%z6}$(3Q)tjejFZRhvH6yu=OvIT`WD2}_h)4LAWl^?`T?{mEmen0*ph0k{kFW&N- zQ~vYWFa7O-o-?5_A?`T|k8#{Ht6z;*eOc6#xJpacT3oMaEqDS2Ymw+-OKT=u2dn_r zo>ktWulDOY?Aa1MMzL%$4#3n;vsa^1ym#vh`a^xC-fo7{`aK}^&nLfipR3-^^~7RL z1@+ce{G_0_@j6M0->Js~AA}yapLpo{_=i9~ANpA9MV0G1pE>kmbA~_n1wCGX$5@Y# zLLae!--SK~ZBEpyQf-dcO*BLNJky~sPaRz3ofr!y*DS6%o;+aH9Q9dAh}{$EPVKw6 zmi)TQcz>EGbtgROi1Vp_zg>*NeBCM^wIxbDecj@yu}-mu;S~yJ&h*9QXVCPeE8t7# za^5`My61WIOyB0xc6^rodRUa5_^G+S>=)U7_}k(S!OP)4`{A2+A_{6n9Kv6`kZ4Dg zL_h>YKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKm?Kr{13MN_3i)w literal 0 HcmV?d00001