eventlog_creds Module

[lodos2005]

I have added a new module that extracts user credentials from Windows event logs. The main focus is on monitoring logs, such as Sysmon or Windows Security logs Event ID 4688. If computers are monitored using Windows Event Forwarding (WEF) or SIEM solutions, executed commands and their arguments can be stored in the event log. I designed this module to find credentials in those logs and extract them.

[NeffIsBack]

Thanks for the PR :)

[Dfte]

Hey dude!

Really nice PR! Is there a way you can retrieve the event log files without running additional execute() operation ?

[lodos2005]

Hey dude!

Really nice PR! Is there a way you can retrieve the event log files without running additional execute() operation ?

Hm, maybe we use even/even6, i will look that.

[lodos2005]

well, i added rpc method also. rpc call is a bit slower on large logs but I think it is more stealth.


I don't know which one should be the default.

[Dfte]

Amazing!!! To be honest I'd rather have RPC being the default one as it will improve stealthness and allow attacker to dump credentials without rising alerts because of the execute :)

[NeffIsBack]

@lodos2005 how do you enable the event tracking? Tried enabling "Administrative Templates\System\Audit Process Creation\Include command line in process creation events" (see here), but i don't see any 4688 events in the logs.

[lodos2005]

@NeffIsBack Can you try with template
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation
Or cmdline
AuditPol /set /subcategory:"Process Creation" /success:enable

also i found reg key
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

[NeffIsBack]

@NeffIsBack Can you try with template Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation Or cmdline AuditPol /set /subcategory:"Process Creation" /success:enable

also i found reg key reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Awesome, that worked. So for others reading this, both of the following options must be configured:

• Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation must be set to "Success"
• Administrative Templates\System\Audit Process Creation\Include command line in process creation events must be set to "Enabled"

[NeffIsBack]

LGTM, thanks for the PR!

[lodos2005]

Awesome 💙

[dadevel]

@lodos2005 I want to contribute a PR that connects to the EVEN6 RPC interface over SMB \PIPE\eventlog instead of the high TCP port, but over SMB EvtRpcRegisterLogQuery() fails with rpc_s_access_denied while it works fine over TCP. Do you have any idea why?

[NeffIsBack]

Can you post the code? That could probably help identifying the problem

[dadevel]

@NeffIsBack yes, I built a standalone reproducer: https://gist.github.com/dadevel/d4e8906424278f65d0cf8b9bf3aea906

[NeffIsBack]

@NeffIsBack yes, I built a standalone reproducer: https://gist.github.com/dadevel/d4e8906424278f65d0cf8b9bf3aea906

Looks indeed like a privilege issue on your side. Your script works flawlessly with the domain admin in my lab:

[dadevel]

Thanks for testing! Can you try with --protocol smb? The script uses RPC over TCP by default (I probably should've changed that).

[NeffIsBack]

Hmm nope, no luck:

Neither with your implementation, nor with the one out of coerce_plus (which does practically the same thing, but wanted to check if there was bug or anything else)

[dadevel]

Windows is weird. At least I know now that it wasn't me :D
Thank you again for helping out.