
eventlog_creds Module

Open lodos2005 opened this issue 1 year ago • 5 comments


I have added a new module that extracts user credentials from Windows event logs. The main focus is on monitoring logs, such as Sysmon or Windows Security logs Event ID 4688. If computers are monitored using Windows Event Forwarding (WEF) or SIEM solutions, executed commands and their arguments can be stored in the event log. I designed this module to find credentials in those logs and extract them.

lodos2005 avatar Oct 13 '24 22:10 lodos2005
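The module described above depends on two things: that 4688 events carry the CommandLine field, and that operators have put passwords on command lines. The following PowerShell is an added example, not code from the NetExec module or the PR authors; it shows the same check from the defender's side, reading the CommandLine field out of Security event 4688 and flagging lines that contain a credential, but it prints only a redacted copy so the report can be used to rotate the account without copying the secret anywhere else. The regex list, the function names and the sample command lines are constructed assumptions, not anything from the PR.

```powershell
# Added example (not from the NetExec PR). Regexes, function names and sample
# lines are constructed assumptions; extend the patterns for your own tooling.

# Each pattern names the credential in a group called "secret" so it can be redacted.
$CredentialPatterns = @(
    # net use [drive:] \\server\share <password> /user:DOMAIN\user  (password before /user:)
    '\bnet\s+use\b.*?\s(?<secret>[^\\/\s*]\S*)\s+/user:',
    # net use \\server\share /user:DOMAIN\user <password>           (password after /user:)
    '\bnet\s+use\b.*?/user:\S+\s+(?<secret>[^/\s*]\S*)',
    # generic /password:x, -password x, --password=x, -pass x, -pwd x
    '(?:^|\s)(?:/|--?)(?:password|passwd|pass|pwd)\s*[:= ]\s*(?<secret>"[^"]+"|\S+)',
    # schtasks /RU user /RP <password>
    '\bschtasks\b.*?/rp\s+(?<secret>"[^"]+"|\S+)'
)

function Find-CommandLineSecret {
    # Returns the matched pattern and a redacted command line, or $null if clean.
    param([string]$CommandLine)
    if ([string]::IsNullOrEmpty($CommandLine)) { return $null }
    foreach ($p in $CredentialPatterns) {
        $m = [regex]::Match($CommandLine, $p, 'IgnoreCase')
        if ($m.Success) {
            $g = $m.Groups['secret']
            return [pscustomobject]@{
                Pattern  = $p
                Redacted = $CommandLine.Substring(0, $g.Index) + '<REDACTED>' +
                           $CommandLine.Substring($g.Index + $g.Length)
            }
        }
    }
    return $null
}

function Get-ProcessCreationEvents {
    # Pulls recent 4688 events and flattens the EventData fields the module reads.
    # CommandLine is empty unless "Include command line in process creation events" is on.
    param([int]$MaxEvents = 500, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                RecordId    = $_.RecordId
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                CommandLine = $d.CommandLine
            }
        }
}

# Constructed sample command lines (not captured from any host) to show the output;
# the svchost line has a bare "-p" and must NOT be flagged.
$Samples = @(
    'net use Z: \\fileserver\share Winter2024! /user:CORP\svc_backup /persistent:no',
    'schtasks /create /tn Cleanup /tr cleanup.exe /sc daily /ru CORP\svc_task /rp Sup3rS3cret',
    'wmic /node:host01 /user:CORP\admin /password:Pa55w0rd process list brief',
    'C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule'
)
foreach ($line in $Samples) {
    $hit = Find-CommandLineSecret -CommandLine $line
    if ($hit) { Write-Output "CREDENTIAL: $($hit.Redacted)" } else { Write-Output "clean:      $line" }
}

# Against live data (needs rights to read the Security log), uncomment:
# Get-ProcessCreationEvents -MaxEvents 2000 |
#     Where-Object { $_.CommandLine } |
#     ForEach-Object {
#         $h = Find-CommandLineSecret -CommandLine $_.CommandLine
#         if ($h) { $_ | Add-Member -NotePropertyName Redacted -NotePropertyValue $h.Redacted -PassThru }
#     } | Select-Object Time, User, Process, Redacted | Format-Table -AutoSize
```

Run over a WEF collector or SIEM export, every hit is an account whose password is sitting in a log that any reader of that log (or of the event log RPC interface the module uses) can harvest; rotate it and fix the script or task that passed the password on the command line. The regex approach is deliberately narrow so it produces few false positives; a bare `-p` is not treated as a password, which is why the svchost sample stays clean.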

Thanks for the PR :)

NeffIsBack avatar Oct 14 '24 06:10 NeffIsBack

Hey dude!

Really nice PR! Is there a way you can retrieve the event log files without running additional execute() operation ?

Dfte avatar Oct 14 '24 08:10 Dfte

> Hey dude!
>
> Really nice PR! Is there a way you can retrieve the event log files without running additional execute() operation ?

Hm, maybe we can use even/even6; I will look into that.

lodos2005 avatar Oct 14 '24 09:10 lodos2005

Well, I added an RPC method also. The RPC call is a bit slower on large logs, but I think it is stealthier. I don't know which one should be the default.

lodos2005 avatar Oct 14 '24 22:10 lodos2005

Amazing!!! To be honest I'd rather have RPC be the default one, as it will improve stealthiness and allow an attacker to dump credentials without raising alerts because of the execute :)

Dfte avatar Oct 15 '24 07:10 Dfte

@lodos2005 how do you enable the event tracking? I tried enabling "Administrative Templates\System\Audit Process Creation\Include command line in process creation events" (see here), but I don't see any 4688 events in the logs.

NeffIsBack avatar Apr 27 '25 19:04 NeffIsBack

@NeffIsBack Can you try with the template Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation, or from the command line: AuditPol /set /subcategory:"Process Creation" /success:enable

Also, I found the registry key: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

lodos2005 avatar May 03 '25 09:05 lodos2005

> @NeffIsBack Can you try with the template Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation, or from the command line: AuditPol /set /subcategory:"Process Creation" /success:enable
>
> Also, I found the registry key: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Awesome, that worked. So for others reading this, both of the following options must be configured:

  • Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation must be set to "Success"
  • Administrative Templates\System\Audit Process Creation\Include command line in process creation events must be set to "Enabled"

NeffIsBack avatar May 15 '25 15:05 NeffIsBack
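To verify the two settings listed above on a host rather than reading them off a policy editor, the following PowerShell is an added example (not from the NetExec PR or its authors). It checks the "Process Creation" audit subcategory with auditpol, checks the registry value that the "Include command line in process creation events" policy writes (the key lodos2005 posted), and confirms that recent 4688 events actually carry a CommandLine; with -Fix it applies both settings locally. It assumes an elevated shell and English auditpol output, since that output is localized.

```powershell
# Added example (not from the NetExec PR). Assumes an elevated PowerShell and
# English-language auditpol output; the function names are my own.
param([switch]$Fix)

$AuditKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$AuditName = 'ProcessCreationIncludeCmdLine_Enabled'

function Test-ProcessCreationAudit {
    # The "Process Creation" subcategory must include Success for 4688 to be written at all.
    $text = (& auditpol.exe /get /subcategory:"Process Creation" 2>&1) -join "`n"
    return ($text -match 'Process Creation\s+Success')
}

function Test-CommandLineInclusion {
    # This DWORD is what the GPO "Include command line in process creation events" sets.
    $prop = Get-ItemProperty -Path $AuditKey -Name $AuditName -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.$AuditName -eq 1)
}

function Test-RecentCommandLine {
    # Evidence check: at least one recent 4688 should carry a non-empty CommandLine field.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml = [xml]$ev.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if (-not [string]::IsNullOrWhiteSpace($cmd)) { return $true }
    }
    return $false
}

if ($Fix) {
    # Same two changes as the GPO paths above, applied to the local machine.
    & auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
    if (-not (Test-Path $AuditKey)) { New-Item -Path $AuditKey -Force | Out-Null }
    Set-ItemProperty -Path $AuditKey -Name $AuditName -Type DWord -Value 1
}

[pscustomobject]@{
    ProcessCreationAuditSuccess = Test-ProcessCreationAudit
    CommandLineIncluded         = Test-CommandLineInclusion
    RecentEventHasCommandLine   = Test-RecentCommandLine
} | Format-List
```

On a domain-joined host a Group Policy refresh will overwrite anything -Fix changes, so in a domain set both options in the policy and use this script only to confirm they landed. Note the trade-off the thread illustrates: once command-line logging is on, any password passed on a command line is written into the Security log, which is exactly what this module harvests, so the log needs the same protection as the credentials it may contain.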

Awesome 💙

lodos2005 avatar May 16 '25 05:05 lodos2005

@lodos2005 I want to contribute a PR that connects to the EVEN6 RPC interface over SMB \PIPE\eventlog instead of the high TCP port, but over SMB EvtRpcRegisterLogQuery() fails with rpc_s_access_denied while it works fine over TCP. Do you have any idea why?

dadevel avatar May 18 '25 21:05 dadevel

Can you post the code? That could probably help identify the problem.

NeffIsBack avatar May 19 '25 10:05 NeffIsBack

@NeffIsBack yes, I built a standalone reproducer: https://gist.github.com/dadevel/d4e8906424278f65d0cf8b9bf3aea906

dadevel avatar May 19 '25 14:05 dadevel

> @NeffIsBack yes, I built a standalone reproducer: https://gist.github.com/dadevel/d4e8906424278f65d0cf8b9bf3aea906

Looks indeed like a privilege issue on your side. Your script works flawlessly with the domain admin in my lab.

NeffIsBack avatar May 19 '25 21:05 NeffIsBack

Thanks for testing! Can you try with --protocol smb? The script uses RPC over TCP by default (I probably should've changed that).

dadevel avatar May 20 '25 05:05 dadevel

Hmm nope, no luck.

Neither with your implementation, nor with the one out of coerce_plus (which does practically the same thing, but I wanted to check if there was a bug or anything else).

NeffIsBack avatar May 20 '25 22:05 NeffIsBack

Windows is weird. At least I know now that it wasn't me :D Thank you again for helping out.

dadevel avatar May 21 '25 05:05 dadevel