Slide 21
The Pwnie Express
index=wls EventID=4688
(CommandLine="*cscript*" OR CommandLine="*wscript*" OR
CommandLine="*powershell*")
(CreatorProcessName="WINWORD" OR
CreatorProcessName="POWERPNT" OR
CreatorProcessName="EXCEL" OR
CreatorProcessName="Adobe*")
| table _time, host, SubjectUserName,
CreatorProcessName, BaseFileName, CommandLine
'Cause They Are Carrier Files!
Slide 35
Enumerated PowerSploit Modules
index=wls* EventID=4688 (BaseFileName=powershell.exe OR BaseFileName=cmd.exe)
(CommandLine="*powersploit*" OR CommandLine="*Invoke-DllInjection*" OR
CommandLine="*Invoke-ReflectivePEInjection*" OR CommandLine="*Invoke-Shellcode*" OR
CommandLine="*Invoke-WmiCommand*" OR CommandLine="*Out-EncodedCommand*" OR
CommandLine="*Out-CompressedDll*" OR CommandLine="*Out-EncryptedScript*" OR
CommandLine="*Remove-Comments*" OR CommandLine="*New-UserPersistenceOption*" OR
CommandLine="*New-ElevatedPersistenceOption*" OR CommandLine="*Add-Persistence*" OR
CommandLine="*Install-SSP*" OR CommandLine="*Get-SecurityPackages*" OR
CommandLine="*Find-AVSignature*" OR CommandLine="*Invoke-TokenManipulation*" OR
CommandLine="*Invoke-CredentialInjection*" OR CommandLine="*Invoke-NinjaCopy*" OR
CommandLine="*Invoke-Mimikatz*" OR CommandLine="*Get-Keystrokes*" OR
CommandLine="*Get-GPPPassword*" OR CommandLine="*Get-TimedScreenshot*" OR
CommandLine="*New-VolumeShadowCopy*" OR CommandLine="*Get-VolumeShadowCopy*" OR
CommandLine="*Mount-VolumeShadowCopy*" OR CommandLine="*Remove-VolumeShadowCopy*" OR
CommandLine="*Get-VaultCredential*" OR CommandLine="*Out-Minidump*" OR
CommandLine="*Set-MasterBootRecord*" OR CommandLine="*Set-CriticalProcess*" OR
CommandLine="*PowerUp*" OR CommandLine="*Invoke-Portscan*" OR CommandLine="*Get-HttpStatus*" OR
CommandLine="*Invoke-ReverseDnsLookup*" OR CommandLine="*PowerView*")
| table …
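The two hunts above (the slide 21 carrier-file search and the slide 35 PowerSploit search), re-implemented as an added Python example that is not part of the original deck, so the wildcard and parent-process logic can be exercised offline. Field names follow the searches; the events in SAMPLE_EVENTS are constructed, not real logs.

```python
"""Slide 21 (carrier files) and slide 35 (PowerSploit names) as plain Python.
Added example, not part of the original deck; SAMPLE_EVENTS are constructed."""
import fnmatch

# Slide 21: Office/Adobe parents ("carrier files") spawning a script host.
CARRIER_PARENTS = ("WINWORD", "POWERPNT", "EXCEL", "Adobe*")
SCRIPT_HOSTS = ("*cscript*", "*wscript*", "*powershell*")
# Slide 35: a subset of the PowerSploit module names the search looks for.
POWERSPLOIT_MARKERS = ("*powersploit*", "*Invoke-Mimikatz*", "*Get-GPPPassword*",
                       "*Invoke-ReflectivePEInjection*", "*Get-HttpStatus*")

def _any_match(value, patterns):
    """Case-insensitive wildcard match, like Splunk's field=*x* filters."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def is_carrier_spawn(ev):
    """True when a 4688 event shows a carrier-file parent launching a script host."""
    return (ev.get("EventID") == 4688
            and _any_match(ev.get("CreatorProcessName", ""), CARRIER_PARENTS)
            and _any_match(ev.get("CommandLine", ""), SCRIPT_HOSTS))

def is_powersploit_use(ev):
    """True when powershell.exe/cmd.exe starts with a PowerSploit name on its command line."""
    return (ev.get("EventID") == 4688
            and ev.get("BaseFileName", "").lower() in ("powershell.exe", "cmd.exe")
            and _any_match(ev.get("CommandLine", ""), POWERSPLOIT_MARKERS))

# Constructed sample events using the WLS field names from the searches.
SAMPLE_EVENTS = [
    {"EventID": 4688, "host": "ws01", "SubjectUserName": "alice", "CreatorProcessName": "WINWORD",
     "BaseFileName": "cmd.exe", "CommandLine": r"cmd.exe /c wscript.exe C:\Temp\invoice.vbs"},
    {"EventID": 4688, "host": "ws02", "SubjectUserName": "bob", "CreatorProcessName": "explorer",
     "BaseFileName": "powershell.exe", "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventID": 4688, "host": "ws03", "SubjectUserName": "carol", "CreatorProcessName": "cmd",
     "BaseFileName": "powershell.exe", "CommandLine": "powershell.exe -Command Import-Module PowerSploit"},
]
COLUMNS = ("host", "SubjectUserName", "CreatorProcessName", "BaseFileName", "CommandLine")

def hunt(events):
    """Return (carrier_hits, powersploit_hits) as rows in the order the | table clause lists them."""
    carrier = [tuple(e[c] for c in COLUMNS) for e in events if is_carrier_spawn(e)]
    sploit = [tuple(e[c] for c in COLUMNS) for e in events if is_powersploit_use(e)]
    return carrier, sploit

if __name__ == "__main__":
    for row in sum(hunt(SAMPLE_EVENTS), []):
        print(" | ".join(row))
```

Only the WINWORD-spawned wscript event and the PowerSploit import are returned; the ordinary explorer-launched inventory script is not, which is the false-positive check a hunter wants before scheduling either search.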
Slide 41
Resources
• Windows Logging Service (WLS) Home Page
– By Jason McCord (@digirati82)
– https://digirati82.com/wls-information/
• “Know your Windows Processes or Die Trying”
– Article by Patrick Olsen, 2014/01/18
– http://sysforensics.org/2014/01/know-your-windows-processes/
• Bechtel Splunk Live! Santa Clara 2015 Preso
– http://www.slideshare.net/Splunk/bechtel-customer-presentation
Keep Huntin'!