In this blog post, I will use the PowerShell module DeepBlueCLI to quickly discover suspicious account and command line behavior by parsing some sample evtx files1 from DeepBlueCLI GitHub page. This blog post is heavily inspired by the 16-hour seminar “SOC Core Skills” by John Strand (Black Hills Information Security).
New user is created and immediately added to the local Administrators group
In this section, we will analyze new-user-security.evtx with DeepBlueCLI. In the output, we see that a new user with username “IEUser” was created at 10:22:39 AM and then added to the local Administrators group at 10:22:40 AM, that is, one second after creation. This is suspicious as threat actors often create new users in order to gain a level of persistence in the network that they would not otherwise gain with malware.
In this section, we will analyze password-spray.evtx with DeepBlueCLI. Password spray attacks are those attacks where a threat actor targets a list of usernames on a domain and sprays them with the same password, like Winter2020. This attack is often successful because many companies do not implement a strong password policy. Moreover, such technique doesn’t often get picked up because accounts don’t get locked out, as the attacker keeps the attempted logon count below the lockout threshold defined in the lockout policy. In this instance, we see that DeepBlueCLI detects the attack and summarizes it for humans to read. Concretely, we see that a password spray attack was launched by user jwrig from machine DESKTOP-JR78RLP. Moreover, we see a list of the target usernames as well.
In this section, we will analyze smb-password-guessing-security.evtx with DeepBlueCLI. Password guessing attacks are those where the threat actor tries to login as a single user by trying out different passwords. In this instance, DeepBlueCLI detects such an attack against the Administrator account. The DeepBlueCLI summary shows that 3560 login attempts were made for this account.
Suspicious command line (attack with obfuscation)
In this last section, we will analyze Powershell-Invoke-Obfuscation-encoding-menu.evtx with DeepBlueCLI. This file contains logs of commands run from Powershell that are suspicious because they contain a lot of not common symbols. Attackers often use a number of encoding techniques to bypass signature detection2. Concretely, this means that threat actors rewrite malicious commands using not common symbols. For example, they could build the commands a character at a time, like in the screenshot below. Fortunately, this kind of activity often gets logged by Windows Defender because non-malicious scripts do not use so many uncommon characters. As you can see below, DeepBlueCLI runs a statistic on this specific command line invocation and shows that only 58% alphanumeric and common symbols were used in this example, thus indicating malicious activity.
All in all, DeepBlueCLI enables fast discovery of specific events detected in Windows Security. In this post, we only looked at detections of suspicious account and command line activities. However, DeepBlueCLI can do much more. Check out its page on GitHub!
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!