This artifact enables querying for explicit logon events. i.e Event ID 4648: A logon was attempted using explicit credentials.
If logging is enabled, these events are generated on the source machine when an authentication attempt occurs under a different user context. Examples include a user authenticating to another machine using wmic or mapping a drive using different credentials, or using the RunAs option locally.
This artifact by default filters all events with localhost as the server and MACHINE$ as target user. A recommended hunt for lateral movement would be activity to other machines from commonly abused lolbins or explicit logon events from unusual processes.
name: Windows.EventLogs.ExplicitLogon
description: |
This artifact enables querying for explicit logon events. i.e Event ID 4648:
A logon was attempted using explicit credentials.
If logging is enabled, these events are generated on the source machine when
an authentication attempt occurs under a different user context. Examples
include a user authenticating to another machine using wmic or mapping a
drive using different credentials, or using the RunAs option locally.
This artifact by default filters all events with localhost as the server and
MACHINE$ as target user. A recommended hunt for lateral movement would be
activity to other machines from commonly abused lolbins or explicit logon
events from unusual processes.
author: Matt Green - @mgreen27
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: EvtxGlob
default: '%SystemRoot%\System32\Winevt\Logs\Security.evtx'
- name: UsernameRegex
description: "Target username Regex"
default: .
type: regex
- name: UsernameWhitelist
description: "Target username witelist Regex"
default: '\\$$'
type: regex
- name: ServerRegex
description: "Target server regex"
default: .
type: regex
- name: ServerWhitelist
description: "Target server whitelist regex"
default: 'localhost'
type: regex
- name: ProcessNameRegex
description: "Target process Regex"
default: .
- name: ProcessNameWhitelist
description: "Target process whitelist Regex"
type: regex
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
- name: DateAfter
type: timestamp
description: "search for events after this date. YYYY-MM-DDTmm:hh:ssZ"
- name: DateBefore
type: timestamp
description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"
sources:
- query: |
LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge
LET Accessor = if(condition=VSSAnalysisAge > 0, then="ntfs_vss", else="auto")
-- firstly set timebounds for performance
LET DateAfterTime <= if(condition=DateAfter,
then=timestamp(epoch=DateAfter), else=timestamp(epoch="1600-01-01"))
LET DateBeforeTime <= if(condition=DateBefore,
then=timestamp(epoch=DateBefore), else=timestamp(epoch="2200-01-01"))
-- expand provided glob into a list of paths on the file system (fs)
LET fspaths = SELECT OSPath
FROM glob(globs=expand(path=EvtxGlob), accessor=Accessor)
-- function returning IOC hits
LET evtxsearch(PathList) = SELECT * FROM foreach(
row=PathList,
query={
SELECT
timestamp(epoch=int(int=System.TimeCreated.SystemTime)) AS EventTime,
System.Computer as Computer,
System.EventID.Value as EventID,
System.EventRecordID as EventRecordID,
EventData.SubjectUserName as SubjectUserName,
EventData.SubjectDomainName as SubjectDomainName,
EventData.TargetUserName as TargetUserName,
EventData.TargetDomainName as TargetDomainName,
EventData.TargetServerName as TargetServerName,
EventData.ProcessName as ProcessName,
EventData,
Message,
OSPath
FROM parse_evtx(filename=OSPath, accessor=Accessor)
WHERE
EventID = 4648
AND EventTime < DateBeforeTime
AND EventTime > DateAfterTime
AND TargetUserName =~ UsernameRegex
AND NOT if(condition=UsernameWhitelist,
then= TargetUserName =~ UsernameWhitelist,
else= FALSE)
AND TargetServerName =~ ServerRegex
AND NOT if(condition=ServerWhitelist,
then= TargetServerName =~ ServerWhitelist,
else= FALSE)
AND ProcessName =~ ProcessNameRegex
AND NOT if(condition=ProcessNameWhitelist,
then= ProcessName =~ ProcessNameWhitelist,
else= FALSE)
}
)
SELECT * FROM evtxsearch(PathList=fspaths)
GROUP BY EventRecordID, Channel