Collect WonkaVision logs from Windows hosts.
WonkaVision is a utility developed by @4ndr3w6S and @exploitph that is used to detect forged Kerberos tickets.
This artifact allows users to run the utility (if desired) and collect the relevant logs from the Windows Application log.
name: Windows.EventLogs.WonkaVision
description: |
Collect WonkaVision logs from Windows hosts.
WonkaVision is a utility developed by @4ndr3w6S and @exploitph that is used to detect forged Kerberos tickets.
This artifact allows users to run the utility (if desired) and collect the relevant logs from the Windows Application log.
reference:
- https://github.com/0xe7/WonkaVision
author: Wes Lambert - @therealwlambert
parameters:
- name: TargetGlob
default: '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
- name: IdRegex
default: .
type: regex
- name: RunWonkaVision
type: bool
default: F
description: Run WonkaVision.exe
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET RunWV <= if(condition=RunWonkaVision, then={SELECT * FROM chain(a={SELECT * FROM Artifact.Exchange.Windows.Detection.WonkaVision()}, b=sleep(time=10))})
LET EventDescriptionTable <= SELECT * FROM parse_csv(accessor="data", filename='''
ID,Description
9988,Possible compromised session
9989,Possible forged ticket
''')
SELECT EventTime,
Computer,
Channel,
Provider,
EventID,
EventRecordID,
{ SELECT Description FROM EventDescriptionTable WHERE ID = EventID} AS Description,
if(condition = EventID =~ "9988",
then=grok(data=EventData, grok='''Possible compromised session\\nTotal Score: %{DATA:total_score}\\nSession: %{DATA:session}\\nMachine Name: %{DATA:machine_name}\\nUsername: %{DATA:user}\\n\\nIOAs:\\n\\n\\tUsernameMismatch: %{DATA:username_mismatch}\\n\\n\\nIOA Reasons: %{DATA:ioa_reasons}. '''),
else=grok(data=EventData, grok='''Possible forged ticket\\nTotal Score: %{DATA:total_score}\\nSession: %{DATA:session}\\nMachine Name: %{DATA:machine_name}\\nUser: %{DATA:user}\\nService Principal Name: %{DATA:service_principal_name}\\n\\nIOAs:%{DATA:ioa}\\n\\n\\tPasswordMustChange: %{DATA:password_must_change}\\n\\n\\nTool Scores:\\n\\tMimikatz Score: %{NUMBER:mimikatz_score}\\n\\tImpacket Score: %{NUMBER:impacket_score}\\n\\tRubeus Score: %{NUMBER:rubeus_score}\\n\\tCobalt Strike Score: %{NUMBER:cobalt_strike_score}\\n\\n\\nIOA Reasons: %{DATA:ioa_reasons}. ''',patterns=["Possible forged ticket\\nTotal Score: %{DATA:total_score}\\nSession: %{DATA:session}\\nMachine Name: %{DATA:machine_name}\\nUser: %{DATA:user}\\nService Principal Name: %{DATA:service_principal_name}\\n\\nIOAs:%{DATA:ioa}\\n\\n\\nTool Scores:\\n\\tMimikatz Score: %{NUMBER:mimikatz_score}\\n\\tImpacket Score: %{NUMBER:impacket_score}\\n\\tRubeus Score: %{NUMBER:rubeus_score}\\n\\tCobalt Strike Score: %{NUMBER:cobalt_strike_score}\\n\\n\\nIOA Reasons: %{GREEDYDATA:ioa_reasons}"])) AS EventDetails,
EventData.Data[0] AS EventDataOriginal
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=TargetGlob,
VSSAnalysisAge=VSSAnalysisAge,
IdRegex=IdRegex)
WHERE Provider =~ "Wonka"