Parent PID Spoofing Practice
- RDP into box using provided VM instance
- xfreerdp /u:'Administrator' /p:'HTB_@cad3my_lab_W1n10_r00t!@0' /v:10.129.205.123 /dynamic-resolution
- It’s important to use /dynamic-resolution so you can manipulate the window to resize it
- Using Process Hacker we now want to visualize what an abnormal parent-child relationship looks like. One example would be calc.exe having a child cmd.exe under it. This is abnormal and would be a red flag that something suspicious might be happening.
- Let's use Parent PID Spoofing to see what this looks like in real time.
- Here we will open Powershell and CD over to C:\Tools\psgetsystem
- For our benefit the VM has psgetsystem already installed
- You can find the install here: https://github.com/decoder-it/psgetsystem
- Once there, there are a few steps to take:
- powershell -ep bypass: This command starts a new PowerShell session with the execution policy set to Bypass. This allows scripts to run without being blocked by the execution policy. Execution policies are part of PowerShell's security strategy to control the conditions under which PowerShell loads configuration files and runs scripts.
- Import-Module .\psgetsys.ps1: This command imports a PowerShell script as a module. By doing this, the functions and cmdlets defined in the psgetsys.ps1 script become available in the current session. The .\ indicates that the script is located in the current directory.
- This script in the HTB Module is already loaded for us
- [MyProcess]::CreateProcessFromParent(2356,"C:\Windows\System32\cmd.exe",""): This command invokes the static method CreateProcessFromParent from the custom class MyProcess. The method creates a new process (cmd.exe) with a parent process having the process ID 2356. The empty string "" means that no additional arguments are passed to cmd.exe. This is often used in scenarios where you want to spawn a new process under the context of an existing one, possibly to inherit permissions or for process injection.
- Moving back over to Process Hacker we can now see that there is an abnormal process being executed under spoolsv.exe
- You could go a step further and pull a Sysmon log and find that it shows spoolsv.exe as the parent of cmd.exe, even though PowerShell is what actually launched it
SilkETW Practice
- Let's first get our ETW .json log running!
- Head into cmd.exe and cd over to our tool SilkETW_SilkService_v8
- This will be pre-installed if you are using HTB’s instanced VM
- You can also find it here: https://github.com/mandiant/SilkETW
- Once we have it installed (if not already) let's head back to cmd and run some lines!
- c:\Tools\SilkETW_SilkService_v8\v8\SilkETW>SilkETW.exe -t user -pn Microsoft-Windows-Kernel-Process -ot file -p C:\windows\temp\etw.json
- Now let's break this down a bit to explain what's happening and why:
- SilkETW.exe: This is the executable file being run. SilkETW is a tool used for capturing and logging ETW (Event Tracing for Windows) events
- This is the tool that's going to show us in detail what happened when, in the following step, we use PowerShell to launch cmd.exe with spoolsv.exe as its spoofed parent
- -t user: -t specifies the trace type. The user trace type indicates that user-mode events are being traced
- -pn Microsoft-Windows-Kernel-Process: -pn specifies the provider name. The Microsoft-Windows-Kernel-Process provider is used for tracing process-related events in the Windows kernel
- -ot file: -ot specifies the output type. file indicates that the output will be written to a file
- -p C:\windows\temp\etw.json: -p specifies the path to the output file. In this case, the output will be saved as etw.json in the C:\windows\temp directory
- Starting from the steps before, we are going to open PowerShell and run the same commands again:
- PS C:\Tools\psgetsystem> powershell -ep bypass
- PS C:\Tools\psgetsystem> Import-Module .\psgetsys.ps1
- PS C:\Tools\psgetsystem> [MyProcess]::CreateProcessFromParent([Process ID of spoolsv.exe],"C:\Windows\System32\cmd.exe","")
- Remember to verify what process ID spoolsv.exe is running on. For me it was 2408.
- Now we can again see in Process Hacker that cmd.exe is being executed under spoolsv.exe
- So now we have started our ETW.json file. SilkETW keeps running in the background, and I suggest you close the window once you are done. There's no reason for it to keep spinning; we just wanted to capture the PowerShell command above
- Head over to your temp folder where we set the location path for the ETW file.
- Pop it open!
- You’ll be greeted by a wall of data
- Let’s ctrl+f and find our process 2408
- You can use “by parent” to help filter
- And scanning to the left on this line we will find what we were looking for:
- This shows us that cmd.exe (PID 560 for us; you can verify this in Process Hacker) was created by PowerShell
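The check the manual ctrl+f performs, written out as an added Python example (not from the original post or from SilkETW): it walks a few constructed SilkETW-style JSON lines and flags ProcessStart events whose header ProcessID (the process that actually issued the create call, which is what "scanning to the left" reads) differs from the ParentProcessID field in the event data. The record layout and the PIDs other than 2408 and 560 are assumptions.

```python
import json

# Constructed SilkETW-style records (not from the original page). Layout assumed from
# SilkETW's JSON output: the top-level "ProcessID" comes from the ETW event header, i.e.
# the process that issued the create call, while "XmlEventData.ParentProcessID" is the
# parent stored in the new process object, which is the field psgetsystem spoofs.
# 2408 (spoolsv.exe) and 560 (cmd.exe) are the page's PIDs; 5120 and 3392 are made up.
SAMPLE_ETW_LINES = r"""
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ProcessStart","ProcessID":2408,"XmlEventData":{"ProcessID":"3392","ParentProcessID":"2408","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\PrintIsolationHost.exe"}}
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ProcessStart","ProcessID":5120,"XmlEventData":{"ProcessID":"560","ParentProcessID":"2408","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe"}}
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ProcessStop","ProcessID":560,"XmlEventData":{"ProcessID":"560","ImageName":"\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe"}}
""".strip()


def _process_starts(lines):
    """Yield parsed Kernel-Process ProcessStart events from newline-delimited JSON."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("ProviderName") == "Microsoft-Windows-Kernel-Process" \
                and event.get("EventName") == "ProcessStart":
            yield event


def _basename(nt_path):
    return nt_path.rsplit("\\", 1)[-1].lower()


def children_claiming_parent(lines, parent_pid):
    """The manual ctrl+f: child PIDs whose ParentProcessID field names parent_pid."""
    return [int(e["XmlEventData"]["ProcessID"]) for e in _process_starts(lines)
            if int(e["XmlEventData"]["ParentProcessID"]) == parent_pid]


def find_ppid_spoofing(lines):
    """Return (child_pid, image, claimed_parent, creator) for every ProcessStart whose
    header ProcessID differs from the ParentProcessID recorded for the child."""
    findings = []
    for e in _process_starts(lines):
        data = e["XmlEventData"]
        creator, claimed = int(e["ProcessID"]), int(data["ParentProcessID"])
        if creator != claimed:
            findings.append((int(data["ProcessID"]), _basename(data["ImageName"]),
                             claimed, creator))
    return findings


if __name__ == "__main__":
    print("children claiming 2408:", children_claiming_parent(SAMPLE_ETW_LINES, 2408))
    for child, image, claimed, creator in find_ppid_spoofing(SAMPLE_ETW_LINES):
        print(f"{image} (PID {child}) claims parent {claimed} but was created by {creator}")
```

The legitimate PrintIsolationHost.exe start from spoolsv.exe is included as a control: its header PID and ParentProcessID agree, so only the spoofed cmd.exe is flagged.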
Detecting Malicious .NET Assembly Loading // Seatbelt
- Load up Sysmon with correct configuration to track event ID 7
- This is done by opening the configuration and changing “include” to “exclude” under ImageLoad onmatch
- Let’s emulate a malicious .NET assembly load by executing a precompiled version of Seatbelt that resides already on our HTB instance. Seatbelt is a well-known .NET assembly, often employed by adversaries who load and execute it in memory to gain situational awareness on a compromised system.
- Open up Powershell and cd over to our tools directory and open GhostPack Compiled Binaries
- Then run the existing file in here:
- Here we can see that it finished running and shows a completion time
- Now we can open up event viewer under Sysmon and find our Event ID 7
- We will be looking for 'clr.dll' and 'mscoree.dll'; these are .NET-related DLLs
- We can also open SilkETW like before, leave it running, and run our seatbelt.exe again
- Go into our ETW.json file and search around and should find information about the loaded assembly, including method names
- (Part of this is left out because it does show the flag 🙂)
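The Event ID 7 triage described above, as an added Python example (not from the original post or from Sysmon): it runs over a few constructed Sysmon ImageLoad records and reports processes that pull in the .NET runtime DLLs named on the page but are not on a baseline of expected .NET hosts, since powershell.exe and plenty of other legitimate binaries load clr.dll all day. The record fields, the baseline and the Seatbelt path are assumptions.

```python
# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the EventData fields
# the check needs; not taken from the original page. Paths and PIDs are made up.
SAMPLE_IMAGE_LOADS = [
    {"ProcessId": 3320, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"ProcessId": 6168, "Image": r"C:\Tools\GhostPack Compiled Binaries\Seatbelt.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
    {"ProcessId": 6168, "Image": r"C:\Tools\GhostPack Compiled Binaries\Seatbelt.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

# The two runtime DLLs the page says to look for in Event ID 7.
DOTNET_RUNTIME_DLLS = {"clr.dll", "mscoree.dll"}

# Assumed baseline of processes that are expected to host the CLR on this box;
# a real deployment would build this from a quiet period of Event ID 7 data.
EXPECTED_DOTNET_HOSTS = {"powershell.exe", "powershell_ise.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_dotnet_loads(events, expected_hosts=EXPECTED_DOTNET_HOSTS):
    """Return {pid: (host_image, sorted runtime DLLs)} for every process that loaded
    clr.dll or mscoree.dll and is not an expected .NET host."""
    hits = {}
    for event in events:
        dll = _basename(event["ImageLoaded"])
        if dll not in DOTNET_RUNTIME_DLLS:
            continue
        host = _basename(event["Image"])
        if host in expected_hosts:
            continue
        hits.setdefault(event["ProcessId"], (host, set()))[1].add(dll)
    return {pid: (host, sorted(dlls)) for pid, (host, dlls) in hits.items()}


if __name__ == "__main__":
    for pid, (host, dlls) in flag_dotnet_loads(SAMPLE_IMAGE_LOADS).items():
        print(f"PID {pid} {host} loaded the .NET runtime: {', '.join(dlls)}")
```

Passing an empty baseline (expected_hosts=set()) turns this into the raw "every CLR load" view you get from switching the ImageLoad rule to exclude, which is useful for building the baseline in the first place.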
