I was going through some articles and identified one of the best one-liners, by @Leonard Savina.
A guide to detecting potential remote attacks on Windows systems using PowerShell commands and built-in system tools.
Windows Security Log Analysis:
Configuration Setup:
Configure the advanced security audit policy settings via a Group Policy Object (GPO) so that the necessary events are actually written to the Security log.
Enable success auditing for the subcategories Detailed Tracking\Process Creation, Object Access\Detailed File Share, and Privilege Use\Sensitive Privilege Use.
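For a single host, or to check what a GPO actually applied, the same three subcategories can be enabled and verified with auditpol. The following is an added example, not part of the original post; it runs from an elevated PowerShell prompt and also turns on command-line logging for 4688, which is a separate setting ("Include command line in process creation events") that the one-liner does not require but that makes the 4688 events far more useful:

```powershell
# Added example (not from the original post): enable the three audit subcategories locally
# with auditpol and verify the result. Run from an elevated PowerShell prompt. In a domain the
# same subcategories go into a GPO under Computer Configuration > Policies > Windows Settings >
# Security Settings > Advanced Audit Policy Configuration; the subcategory names are identical.

# subcategory name -> Event ID it produces
$subcategories = [ordered]@{
    'Process Creation'        = 4688   # category Detailed Tracking
    'Detailed File Share'     = 5145   # category Object Access
    'Sensitive Privilege Use' = 4674   # category Privilege Use
}

foreach ($name in $subcategories.Keys) {
    # Success auditing is what the one-liner filters on (EntryType 'SuccessAudit').
    auditpol.exe /set /subcategory:"$name" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$name' (exit code $LASTEXITCODE)" }
}

# Optional but recommended: record the full command line in 4688 (Windows 8.1 / 2012 R2 and later).
# Without it, 4688 shows the image path but not the arguments passed to it.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Verify: each line should show "Success" (or "Success and Failure").
foreach ($name in $subcategories.Keys) {
    auditpol.exe /get /subcategory:"$name" | Select-String -SimpleMatch $name
}
```

If the verification step still shows "No Auditing" after a GPO refresh, check that the legacy category-level audit settings are not overriding the subcategories (the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be enabled, which is the default on current Windows versions).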
Relevant Event IDs:
Event ID 5145: logs detailed file share access; look for the administrative shares (ADMIN$, C$, IPC$) combined with a write access request (%%4417 = WriteData/AddFile).
Event ID 4688: logs process creation; focus on the elevated token types (%%1936 = TokenElevationTypeDefault, %%1937 = TokenElevationTypeFull).
Event ID 4674: logs sensitive privilege use; look for SeTcbPrivilege, SeTakeOwnershipPrivilege or SeDebugPrivilege.
PowerShell One-Liner:
Seeing these events in succession (a write to an administrative share, followed by an elevated process creation and the use of a sensitive privilege) can indicate a remote attack, for example a tool being copied to ADMIN$ and then executed with high privileges.
Command :- get-eventlog -log security | where-object { $_.TimeGenerated -gt (get-date).adddays(-5) -AND $_.EntryType -eq 'SuccessAudit' -AND (($_.EventID -eq "5145" -AND $_.Message -match "\\\\\*\\ADMIN\$|\\\\\*\\C\$|\\\\\*\\IPC\$" -AND $_.Message -match "\%\%4417") -OR ($_.EventID -eq "4674" -AND $_.Message -match "SeTakeOwnershipPrivilege|SeDebugPrivilege|SeTcbPrivilege") -OR ($_.EventID -eq "4688" -AND $_.Message -match "\%\%1936|\%\%1937"))} | sort-object -property TimeGenerated
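Get-EventLog only exists in Windows PowerShell 5.1, needs an elevated prompt to read the Security log, and the one-liner matches on the localized Message text. The following is an added example, not Leonard Savina's one-liner, that applies the same three-event pattern on top of Get-WinEvent and the event XML, so it also runs in PowerShell 7 and is independent of the display language. The function names Get-RemoteAttackIndicator and Get-RemoteAttackTimeline, and the sample record at the end, are constructed for this example:

```powershell
# Added example (not the original one-liner): classify Security events 5145 / 4688 / 4674 from
# their XML fields instead of the Message text. Function names are assumed names.

# Classify a single Security event (as [xml]) and return a summary object, or nothing if the
# event is not one of the three indicators.
function Get-RemoteAttackIndicator {
    param([Parameter(Mandatory)][xml]$Record)

    $sys = $Record.Event.System
    # EventID is a plain element for Security-Auditing events; tolerate the attributed form too.
    $id  = if ($sys.EventID -is [System.Xml.XmlElement]) { [int]$sys.EventID.InnerText } else { [int]$sys.EventID }

    # Keyword 0x8020000000000000 is "Audit Success", the XML equivalent of EntryType 'SuccessAudit'.
    if ($sys.Keywords -ne '0x8020000000000000') { return }

    # Flatten the <Data Name="..."> elements into a hashtable keyed by field name.
    $data = @{}
    foreach ($d in $Record.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $detail = $null
    switch ($id) {
        5145 {  # write access (%%4417) to an administrative share
            if ($data.ShareName -match '^\\\\\*\\(ADMIN|C|IPC)\$$' -and $data.AccessList -match '%%4417') {
                $detail = "$($data.SubjectUserName) from $($data.IpAddress) wrote $($data.RelativeTargetName) to $($data.ShareName)"
            }
        }
        4688 {  # process created with a default or full (elevated) token
            if ($data.TokenElevationType -in '%%1936', '%%1937') {
                $detail = "$($data.SubjectUserName) started $($data.NewProcessName) (token $($data.TokenElevationType))"
            }
        }
        4674 {  # use of a sensitive privilege
            if ($data.PrivilegeList -match 'SeTcbPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege') {
                $detail = "$($data.SubjectUserName) used $($data.PrivilegeList.Trim()) in $($data.ProcessName)"
            }
        }
    }
    if ($detail) {
        [pscustomobject]@{ Time = [datetime]$sys.TimeCreated.SystemTime; EventId = $id; Detail = $detail }
    }
}

# Pull the last N days of the three Event IDs and return the matching ones in time order.
function Get-RemoteAttackTimeline {
    param([int]$Days = 5, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 5145, 4688, 4674; StartTime = (Get-Date).AddDays(-$Days) }
    # Reading the Security log requires an elevated prompt or membership in Event Log Readers.
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object { Get-RemoteAttackIndicator -Record ([xml]$_.ToXml()) } |
        Sort-Object Time
}

# Constructed sample record (not a real log entry) so the classifier can be tried offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5145</EventID>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-05-01T10:15:30.1234567Z"/>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ShareName">\\*\ADMIN$</Data>
    <Data Name="RelativeTargetName">svc.exe</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="AccessList">%%4417 %%4416</Data>
  </EventData>
</Event>
'@
Get-RemoteAttackIndicator -Record $sample          # one row: jdoe from 10.0.0.25 wrote svc.exe to \\*\ADMIN$
# Live run: Get-RemoteAttackTimeline -Days 5 | Format-Table -AutoSize
```

Because the filter is applied by the event log service (FilterHashtable) rather than after the fact, this is markedly faster on a busy Security log than piping every event through Where-Object, and the IpAddress field of 5145 gives the source host of the share write, which the original one-liner does not surface.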
Active Connection Analysis:
The following one-liner displays the netstat output together with the name of the process that owns each non-loopback connection, in a more readable format than the netstat -anb output (which also requires elevation):
Command :- netstat -ano | Select-String -Pattern '\s+(TCP|UDP)' | foreach-object { $item = $_.line.split(' ',[System.StringSplitOptions]::RemoveEmptyEntries); if (($item[2] -notmatch '127.0.0.1:|\[::1\]:') -and ($item[2] -ne '*:*') -and ($item[2] -ne '0.0.0.0:0') -and ($item[2] -ne '[::]:0')) { ($item[0]+"`t"+$item[1]+"`t"+$item[2]+"`t"+$item[3]+"`t"+(get-process -id $item[4] -ErrorAction SilentlyContinue).Name) | ft } }
or, expanded with error handling for lines that carry no PID (UDP lines have only four columns, so $item[4] is empty) and for PIDs that no longer exist:
netstat -ano | Select-String -Pattern '\s+(TCP|UDP)' | foreach-object {
    $item = $_.line.split(' ',[System.StringSplitOptions]::RemoveEmptyEntries)
    if ($item[4] -ne $null -and $item[4] -ne '') {
        try {
            # -ErrorAction Stop turns a missing PID into a catchable error
            $process = Get-Process -Id $item[4] -ErrorAction Stop
            ($item[0]+"`t"+$item[1]+"`t"+$item[2]+"`t"+$item[3]+"`t"+$process.Name) | ft
        } catch {
            Write-Host "Error getting process for ID $($item[4]): $_"
        }
    } else {
        Write-Host "No valid Process ID found."
    }
}
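The fragile part of both one-liners is splitting netstat output by whitespace: TCP lines have five columns (protocol, local, foreign, state, PID) while UDP lines have four, so the PID is in a different position, and TIME_WAIT entries carry PID 0, which Get-Process cannot resolve. The following is an added example, not code from the original post, that parses netstat -ano into objects, handles both column layouts and IPv6 addresses, applies the same loopback and wildcard filters, and resolves the owning process where one exists. The function names ConvertFrom-NetstatOutput and Get-SuspiciousConnection and the sample netstat text are constructed for this example:

```powershell
# Added example (not from the original post): object-based parser for netstat -ano output.
# Function names are assumed names; the sample text below is constructed, not captured.

# Turn each netstat line into an object. TCP lines: Proto Local Foreign State PID.
# UDP lines have no State column, so the PID is the fourth field.
function ConvertFrom-NetstatOutput {
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            $f = $l.Trim() -split '\s+'
            if ($f[0] -notin 'TCP', 'UDP') { continue }     # skip the header and blank lines
            if ($f[0] -eq 'TCP') {
                [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
            } else {
                [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = '';    PID = [int]$f[3] }
            }
        }
    }
}

# Keep only connections with a real remote peer and a resolvable owner, then attach the process.
function Get-SuspiciousConnection {
    param([Parameter(ValueFromPipeline)]$Conn)
    process {
        # Same exclusions as the one-liner: loopback (IPv4 and IPv6), wildcard and unbound peers.
        if ($Conn.Remote -match '^(127\.|\[::1\]:)') { return }
        if ($Conn.Remote -in '*:*', '0.0.0.0:0', '[::]:0') { return }
        # PID 0 is the kernel / TIME_WAIT placeholder and cannot be opened with Get-Process.
        if ($Conn.PID -eq 0) { return }
        $p = Get-Process -Id $Conn.PID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $Conn.Proto
            Local   = $Conn.Local
            Remote  = $Conn.Remote
            State   = $Conn.State
            PID     = $Conn.PID
            Process = if ($p) { $p.Name } else { '<exited>' }
            Path    = if ($p) { $p.Path } else { $null }   # empty for processes you cannot open
        }
    }
}

# Constructed sample of netstat -ano output covering every case the parser has to handle.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     1234
  TCP    192.168.1.5:49731      93.184.216.34:443      ESTABLISHED     4212
  TCP    192.168.1.5:49800      10.0.0.25:4444         ESTABLISHED     5120
  TCP    [fe80::1%12]:49900     [fe80::2%12]:3389      ESTABLISHED     6000
  TCP    192.168.1.5:50001      93.184.216.34:443      TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2064
'@ -split "`r?`n"

# Offline run on the sample: three rows survive (PIDs 4212, 5120, 6000); the listener, the
# loopback pair, the TIME_WAIT entry and the UDP line are filtered out. Process names resolve
# only if those PIDs happen to exist on the machine running the script.
$sample | ConvertFrom-NetstatOutput | Get-SuspiciousConnection | Format-Table -AutoSize

# Live run on a Windows host (no elevation needed for netstat -ano itself):
# netstat -ano | ConvertFrom-NetstatOutput | Get-SuspiciousConnection | Format-Table -AutoSize
```

Two caveats carry over from the original filter: LISTENING sockets are excluded because their foreign address is 0.0.0.0:0, so a backdoor that only listens will not appear (drop that exclusion to see listeners), and on Windows 8 / Server 2012 and later, Get-NetTCPConnection and Get-NetUDPEndpoint return the same information as objects with an OwningProcess property, which removes the need to parse netstat text at all.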
NOTE:- Do not enable the Object Access\Detailed File Share setting on every type of server. On a domain controller, for example, the SYSVOL share is accessed by all domain clients, so this setting generates a large volume of events to store and analyze.