# Remote Service Creation

## Overview

| Field | Value |
|---|---|
| Author | G4rb3n |
| ATT&CK technique | T1021 |
| Created | 2021-2-4 |
| Modified | 2021-2-4 |

## Attack scenario

An attacker creates a service on a remote host to execute malicious code, achieving lateral movement.

## Attack simulation

## Threat hunting

### Hunting principle

Search for service creation operations whose logon type (LogonType) is 3, i.e. a network logon, and whose logon account is a non-privileged account; these are the attack behaviour of remote service creation.

| Log type | Log source | Behaviour | Event ID |
|---|---|---|---|
| Service | security | A user created a service | 4697 |
| Authentication log | security | A user logged on to a host | 4624 |

### Initialize the analysis engine

In [1]:

```python
from openhunt.mordorutils import *
spark = get_spark()
```

### Download and load the Mordor dataset

In [2]:

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 
```


### Attack log statistics

In [3]:

```python
df = spark.sql(
'''
SELECT Hostname, Channel, EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname, Channel, EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
```

```
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |1144 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |596  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |351  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |347  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |255  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |229  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |224  |
|WORKSTATION6               |Windows PowerShell                      |800    |169  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operati
```

### Matching attack logs with rules

Filter events with event ID 4624 (Authentication log):

In [4]:

```python
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, SubjectUserName, ServiceName, ProcessName, IpAddress
    FROM mordorTable
    WHERE Channel = "security"
        AND EventID = 4624
'''
)
df.show(20, False)
```

```
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|@timestamp              |Hostname                   |SubjectUserName|ServiceName|ProcessName|IpAddress  |
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|2020-09-20T16:16:58.212Z|WORKSTATION6.theshire.local|-              |null       |-          |172.18.39.5|
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
```



Filter events with event ID 4624 and logon type 3:

In [5]:

```python
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, SubjectUserName, ServiceName, ProcessName, IpAddress
    FROM mordorTable
    WHERE Channel = "security"
        AND EventID = 4624
        AND LogonType = 3
'''
)
df.show(20, False)
```

```
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|@timestamp              |Hostname                   |SubjectUserName|ServiceName|ProcessName|IpAddress  |
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|2020-09-20T16:16:58.212Z|WORKSTATION6.theshire.local|-              |null       |-          |172.18.39.5|
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
```



Filter events with event ID 4624, logon type 3, and a non-privileged logon user name:

In [6]:

```python
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, SubjectUserName, ServiceName, ProcessName, IpAddress
    FROM mordorTable
    WHERE Channel = "security"
        AND EventID = 4624
        AND LogonType = 3
        AND NOT TargetUserName LIKE "%$"
'''
)
df.show(20, False)
```

```
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|@timestamp              |Hostname                   |SubjectUserName|ServiceName|ProcessName|IpAddress  |
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|2020-09-20T16:16:58.212Z|WORKSTATION6.theshire.local|-              |null       |-          |172.18.39.5|
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
```



Filter events with event ID 4624, logon type 3 and a non-privileged logon user name, and correlate them with event ID 4697 through the logon ID:

In [7]:

```python
df = spark.sql(
'''
SELECT o.`@timestamp`, o.Hostname, o.SubjectUserName, o.ServiceName, a.ProcessName, a.IpAddress
FROM mordorTable o
INNER JOIN (
    SELECT TargetLogonId, ProcessName, IpAddress
    FROM mordorTable
    WHERE Channel = "security"
        AND EventID = 4624
        AND LogonType = 3
        AND NOT TargetUserName LIKE "%$"
    ) a
ON o.SubjectLogonId = a.TargetLogonId
WHERE o.Channel = "security"
    AND o.EventID = 4697
'''
)
df.show(20, False)
```

```
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|@timestamp              |Hostname                   |SubjectUserName|ServiceName|ProcessName|IpAddress  |
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
|2020-09-20T16:16:58.214Z|WORKSTATION6.theshire.local|pgustavo       |Updater    |-          |172.18.39.5|
+------------------------+---------------------------+---------------+-----------+-----------+-----------+
```



Extract the malicious code (ServiceFileName) of the newly created service:

In [8]:

```python
df = spark.sql(
'''
SELECT o.`@timestamp`, o.Hostname, o.SubjectUserName, o.ServiceName, a.IpAddress, o.ServiceFileName
FROM mordorTable o
INNER JOIN (
    SELECT TargetLogonId, ProcessName, IpAddress
    FROM mordorTable
    WHERE Channel = "security"
        AND EventID = 4624
        AND LogonType = 3
        AND NOT TargetUserName LIKE "%$"
    ) a
ON o.SubjectLogonId = a.TargetLogonId
WHERE o.Channel = "security"
    AND o.EventID = 4697
'''
)
df.show(20, 85)
```

```
+------------------------+---------------------------+---------------+-----------+-----------+-------------------------------------------------------------------------------------+
|              @timestamp|                   Hostname|SubjectUserName|ServiceName|  IpAddress|                                                                      ServiceFileName|
+------------------------+---------------------------+---------------+-----------+-----------+-------------------------------------------------------------------------------------+
|2020-09-20T16:16:58.214Z|WORKSTATION6.theshire.local|       pgustavo|    Updater|172.18.39.5|%COMSPEC% /C start /b C:\Windows\System32\WindowsPowershell\v1.0\powershell -noP -...|
+------------------------+---------------------------+---------------+-----------+-----------+-------------------------------------------------------------------------------------+
```
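As an added example (not part of the original notebook), the same 4624-to-4697 correlation in plain Python over constructed Security events, so it runs without Spark or the Mordor dataset: the inner pass keeps 4624 events with LogonType 3 whose TargetUserName does not end in `$` (the `%$` pattern matches computer accounts, so in practice the filter drops machine-account logons), and the outer pass joins 4697 events on SubjectLogonId. It goes one step beyond the SQL by scoping the join key to the Hostname, since a logon ID is only unique within one host. The helper names, sample values, and the shortened ServiceFileName are assumptions.

```python
# Constructed sample Security events in the column layout of the Mordor table
# above. Values are made up for this example; they are not rows from the dataset.
def _logon(ts, host, logon_type, user, logon_id, ip):
    return {"@timestamp": ts, "Channel": "security", "EventID": 4624, "Hostname": host,
            "LogonType": logon_type, "TargetUserName": user, "TargetLogonId": logon_id,
            "IpAddress": ip}

def _service(ts, host, user, logon_id, name, image):
    return {"@timestamp": ts, "Channel": "security", "EventID": 4697, "Hostname": host,
            "SubjectUserName": user, "SubjectLogonId": logon_id, "ServiceName": name,
            "ServiceFileName": image}

WS6 = "WORKSTATION6.theshire.local"
SAMPLE_EVENTS = [
    # Network logon (type 3) of a user account from a remote host, followed by a
    # service installed in that same logon session: what the hunt should report.
    _logon("2020-09-20T16:16:58.212Z", WS6, 3, "pgustavo", "0x9a1c3", "172.18.39.5"),
    _service("2020-09-20T16:16:58.214Z", WS6, "pgustavo", "0x9a1c3", "Updater",
             "%COMSPEC% /C start /b powershell -noP -..."),
    # Machine-account logon (name ends in $): dropped by the TargetUserName filter.
    _logon("2020-09-20T16:17:01.000Z", WS6, 3, "WORKSTATION5$", "0x9b000", "172.18.39.6"),
    _service("2020-09-20T16:17:01.050Z", WS6, "WORKSTATION5$", "0x9b000", "SyncSvc", "C:\\sync.exe"),
    # Interactive logon (type 2): local activity, not lateral movement, dropped.
    _logon("2020-09-20T16:18:00.000Z", WS6, 2, "bob", "0x9c000", "-"),
    _service("2020-09-20T16:18:05.000Z", WS6, "bob", "0x9c000", "LocalSvc", "C:\\local.exe"),
]

def remote_user_logons(events):
    """Inner subquery: 4624, LogonType 3, TargetUserName not ending in '$'. Keyed by
    (Hostname, TargetLogonId) since a logon ID is only unique within one host."""
    return {(e["Hostname"], e["TargetLogonId"]): e for e in events
            if e.get("Channel") == "security" and e.get("EventID") == 4624
            and e.get("LogonType") == 3 and not str(e.get("TargetUserName", "")).endswith("$")}

def hunt_remote_service_creation(events):
    """Outer query: 4697 events whose SubjectLogonId matches one of those logons."""
    logons = remote_user_logons(events)
    hits = []
    for e in events:
        logon = logons.get((e["Hostname"], e.get("SubjectLogonId")))
        if e.get("Channel") == "security" and e.get("EventID") == 4697 and logon:
            hits.append({"@timestamp": e["@timestamp"], "Hostname": e["Hostname"],
                         "SubjectUserName": e["SubjectUserName"], "ServiceName": e["ServiceName"],
                         "IpAddress": logon["IpAddress"], "ServiceFileName": e["ServiceFileName"]})
    return hits

if __name__ == "__main__":
    for hit in hunt_remote_service_creation(SAMPLE_EVENTS):
        print(hit)
```

Only the pgustavo session survives both filters, so the machine-account and interactive-logon service installs are not reported.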

