MS14-058 Exploit


- Tool Overview

Category: Privilege Escalation
Description: Executes a specified executable file with SYSTEM privileges.
Example of Presumed Tool Use During an Attack: This tool is used to execute an executable file requiring administrator privileges as a standard user.

- Tool Operation Overview

Item | Description
OS | Windows 7
Belonging to Domain | Not required
Rights | Standard user

- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)
Additional Settings
  • Host
    • Execution history (audit policy, Sysmon)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command ([Executable File of Tool] [Executable File Executed with Escalated Privileges])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file of the tool)
  • User: Execute as user (non-privileged user who executed the tool)
2 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (executable file of the tool)
  • Subject > Account Name: Name of the account that executed the tool (host name $)
3 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process (process ID of the tool executed in the immediately prior Sysmon Event ID: 1)
  • ParentImage: Executable file of the parent process (tool executed in the immediately prior Sysmon Event ID: 1)
  • CommandLine: Command line of the execution command ("executable file executed with escalated privileges" part specified by the command line of the immediately prior Sysmon Event ID 1)
  • ParentCommandLine: Command line of the parent process (CommandLine of the immediately prior Sysmon Event ID: 1)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • Hashes: Hash value of the executable file (hash of the "executable file executed with escalated privileges", which is specified by the command line of the immediately prior Sysmon Event ID: 1)
  • Image: Path to the executable file (executable file part of "executable file executed with escalated privileges", which is specified by the command line of the immediately prior Sysmon Event ID: 1)

USN journal

# | File Name | Process
1 | [Executable File of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE

MFT

# | Path | Header Flag | Validity
1 | [Drive Name]:\Windows\Prefetch\[Executable File of Tool]-[RANDOM].pf | FILE | ALLOCATED

Prefetch


- Details: Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CommandLine: Command line of the execution command ([Executable File of Tool] [Executable File Executed with Escalated Privileges])
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (non-privileged user who executed the tool)
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (executable file of the tool)
  | Security | 4688 | Process Create | A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (non-privileged user who executed the tool)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (executable file of the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process (process ID of the tool executed in the immediately prior Sysmon Event ID: 1)
  • ParentImage: Executable file of the parent process (tool executed in the immediately prior Sysmon Event ID: 1)
  • CurrentDirectory: Work directory (path to the tool)
  • CommandLine: Command line of the execution command ("executable file executed with escalated privileges" part specified by the command line of the immediately prior Sysmon Event ID 1)
  • IntegrityLevel: Privilege level (System)
  • ParentCommandLine: Command line of the parent process (CommandLine of the immediately prior Sysmon Event ID: 1)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • Hashes: Hash value of the executable file (hash of the "executable file executed with escalated privileges", which is specified by the command line of the immediately prior Sysmon Event ID: 1)
  • Image: Path to the executable file (executable file part of "executable file executed with escalated privileges", which is specified by the command line of the immediately prior Sysmon Event ID: 1)
  | Security | 4688 | Process Create | A new process has been created.
  • Subject > Account Name: Name of the account that executed the tool (host name $)
  • Log Date and Time: Process execution date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (domain that the host belongs to)
  • Process Information > New Process Name: Path to the executable file (executable file of the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. In Windows 7, "Creator Process ID" ("new process ID" in the immediately prior Event ID: 4688)
  • Subject > Logon ID: Session ID of the user who executed the process
3 | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/thread ID of the access source process (process ID of the tool)
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process (process ID of the executable file executed with escalated privileges)
  • GrantedAccess: Details of the granted access (0x1FFFFF)
  • SourceImage: Path to the access source process (executable file of the tool)
  • TargetImage: Path to the access destination process (path to the executable file executed with escalated privileges)
4 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
  | Security | 4656/4663 | File System | A handle to an object was requested. / An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Tool]-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool
  • Access Request Information > Access: Requested privilege
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
5 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file of the tool)
  | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool (host name $)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (domain that the host belongs to)
  • Process Information > Process Name: Path to the executable file (executable file of the tool)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
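The two Sysmon Event ID 1 records above form the sheet's core pattern: a parent process at Medium integrity run by a non-privileged user, and a child at System integrity running as NT AUTHORITY\SYSTEM whose command line is the tail of the parent's. The following Python is an added detection example, not part of the JPCERT sheet; the events are constructed dicts standing in for parsed Sysmon EventData, and the sample process GUIDs, user names and paths are made up.

```python
# Added example: correlate Sysmon Event ID 1 parent/child pairs matching the
# MS14-058 exploit pattern on this sheet, and note whether a Sysmon Event ID 10
# with GrantedAccess 0x1FFFFF from the tool to the child was also seen.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed sample events (not real log data). Field names follow the Sysmon
# EventData names quoted on the sheet.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{P}",
     "Image": r"C:\Users\alice\tool.exe", "User": "CORP\\alice",
     "IntegrityLevel": "Medium",
     "CommandLine": r"tool.exe C:\Users\alice\payload.exe"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Users\alice\payload.exe", "User": SYSTEM_USER,
     "IntegrityLevel": "System", "CommandLine": r"C:\Users\alice\payload.exe"},
    {"EventID": 10, "SourceProcessGUID": "{A}", "TargetProcessGUID": "{B}",
     "GrantedAccess": "0x1FFFFF"},
    # Benign SYSTEM child of a SYSTEM parent: must not be flagged.
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{S}",
     "Image": r"C:\Windows\System32\svchost.exe", "User": SYSTEM_USER,
     "IntegrityLevel": "System",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def find_escalations(events):
    """Return (parent_image, child_image, full_access_seen) for each hit."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    # Event ID 10 pairs where the tool opened the child with full access (0x1FFFFF).
    full_access = {(e["SourceProcessGUID"], e["TargetProcessGUID"])
                   for e in events
                   if e["EventID"] == 10 and int(e["GrantedAccess"], 16) == 0x1FFFFF}
    hits = []
    for child in procs.values():
        parent = procs.get(child["ParentProcessGuid"])
        if parent is None:
            continue  # parent's Event ID 1 not in scope; nothing to compare
        if child["User"] != SYSTEM_USER or child["IntegrityLevel"] != "System":
            continue
        if parent["User"] == SYSTEM_USER or parent["IntegrityLevel"] != "Medium":
            continue
        # Per the sheet, the child's CommandLine is the part of the parent's
        # CommandLine that named the file to run with escalated privileges.
        if child["CommandLine"].lower() not in parent["CommandLine"].lower():
            continue
        pair = (parent["ProcessGuid"], child["ProcessGuid"])
        hits.append((parent["Image"], child["Image"], pair in full_access))
    return hits
```

Pairing this with Security 4688 (Token Escalation Type 1, Subject changing from the user to "host name $") gives a second, Sysmon-independent source for the same correlation.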

- USN Journal

# | File Name | Process | Attribute
1 | [Executable File of Tool]-[RANDOM].pf | FILE_CREATE | archive+not_indexed
  | [Executable File of Tool]-[RANDOM].pf | DATA_EXTEND+FILE_CREATE | archive+not_indexed
  | [Executable File of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE | archive+not_indexed

- MFT

# | Path | Header Flag | Validity
1 | [Drive Name]:\Windows\Prefetch\[Executable File of Tool]-[RANDOM].pf | FILE | ALLOCATED

- Prefetch

# | Prefetch File | Process Name | Process Path | Information That Can Be Confirmed
1 | [Executable File of Tool]-[RANDOM].pf | [Executable File of Tool] | [Path to Tool] | Last Run Time (last execution date and time)