MS14-068 Exploit

- Tool Overview

Category: Capturing the Domain Administrator Privilege and Account Credentials
Description: Elevates the privileges of a domain user to domain administrator privileges.
Example of Presumed Tool Use During an Attack: Using a domain user account that has already been acquired, the tool is used to perform malicious operations while masquerading as a domain administrator.

- Tool Operation Overview

Item | Source host | Domain Controller
OS | Windows | Windows Server
Belonging to Domain | Required |
Rights | Standard user |
Communication Protocol | 88/tcp, 445/tcp
Service | Workstation | Active Directory Domain Service

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
  • Domain Controller
    • Whether elevated privileges were granted to a standard user, or whether such a request failed, is recorded (audit policy).

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command ([Path to Tool] -u [User Name] -s [User SID] -d [Domain])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: Execute as user
2 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command ([Path to Tool "mimikatz"] "kerberos::ptc TGT_[User Name]@[Domain].ccache" exit)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to tool "mimikatz")
  • User: Execute as user
3 | Security | 4663 | File System | An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that accessed the object (path to the tool)
  • Object > Object Name: Target file name ([Work Directory]\TGT_[User Name]@[Domain].ccache)

USN journal

# | File Name | Process
1 | TGT_[User Name]@[Domain Name].ccache | CLOSE+DATA_EXTEND+FILE_CREATE

MFT

# | Path | Header Flag | Validity
1 | [Work Directory]\TGT_[User Name]@[Domain Name].ccache | FILE | ALLOCATED

- Domain Controller

Event log

# | Log | Event ID | Task Category | Event Details
1 | Security | 4769 | Kerberos Service Ticket Operations | A Kerberos service ticket was requested. (The service ticket is requested with a ticket that carries an invalid SID; on a patched Domain Controller the request fails with Error Code 0x3C (general error).)

- Details: Source Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command ([Path to Tool] -u [User Name] -s [User SID] -d [Domain])
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the tool)
  | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Mandatory Label: Integrity level of the new process
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 12 | Registry object added or deleted (rule: RegistryEvent) | Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
  | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (executable file name of the tool)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID (process ID of the tool)
  • User: Execute as user
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
  | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the tool)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID
3 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file ([Work Directory]\TGT_[User Name]@[Domain].ccache)
  • CreationUtcTime: File creation date and time (UTC)
  | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Work Directory]\TGT_[User Name]@[Domain].ccache)
  • Process Information > Process Name: Name of the process that requested the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Work Directory]\TGT_[User Name]@[Domain].ccache)
  • Access Request Information > Access: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
  | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
4 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
5 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command ([Path to Tool "mimikatz"] "kerberos::ptc TGT_[User Name]@[Domain].ccache" exit)
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to tool "mimikatz")
  | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Mandatory Label: Integrity level of the new process
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to tool "mimikatz")
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
6 | Security | 4673 | Sensitive Privilege Use | A privileged service was called.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process > Process ID: ID of the process that used the privilege
  • Subject > Logon ID: Session ID of the user who executed the process
  • Service Request Information > Privilege: Privileges used (SeTcbPrivilege)
  • Process > Process Name: Process that used the privileges (path to the tool "mimikatz")
7 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to tool "mimikatz")
  | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to tool "mimikatz")
  • Subject > Logon ID: Session ID of the user who executed the process
8 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (Domain Controller host)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host)
  • SourceIp: Source IP address (source host IP address)
  | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (System)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID
9 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (Domain Controller host)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host)
  • SourceIp: Source IP address (source host IP address)
  | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID

- USN Journal

# | File Name | Process | Attribute
1 | TGT_[User Name]@[Domain Name].ccache | FILE_CREATE | archive
  | TGT_[User Name]@[Domain Name].ccache | DATA_EXTEND+FILE_CREATE | archive
  | TGT_[User Name]@[Domain Name].ccache | CLOSE+DATA_EXTEND+FILE_CREATE | archive

- MFT

# | Path | Header Flag | Validity
1 | [Work Directory]\TGT_[User Name]@[Domain Name].ccache | FILE | ALLOCATED

- Details: Destination Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (88)
  • SourceHostname: Source host name (Domain Controller host)
  • SourceIp: Source IP address (Domain Controller IP address)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (88)
  • Network Information > Destination Address: Destination IP address (source host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller IP address)
  • Application Information > Process ID: Process ID
2 | Security | 4768 | Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested.
  • Network Information > Client Address: Request source IP address of the ticket (source host IP address)
  • Account Information > Supplied Realm Name: Account domain (domain)
  • Additional Information > Ticket Option: Ticket setting details (0x50800000)
  • Account Information > Account Name: Name of the account from which the ticket was requested (user name)
  • Additional Information > Result Code: Ticket processing result (0x0)
  • Network Information > Client Port: Source port number of the ticket request (high port)
  • Account Information > User ID: SID of the account (SID of the user)
  | Security | 4769 | Kerberos Service Ticket Operations | A Kerberos service ticket was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host IP address)
  • Account Information > Account Domain: Account domain (domain)
  • Account Information > Account Name: Name of the account from which the ticket was requested ([User Name]@[Domain])
  • Additional Information > Ticket Option: Ticket setting details (0x50800000)
  • Additional Information > Error Code: Ticket processing result (0x0)
  • Service Information > Service Name: Service name of the ticket (krbtgt)
  • Account Information > Logon GUID: Session ID of the logon
  • Service Information > Service ID: SID of the service (Kerberos SID)
  • Network Information > Client Port: Source port number of the ticket request (high port)
3 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (source host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller IP address)
  • Application Information > Process ID: Process ID
4 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (88)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (88)
  • Network Information > Destination Address: Destination IP address (source host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (C:\Windows\System32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller IP address)
  • Application Information > Process ID: Process ID
5 | Security | 4769 | Kerberos Service Ticket Operations | A Kerberos service ticket was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host IP address)
  • Account Information > Account Domain: Account domain (domain)
  • Account Information > Account Name: Name of the account from which the ticket was requested ([User Name]@[Domain])
  • Additional Information > Ticket Option: Ticket settings (0x40810000)
  • Additional Information > Error Code: Ticket processing result (0x3C)
  • Service Information > Service Name: Service name of the ticket (krbtgt)
  • Account Information > Logon GUID: Session ID of the logon ({00000000-0000-0000-0000-000000000000})
  • Service Information > Service ID: SID of the service (NULL SID)
  • Network Information > Client Port: Source port number of the ticket request (high port)
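
The tables above describe the evidence this tool leaves on the source host (Sysmon Event ID 1 and 11, the ccache file) and on the Domain Controller (Event ID 4768 followed by a 4769 with Error Code 0x3C, a NULL service SID and an all-zero Logon GUID). The following Python script is an added example, not part of this page or of JPCERT/CC's material: it runs those checks over constructed event records and ties the Domain Controller's rejection back to the source host by Client Address. The field names follow the tables; the host names, addresses, file paths, tool file name and the sample events are constructed, and the helpers (`decode_ticket_options`, `check_event`, `scan`, `correlate_by_source`) are hypothetical names chosen for this example.

```python
import re

# KDCOptions bit values (RFC 4120, bit 0 = most significant bit) as shown in the
# "Ticket Options" field of Event ID 4768/4769.
KDC_OPTIONS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x04000000: "allow-postdate",
    0x02000000: "postdated",
    0x00800000: "renewable",
    0x00010000: "canonicalize",
    0x00000020: "disable-transited-check",
    0x00000010: "renewable-ok",
    0x00000008: "enc-tkt-in-skey",
    0x00000002: "renew",
    0x00000001: "validate",
}

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Command-line shapes listed on the page: "[Tool] -u [User] -s [SID] -d [Domain]"
# and mimikatz "kerberos::ptc TGT_[User]@[Domain].ccache".
TOOL_ARGS = re.compile(r"\s-u\s+\S+\s+-s\s+S-1-5-21-[\d-]+\s+-d\s+\S+", re.IGNORECASE)
PTC_ARGS = re.compile(r"kerberos::ptc\s+\S*\.ccache", re.IGNORECASE)


def decode_ticket_options(value):
    """Names of the KDCOptions bits set in a Ticket Options value such as '0x40810000'."""
    bits = int(value, 16) if isinstance(value, str) else value
    return [name for bit, name in sorted(KDC_OPTIONS.items(), reverse=True) if bits & bit]


def check_event(ev):
    """Return a finding string if one event matches the MS14-068 evidence, else None."""
    log, eid = ev["log"], ev["event_id"]
    if log == "Security" and eid == 4769:
        # Patched DC: the ticket with the invalid SID is rejected with 0x3C, and the
        # event carries a NULL service SID and an all-zero Logon GUID.
        if (ev.get("ErrorCode", "").lower() == "0x3c"
                and ev.get("ServiceName", "").lower() == "krbtgt"
                and ev.get("ServiceID") == "NULL SID"
                and ev.get("LogonGuid") == NULL_GUID):
            opts = ",".join(decode_ticket_options(ev.get("TicketOptions", "0x0")))
            return (f"TGS-REQ from {ev.get('ClientAddress')} rejected with 0x3C "
                    f"(NULL service SID, zero Logon GUID, options={opts})")
    elif log == SYSMON and eid == 1:
        cmd = ev.get("CommandLine", "")
        if TOOL_ARGS.search(cmd):
            return f"tool launched with -u/-s/-d arguments: {cmd}"
        if PTC_ARGS.search(cmd):
            return f"ccache file injected with kerberos::ptc: {cmd}"
    elif log == SYSMON and eid == 11:
        name = ev.get("TargetFilename", "")
        if name.lower().endswith(".ccache") and "tgt_" in name.lower():
            return f"TGT ccache written: {name} (by {ev.get('Image')})"
    return None


def scan(events):
    """Return (host, event_id, finding) for every event that matches."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append((ev["host"], ev["event_id"], hit))
    return findings


def correlate_by_source(events):
    """Group findings by the source host's address: DC Kerberos events are keyed by
    their Client Address, source-host events by that host's own address, so one key
    collects the evidence from both sides of the exchange."""
    chains = {}
    for ev in events:
        hit = check_event(ev)
        if not hit:
            continue
        key = ev.get("ClientAddress") if ev["event_id"] in (4768, 4769) else ev["host_ip"]
        chains.setdefault(key, []).append((ev["host"], ev["event_id"], hit))
    return chains


# Constructed sample events (names, addresses and paths are illustrative only).
SAMPLE_EVENTS = [
    {"host": "WS01", "host_ip": "192.0.2.10", "log": SYSMON, "event_id": 1,
     "Image": r"C:\Users\user01\tools\ms14-068.exe", "User": r"EXAMPLE\user01",
     "CommandLine": r"C:\Users\user01\tools\ms14-068.exe -u user01 -s S-1-5-21-1111111111-2222222222-3333333333-1105 -d example.local"},
    {"host": "WS01", "host_ip": "192.0.2.10", "log": SYSMON, "event_id": 11,
     "Image": r"C:\Users\user01\tools\ms14-068.exe",
     "TargetFilename": r"C:\Users\user01\tools\TGT_user01@example.local.ccache"},
    {"host": "WS01", "host_ip": "192.0.2.10", "log": SYSMON, "event_id": 1,
     "Image": r"C:\Users\user01\tools\mimikatz.exe", "User": r"EXAMPLE\user01",
     "CommandLine": r'C:\Users\user01\tools\mimikatz.exe "kerberos::ptc TGT_user01@example.local.ccache" exit'},
    # Normal TGT issuance before the attempt; not a finding on its own.
    {"host": "DC01", "host_ip": "192.0.2.5", "log": "Security", "event_id": 4768,
     "ClientAddress": "192.0.2.10", "AccountName": "user01", "TicketOptions": "0x50800000", "ResultCode": "0x0"},
    {"host": "DC01", "host_ip": "192.0.2.5", "log": "Security", "event_id": 4769,
     "ClientAddress": "192.0.2.10", "AccountName": "user01@example.local", "ServiceName": "krbtgt",
     "ServiceID": "NULL SID", "LogonGuid": NULL_GUID, "TicketOptions": "0x40810000", "ErrorCode": "0x3C"},
    # Benign service-ticket request from another client; must not be flagged.
    {"host": "DC01", "host_ip": "192.0.2.5", "log": "Security", "event_id": 4769,
     "ClientAddress": "192.0.2.20", "AccountName": "user02@example.local", "ServiceName": "krbtgt",
     "ServiceID": "S-1-5-21-1111111111-2222222222-3333333333-502",
     "LogonGuid": "{6f1c1b6e-0f0e-4d20-9a5e-2b4c1d3e5f60}", "TicketOptions": "0x40810000", "ErrorCode": "0x0"},
]

if __name__ == "__main__":
    for src, items in correlate_by_source(SAMPLE_EVENTS).items():
        print(f"== evidence chain for source {src} ==")
        for host, eid, hit in items:
            print(f"  [{host}] EID {eid}: {hit}")
```

Error Code 0x3C by itself is not specific to this tool, which is why the 4769 check also requires the NULL service SID and the all-zero Logon GUID shown in the table; the source-host findings (tool command line, ccache file, kerberos::ptc) keyed under the same client address are what turn a single rejected request into a usable evidence chain. The ticket-option decoder reproduces the values in the tables: 0x50800000 is forwardable, proxiable, renewable and 0x40810000 is forwardable, renewable, canonicalize.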

- Packet Capture

# | Process | Source Host | Source Port Number | Destination Host | Destination Port Number | Protocol/Application
1 | AS-REQ ("include-pac" in Kerberos > as-req > padata > PA-DATA PA-PAC-REQUEST in the message indicates "False".) | [Source Host] | [High Port] | [Domain Controller] | 88 | KRB5
  | AS-REP | [Domain Controller] | 88 | [Source Host] | [High Port] | KRB5
2 | TGS-REQ ("include-pac" in Kerberos > tgs-req > padata > PA-DATA PA-PAC-REQUEST in the message indicates "False".) | [Source Host] | [High Port] | [Domain Controller] | 88 | TCP
  | TGS-REP ("etype" in Kerberos > tgs-rep > ticket > enc-part in the message indicates "eTYPE-ARCFOUR-HMAC-MD5 (23)".) | [Domain Controller] | 88 | [Source Host] | [High Port] | TCP
3 | TGS-REQ (the "enc-part" in Kerberos > tgs-req > padata > PA-DATA PA-TGS-REQ > padata-type > padata-value > ap-req > ticket in the message is the same as the content received in the immediately preceding TGS-REP (eTYPE-ARCFOUR-HMAC-MD5).) | [Source Host] | [High Port] | [Domain Controller] | 88 | KRB5
  | KRB Error: KRB5KRB_ERR_GENERIC (presumably returned because Error Code 0x3C, recorded in Domain Controller Event ID 4769, indicates a general error.) | [Domain Controller] | 88 | [Source Host] | [High Port] | KRB5