├── README.md
├── css
│   ├── bootstrap.min.css
│   └── dashboard.css
├── details
│   ├── AceHash.htm
│   ├── BITS.htm
│   ├── BeginX.htm
│   ├── FakeWpad.htm
│   ├── Find-GPOPasswords.htm
│   ├── Htran.htm
│   ├── MS14-058.htm
│   ├── MS14-068.htm
│   ├── MS15-078.htm
│   ├── Mimikatz_GoldenTicket.htm
│   ├── Mimikatz_SilverTicket.htm
│   ├── Mimikatz_lsadump-sam.htm
│   ├── Mimikatz_sekurlsa-logonpasswords.htm
│   ├── Mimikatz_sekurlsa-tickets.htm
│   ├── PWDumpX.htm
│   ├── PowerMemory.htm
│   ├── PowerSploit_GetGPPPassword.htm
│   ├── PowerSploit_Invoke-Mimikatz.htm
│   ├── PowerSploit_Out-Minidump.htm
│   ├── PsExec.htm
│   ├── PwDump7.htm
│   ├── QuarksPWDump.htm
│   ├── RemoteLogin-Mimikatz.htm
│   ├── RemoteLogin-WCE.htm
│   ├── SDB-UAC-Bypass.htm
│   ├── WCE.htm
│   ├── WebBrowserPassView.htm
│   ├── WinRM.htm
│   ├── WinRS.htm
│   ├── common
│   │   ├── script.js
│   │   └── style.css
│   ├── csvde.htm
│   ├── dcdiag.htm
│   ├── dsquery.htm
│   ├── gsecdump.htm
│   ├── klist-purge.htm
│   ├── ldifde.htm
│   ├── lslsass.htm
│   ├── mstsc.htm
│   ├── net-use.htm
│   ├── net-user.htm
│   ├── nltest.htm
│   ├── nmap.htm
│   ├── ntdsutil.htm
│   ├── schtasks.htm
│   ├── sdelete.htm
│   ├── timestomp.htm
│   ├── vssadmin.htm
│   ├── wevtutil.htm
│   ├── wmic.htm
│   └── wmiexec-vbs.htm
├── index.html
├── js
│   ├── bootstrap.min.js
│   └── jquery.min.js
├── overview.html
└── tool-list.html

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Tool Analysis Result Sheet

This repository summarizes the results of examining the logs recorded in Windows upon execution of 49 tools that are likely to be used by an attacker who has infiltrated a network.

The Tool Analysis Result Sheet is created in HTML and can be viewed at the following URL:

https://jpcertcc.github.io/ToolAnalysisResultSheet/

A report that outlines this research and how to use it is published below. When using the Tool Analysis Result Sheet, we recommend checking the report.
[Detecting Lateral Movement through Tracking Event Logs (Version 2)](http://www.jpcert.or.jp/english/pub/sr/ir_research.html)

--------------------------------------------------------------------------------
/css/dashboard.css:
--------------------------------------------------------------------------------
```css
/*
 * Base structure
 */

/* Move down content because we have a fixed navbar that is 50px tall */
body {
  padding-top: 50px;
}

/*
 * Typography
 */

h1 {
  margin-bottom: 20px;
  padding-bottom: 9px;
  border-bottom: 1px solid #eee;
}

/*
 * Sidebar
 */

.sidebar {
  position: fixed;
  top: 51px;
  bottom: 0;
  left: 0;
  z-index: 1000;
  padding: 10px;
  overflow-x: hidden;
  overflow-y: auto; /* Scrollable contents if viewport is shorter than content. */
  border-right: 1px solid #eee;
  background-color: #c0c0c0;
}

/* Sidebar navigation */
.sidebar {
  padding-left: 0;
  padding-right: 0;
}

.sidebar .nav {
  margin-bottom: 10px;
  font-weight: bold;
  color: #fffafa;
}

.sidebar .nav-item {
  width: 100%;
  padding: 0px 0px 0px 10px;
  font-weight: normal;
}

.sidebar .nav-item + .nav-item {
  margin-left: 0;
}

.sidebar .nav-link {
  border-radius: 0;
}

/*
 * Dashboard
 */

/* Placeholders */
.placeholders {
  padding-bottom: 3rem;
}

.placeholder img {
  padding-top: 1.5rem;
  padding-bottom: 1.5rem;
}
```

--------------------------------------------------------------------------------
/details/Mimikatz_lsadump-sam.htm:
--------------------------------------------------------------------------------
Page title: mimikatz (Password and Hash Dump)

# mimikatz > lsadump::sam

## Tool Overview

- Category: Password and Hash Dump
- Description: Steals authentication information stored in the OS.
- Example of Presumed Tool Use During an Attack: This tool is used to acquire a user's password and use it for unauthorized login.

## Tool Operation Overview

| Item | Description |
| --- | --- |
| OS | Windows |
| Belonging to Domain | Not required |
| Rights | Administrator |

## Information Acquired from Log

Standard Settings
• Host
  • Execution history (Prefetch)

Additional Settings
• Host
  • Execution history (audit policy, Sysmon)
  • Access to winlogon.exe (Sysmon)

## Evidence That Can Be Confirmed When Execution is Successful

## Main Information Recorded at Execution

### Host

Event log

#1
Log: Microsoft-Windows-Sysmon/Operational, Event ID: 1, Task Category: Process Create (rule: ProcessCreate). Event Details: Process Create.
  • CommandLine: Command line of the execution command (path to the tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: User the tool was executed as

#2
Log: Microsoft-Windows-Sysmon/Operational, Event ID: 10, Task Category: Process accessed (rule: ProcessAccess). Event Details: Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • SourceImage: Path to the access source process (path to the tool)
  • TargetImage: Path to the access destination process (C:\Windows\system32\winlogon.exe)

Prefetch

## Details: Host

### Event Log

#1
Event Log: Microsoft-Windows-Sysmon/Operational, Event ID: 1, Task Category: Process Create (rule: ProcessCreate). Event Details: Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (path to the tool)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User the tool was executed as
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the tool)

Event Log: Security, Event ID: 4688, Task Category: Process Create. Event Details: A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
  • Subject > Logon ID: Session ID of the user who executed the process

#2
Event Log: Security, Event ID: 4673, Task Category: Sensitive Privilege Use. Event Details: A privileged service was called.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process > Process ID: ID of the process that used the privilege (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Service Request Information > Privilege: Privileges used (SeTcbPrivilege)
  • Process > Process Name: Process that used the privilege

#3
Event Log: Microsoft-Windows-Sysmon/Operational, Event ID: 11, Task Category: File created (rule: FileCreate). Event Details: File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)

Event Log: Security, Event ID: 4656, Task Category: File System/Other Object Access Events. Event Details: A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle

Event Log: Security, Event ID: 4663, Task Category: File System. Event Details: An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

Event Log: Security, Event ID: 4658, Task Category: File System. Event Details: The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

#4
Event Log: Security, Event ID: 4703, Task Category: Token Right Adjusted Events. Event Details: A token right was adjusted.
  • Disabled Privileges: Disabled privileges (-)
  • Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain
  • Target Account > Logon ID: Session ID of the target user
  • Enabled Privileges: Enabled privileges (SeDebugPrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Process Information > Process ID: ID of the executed process
  • Process Information > Process Name: Name of the process executed (path to the tool)

Event Log: Microsoft-Windows-Sysmon/Operational, Event ID: 10, Task Category: Process accessed (rule: ProcessAccess). Event Details: Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access
  • SourceImage: Path to the access source process (path to the tool)
  • TargetImage: Path to the access destination process (C:\Windows\system32\winlogon.exe)

#5
Event Log: Microsoft-Windows-Sysmon/Operational, Event ID: 5, Task Category: Process terminated (rule: ProcessTerminate). Event Details: Process terminated.
  • UtcTime: Process termination date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)

Event Log: Security, Event ID: 4689, Task Category: Process Termination. Event Details: A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0xC000013A)
  • Log Date and Time: Process termination date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process

### USN Journal

| # | File Name | Process | Attribute |
| --- | --- | --- | --- |
| 1 | [Executable File Name of Tool]-[RANDOM].pf | FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | DATA_EXTEND+FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE | archive+not_indexed |

### MFT

| # | Path | Header Flag | Validity |
| --- | --- | --- | --- |
| 1 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED |

### Prefetch

| # | Prefetch File | Process Name | Process Path | Information That Can Be Confirmed |
| --- | --- | --- | --- | --- |
| 1 | C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | [Executable File Name of Tool] | [Path to Tool] | Last Run Time (last execution date and time) |
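The Details: Host event log above lists the events that a run of lsadump::sam leaves on the host. The script below is an added example (not part of the JPCERT sheet) that correlates those events into a single alert keyed on the dumping process: Sysmon Event ID 1 (process create), Sysmon Event ID 10 with TargetImage winlogon.exe, Security 4703 enabling SeDebugPrivilege and Security 4673 using SeTcbPrivilege. The event records are constructed dicts whose field names follow the sheet; the image paths, GUIDs and PIDs are made up for the example, and reading real EVTX data is out of scope.

```python
"""Correlate the host events the sheet records for mimikatz lsadump::sam.

Added example; not code from the JPCERT repository. Each record is a
flat dict with the field names used in the sheet's tables. Security
events carry hexadecimal PIDs ("0x10e1"), Sysmon carries decimal ones,
so PIDs are normalised before they are used as the correlation key.
"""
from collections import defaultdict

SYSMON = "Microsoft-Windows-Sysmon/Operational"
WINLOGON = r"c:\windows\system32\winlogon.exe"

# Constructed sample events (paths, GUIDs and PIDs are made up).
SAMPLE_EVENTS = [
    {"Log": SYSMON, "EventID": 1, "ProcessGuid": "{A1}", "ProcessId": 4321,
     "Image": r"C:\Tools\mimikatz.exe", "CommandLine": r"C:\Tools\mimikatz.exe",
     "User": "LAB\\admin", "IntegrityLevel": "High",
     "UtcTime": "2017-06-01 10:00:01.000"},
    {"Log": "Security", "EventID": 4703, "ProcessId": "0x10e1",
     "ProcessName": r"C:\Tools\mimikatz.exe",
     "EnabledPrivileges": "SeDebugPrivilege", "DisabledPrivileges": "-"},
    {"Log": SYSMON, "EventID": 10, "SourceProcessGUID": "{A1}",
     "SourceProcessId": 4321, "SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\winlogon.exe",
     "GrantedAccess": "0x1010"},
    {"Log": "Security", "EventID": 4673, "ProcessId": "0x10e1",
     "ProcessName": r"C:\Tools\mimikatz.exe", "Privilege": "SeTcbPrivilege"},
    # Benign noise: a monitoring agent opens winlogon.exe but never enables
    # SeDebugPrivilege or calls a privileged service with SeTcbPrivilege.
    {"Log": SYSMON, "EventID": 1, "ProcessGuid": "{B2}", "ProcessId": 777,
     "Image": r"C:\Program Files\Agent\agent.exe",
     "CommandLine": r"C:\Program Files\Agent\agent.exe",
     "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System",
     "UtcTime": "2017-06-01 10:00:05.000"},
    {"Log": SYSMON, "EventID": 10, "SourceProcessGUID": "{B2}",
     "SourceProcessId": 777, "SourceImage": r"C:\Program Files\Agent\agent.exe",
     "TargetImage": r"C:\Windows\system32\winlogon.exe",
     "GrantedAccess": "0x1000"},
]


def pid_of(value):
    """Normalise a PID: Security events log hex strings, Sysmon decimal."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def indicators_by_process(events):
    """Map each PID to the set of sheet indicators observed for it.

    PIDs are reused by Windows, so a production rule would additionally
    bound the correlation by time and by the 4688 logon session.
    """
    found = defaultdict(lambda: {"image": None, "indicators": set()})
    for ev in events:
        log, eid = ev["Log"], ev["EventID"]
        if log == SYSMON and eid == 1:
            rec = found[pid_of(ev["ProcessId"])]
            rec["image"] = ev["Image"]
            rec["indicators"].add("process_create")
        elif log == SYSMON and eid == 10 and ev["TargetImage"].lower() == WINLOGON:
            rec = found[pid_of(ev["SourceProcessId"])]
            rec["image"] = rec["image"] or ev["SourceImage"]
            rec["indicators"].add("winlogon_access")
        elif log == "Security" and eid == 4703 \
                and "SeDebugPrivilege" in ev.get("EnabledPrivileges", ""):
            rec = found[pid_of(ev["ProcessId"])]
            rec["image"] = rec["image"] or ev["ProcessName"]
            rec["indicators"].add("sedebug_enabled")
        elif log == "Security" and eid == 4673 \
                and ev.get("Privilege") == "SeTcbPrivilege":
            rec = found[pid_of(ev["ProcessId"])]
            rec["image"] = rec["image"] or ev["ProcessName"]
            rec["indicators"].add("setcb_used")
    return found


def correlate(events):
    """Alert on a process that opened winlogon.exe AND enabled or used a
    dangerous privilege; opening winlogon.exe alone is too noisy on its own."""
    alerts = []
    for pid, rec in indicators_by_process(events).items():
        ind = rec["indicators"]
        if "winlogon_access" in ind and ind & {"sedebug_enabled", "setcb_used"}:
            alerts.append({"pid": pid, "image": rec["image"],
                           "indicators": sorted(ind)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("credential dump suspected:", alert)
```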
--------------------------------------------------------------------------------
/details/PwDump7.htm:
--------------------------------------------------------------------------------
# PwDump7
## Tool Overview

- Category: Password and Hash Dump
- Description: Displays a list of the password hashes on the host.
- Example of Presumed Tool Use During an Attack: This tool is used to acquire hash information that is then used to log on to other hosts.

## Tool Operation Overview

| Item | Description |
| --- | --- |
| OS | Windows |
| Belonging to Domain | Not required |
| Rights | Administrator |

## Information Acquired from Log

Standard Settings
• Host
  • Execution history (Prefetch)

Additional Settings
• Host
  • Execution history (audit policy, Sysmon)

## Evidence That Can Be Confirmed When Execution is Successful

## Main Information Recorded at Execution

### Host

Event log

#1
Log: Microsoft-Windows-Sysmon/Operational, Event ID: 1, Task Category: Process Create (rule: ProcessCreate). Event Details: Process Create.
  • CommandLine: Command line of the execution command
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file name of the tool)
  • User: User the tool was executed as

#2
Log: Security, Event ID: 4689, Task Category: Process Termination. Event Details: A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Log Date and Time: Process termination date and time (local time)
  • Process Information > Exit Status: Process return value
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file

USN journal

| # | File Name | Process |
| --- | --- | --- |
| 1 | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE |

MFT

| # | Path | Header Flag | Validity |
| --- | --- | --- | --- |
| 1 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED |

Prefetch

## Details: Host

### Event Log

#1
Event Log: Microsoft-Windows-Sysmon/Operational, Event ID: 1, Task Category: Process Create (rule: ProcessCreate). Event Details: Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CommandLine: Command line of the execution command
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User the tool was executed as
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (executable file name of the tool)

Event Log: Security, Event ID: 4688, Task Category: Process Create. Event Details: A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (executable file name of the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (2)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
  • Subject > Logon ID: Session ID of the user who executed the process

#2
Event Log: Microsoft-Windows-Sysmon/Operational, Event ID: 5, Task Category: Process terminated (rule: ProcessTerminate). Event Details: Process terminated.
  • UtcTime: Process termination date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file name of the tool)

Event Log: Security, Event ID: 4689, Task Category: Process Termination. Event Details: A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value
  • Log Date and Time: Process termination date and time (local time)
  • Process Information > Process Name: Path to the executable file
  • Subject > Logon ID: Session ID of the user who executed the process

#3
Event Log: Microsoft-Windows-Sysmon/Operational, Event ID: 11, Task Category: File created (rule: FileCreate). Event Details: File created.
  • Image: Path to the executable file (executable file name of the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)

Event Log: Security, Event ID: 4656, Task Category: File System/Other Object Access Events. Event Details: A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle

Event Log: Security, Event ID: 4663, Task Category: File System. Event Details: An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with the immediately preceding Event ID 4656)

Event Log: Security, Event ID: 4658, Task Category: File System. Event Details: The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with the immediately preceding Event ID 4656)

### USN Journal

| # | File Name | Process | Attribute |
| --- | --- | --- | --- |
| 1 | [Executable File Name of Tool]-[RANDOM].pf | FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | DATA_EXTEND+FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE | archive+not_indexed |

### MFT

| # | Path | Header Flag | Validity |
| --- | --- | --- | --- |
| 1 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED |

### Prefetch

| # | Prefetch File | Process Name | Process Path | Information That Can Be Confirmed |
| --- | --- | --- | --- | --- |
| 1 | C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | [Executable File Name of Tool] | \VOLUME{[GUID]}\[Path to the Tool] | Last Run Time (last execution date and time) |

--------------------------------------------------------------------------------
/details/common/script.js:
--------------------------------------------------------------------------------
```javascript
// Toggle one collapsible section and flip its +/- button label.
function showhide(id) {
  var bspace = document.getElementById("div-" + id);
  var button = document.getElementById("a-" + id);
  if (bspace.style.display != "none") {
    bspace.style.display = "none";
    button.innerHTML = "+";
  } else {
    bspace.style.display = "block";
    button.innerHTML = "-";
  }
}

// Open ('s') or close ('h') every section that exists on the page.
function collapseall(mode) {
  var items = ['Summary', 'ExecCondition', 'Findings', 'SuccessCondition', 'KeyEvents', 'HostDetails', 'SourceDetails', 'DestinationDetails', 'ADDetails', 'Packets', 'Notes'];
  for (var i = 0; i < items.length; i++) {
    var elem_div = document.getElementById("div-" + items[i]);
    var elem_a = document.getElementById("a-" + items[i]);
    if ((elem_div == null) || (elem_a == null)) continue;
    if (mode == 's') {
      elem_div.style.display = "block";
      elem_a.innerHTML = "-";
    } else if (mode == 'h') {
      elem_div.style.display = "none";
      elem_a.innerHTML = "+";
    }
  }
}
```

--------------------------------------------------------------------------------
/details/common/style.css:
--------------------------------------------------------------------------------
```css
* {
  font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "游ゴシック体", "Yu Gothic", YuGothic, "Hiragino Kaku Gothic ProN", Meiryo, sans-serif;
}

a.collapse {
  border: 1px solid;
  color: #000000;
  font-size: smaller;
  font-weight: normal;
  padding-left: 5px;
  padding-right: 5px;
  text-decoration: none;
  font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "游ゴシック体", "Yu Gothic", YuGothic, "Hiragino Kaku Gothic ProN", Meiryo, sans-serif;
}

h1.title {
  background-color: #000000;
  color: #FFFFFF;
}

h2.section {
}

div.section {
  display: block;
  margin-bottom: 5em;
  padding-left: 1%;
  padding-right: 1%;
}

div.toc {
  display: block;
  margin-bottom: 5em;
  padding-left: 1%;
  padding-right: 1%;
}

dl.table {
}

dt.table {
  border-bottom-width: 1px;
  border-bottom-style: solid;
  border-bottom-color: #000000;
  border-left-width: 6px;
  border-left-style: solid;
  border-left-color: #000000;
  font-weight: bold;
  margin-bottom: 1em;
  margin-top: 2em;
  padding-bottom: 3px;
  padding-left: 10px;
}

dd.table {
  margin-left: 0;
}

hr.section_divider {
  border-color: #CCCCCC;
  border-style: solid;
  border-width: 3px;
}

span.strong {
  font-weight: bold;
}

table.border {
  border-color: #000000;
  border-style: solid;
  border-width: 2px;
}

td.border {
  border-style: solid;
  border-width: 1px;
  padding-left: 1em;
  padding-right: 1em;
}

td.border_header {
  border-style: solid;
  border-width: 1px;
  font-weight: bold;
  padding-left: 1em;
  padding-right: 1em;
}

th.border_header {
  background-color: #000000 !important;
  border-style: solid;
  border-width: 1px;
  color: #FFFFFF;
  font-weight: bold;
  padding-left: 1em;
  padding-right: 1em;
}

tr.border {
  border-style: solid;
  border-width: 1px;
}

@media print {
  a.collapse {
    display: none;
  }
  div.toc {
    display: none;
    margin-bottom: 5em;
    padding-left: 1%;
    padding-right: 1%;
  }
  h2.toc {
    display: none;
  }
  p.toc_command {
    display: none;
  }
  thead {
    display: table-header-group;
  }
}
```
-------------------------------------------------------------------------------- /details/dsquery.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | dsquery 6 | 7 | 8 | 9 | 10 |

dsquery

11 |

- Table of Contents

12 |
13 | 22 |

Open all sections | Close all sections

23 |
24 |
25 |

- Tool Overview

26 |
27 |
28 |
Category
29 |
Information Collection
30 |
Description
31 |
Acquires information, such as users and groups, from the Active Directory.
32 |
Example of Presumed Tool Use During an Attack
33 |
This tool is used to collect information on the Active Directory and select users and hosts that can be attack targets.
34 |
35 |
36 |

- Tool Operation Overview

37 |
38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 |
ItemDescription
OSWindows Server
Belonging to DomainNot required
RightsStandard user (However, information that cannot be acquired exists depending on the user privileges.)
Communication Protocol389/tcp
ServiceActive Directory Domain Services
68 |
69 |

- Information Acquired from Log

70 |
71 |
72 |
Standard Settings
73 |
    74 |
  • Host
      75 |
    • Execution history (Prefetch)
    • 76 |
  • 77 |
78 |
Additional Settings
79 |
    80 |
  • Host
      81 |
    • Execution history (Sysmon, audit policy)
    • 82 |
  • 83 |
84 |
85 |
86 |

- Evidence That Can Be Confirmed When Execution is Successful


- Main Information Recorded at Execution


- Domain Controller


Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command (path to the tool; the filter conditions used can be identified)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: User who executed the tool
2 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0 if successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (path to the tool)
3 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (port: 389)
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number

- Details: Domain Controller


- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • Image: Path to the executable file (path to the tool)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User who executed the tool
  • Hashes: Hash value of the executable file
  • CommandLine: Command line of the execution command (path to the tool; the filter conditions used can be identified)
1 | Security | 4688 | Process Create | A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Elevation Type: Elevation type of the process token (Type 1 = default token, no UAC split; Type 2 = elevated; Type 3 = limited)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Creator Process ID: Process ID of the parent process that created the new process
  • Subject > Logon ID: Logon session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • User: User who executed the tool
  • DestinationPort: Destination port number (389)
  • SourcePort: Source port number (high port)
2 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bound local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\[Path to Tool])
2 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\[Path to Tool])
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
3 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: User the process runs as
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (389)
3 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
4 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
4 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0 if successful)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Logon session ID of the user who executed the process
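The two Sysmon records above (Event ID 1 with the command line, Event ID 3 with the connection to 389/tcp) are only useful together: the command line shows what was queried, the network event confirms the tool actually reached the directory service. The following Python is an added example, not part of the JPCERT sheet, showing how to join the two records on ProcessGuid and report every 389/tcp client whose image is not on a small allowlist, including the case where the ProcessCreate record was never collected. The event records are constructed to mirror the field names in the table; the allowlist, tool paths and user names are assumptions.

```python
"""Join Sysmon Event ID 1 (ProcessCreate) with Event ID 3 (NetworkConnect) on ProcessGuid
and report LDAP (389/tcp) clients that are not expected directory clients.
Added example; sample events are constructed, the allowlist is an assumption."""

LDAP_PORT = 389

# Images expected to speak LDAP on a domain controller (assumption; tune per environment).
EXPECTED_LDAP_CLIENTS = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\mmc.exe",
}

# Constructed sample events (not observations from the sheet).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ProcessId": 4120, "Image": r"C:\Tools\adquery.exe",
     "CommandLine": r'C:\Tools\adquery.exe -filter "(&(objectCategory=person)(adminCount=1))" -attr sAMAccountName',
     "User": r"CORP\alice", "UtcTime": "2017-06-01 01:02:03.100"},
    {"EventID": 3, "ProcessGuid": "{A1}", "ProcessId": 4120, "Image": r"C:\Tools\adquery.exe",
     "Protocol": "tcp", "SourceIp": "10.0.0.10", "SourcePort": 49712,
     "DestinationIp": "10.0.0.10", "DestinationPort": 389, "UtcTime": "2017-06-01 01:02:03.400"},
    # Expected LDAP client: the Active Directory Users and Computers snap-in.
    {"EventID": 1, "ProcessGuid": "{B2}", "ProcessId": 5000, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" dsa.msc', "User": r"CORP\bob",
     "UtcTime": "2017-06-01 01:05:00.000"},
    {"EventID": 3, "ProcessGuid": "{B2}", "ProcessId": 5000, "Image": r"C:\Windows\System32\mmc.exe",
     "Protocol": "tcp", "SourceIp": "10.0.0.10", "SourcePort": 49801,
     "DestinationIp": "10.0.0.10", "DestinationPort": 389, "UtcTime": "2017-06-01 01:05:00.300"},
    # NetworkConnect whose ProcessCreate was never collected (process older than the Sysmon install).
    {"EventID": 3, "ProcessGuid": "{C3}", "ProcessId": 6100, "Image": r"C:\Users\Public\ldapenum.exe",
     "Protocol": "tcp", "SourceIp": "10.0.0.10", "SourcePort": 50012,
     "DestinationIp": "10.0.0.10", "DestinationPort": 389, "UtcTime": "2017-06-01 01:09:30.000"},
    # Unrelated SMB connection: wrong port, must not be reported.
    {"EventID": 3, "ProcessGuid": "{D4}", "ProcessId": 7000, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "SourceIp": "10.0.0.10", "SourcePort": 50100,
     "DestinationIp": "10.0.0.20", "DestinationPort": 445, "UtcTime": "2017-06-01 01:10:00.000"},
]


def extract_ldap_filter(cmdline):
    """Return the first balanced parenthesised group of a command line (the LDAP filter
    handed to the tool), or None when there is none or the group is unbalanced."""
    start = cmdline.find("(")
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(cmdline)):
        if cmdline[i] == "(":
            depth += 1
        elif cmdline[i] == ")":
            depth -= 1
            if depth == 0:
                return cmdline[start:i + 1]
    return None  # unbalanced: truncated or oddly quoted command line


def ldap_findings(events, expected=EXPECTED_LDAP_CLIENTS):
    """Every 389/tcp connection from an image outside the allowlist, enriched with the
    ProcessCreate record of the same ProcessGuid when one exists."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        if e["EventID"] != 3 or e.get("Protocol") != "tcp" or e.get("DestinationPort") != LDAP_PORT:
            continue
        if e["Image"].lower() in expected:
            continue
        create = creates.get(e["ProcessGuid"])
        cmdline = create["CommandLine"] if create else None  # unknown without Event ID 1
        findings.append({
            "ProcessGuid": e["ProcessGuid"],
            "Image": e["Image"],
            "Destination": "%s:%d" % (e["DestinationIp"], e["DestinationPort"]),
            "User": create["User"] if create else None,
            "CommandLine": cmdline,
            "LdapFilter": extract_ldap_filter(cmdline) if cmdline else None,
        })
    return findings


if __name__ == "__main__":
    for finding in ldap_findings(SAMPLE_EVENTS):
        print(finding)
```

A finding with an empty CommandLine is still a finding: the connection to the directory service is the fact, and the missing ProcessCreate only means the process predates the sensor or the Event ID 1 record was lost, which is worth a look in Prefetch and 4688 rather than a reason to discard it.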

- Remarks

--------------------------------------------------------------------------------
/details/klist-purge.htm:
--------------------------------------------------------------------------------

klist purge


- Tool Overview

Category: Deleting Evidence
Description: Deletes the Kerberos tickets cached for the logon session.
Example of Presumed Tool Use During an Attack: Used to remove from the host the Kerberos tickets that were used during an attack.

- Tool Operation Overview

Item | Description
OS | Windows
Belonging to Domain | Required
Rights | Standard user


- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)

Additional Settings
  • Host
    • Execution history (audit policy, Sysmon)


- Evidence That Can Be Confirmed When Execution is Successful


- Main Information Recorded at Execution


- Host


Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command (klist purge)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\klist.exe)
  • User: User who executed the tool
2 | Security | 4689 | Process Termination | A process has exited.
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\klist.exe)

- Details: Host


- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Working directory
  • CommandLine: Command line of the execution command (klist purge)
  • IntegrityLevel: Integrity level of the process (Medium)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User who executed the tool
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\klist.exe)
1 | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Mandatory Label: Integrity level of the process token
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Creator Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\klist.exe)
  • Process Information > Token Elevation Type: Elevation type of the process token (Type 1 observed)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Creator Process ID: Process ID of the parent process that created the new process
  • Subject > Logon ID: Logon session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\klist.exe)
2 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\klist.exe)
  • Subject > Logon ID: Logon session ID of the user who executed the process
3 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\KLIST.EXE-[RANDOM].pf)
  • Process Information > Process Name: Process that requested the handle (C:\Windows\System32\svchost.exe, the service host that writes the Prefetch file)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the handle
3 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\KLIST.EXE-[RANDOM].pf)
  • Access Request Information > Access: Access rights exercised
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the handle (the handle obtained in Event ID 4656)
3 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the handle (the handle obtained in Event ID 4656)

- USN Journal

# | File Name | Reason (USN) | Attribute
1 | KLIST.EXE-[RANDOM].pf | FILE_CREATE | archive+not_indexed
1 | KLIST.EXE-[RANDOM].pf | DATA_EXTEND+FILE_CREATE | archive+not_indexed
1 | KLIST.EXE-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE | archive+not_indexed

- MFT

# | Path | Header Flag | Validity
1 | [Drive Name]:\Windows\Prefetch\KLIST.EXE-[RANDOM].pf | FILE | ALLOCATED

- Prefetch

# | Prefetch File | Process Name | Process Path | Information That Can Be Confirmed
1 | C:\Windows\Prefetch\KLIST.EXE-[RANDOM].pf | KLIST.EXE | C:\WINDOWS\SYSTEM32\KLIST.EXE | Last Run Time (last execution date and time)
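Of the records in the tables above, only the Sysmon Event ID 1 CommandLine shows the "purge" argument; the Security 4688 field list carries the image path but not the arguments, so on a host without Sysmon a 4688 for klist.exe cannot be told apart from a harmless "klist" listing unless the "Include command line in process creation events" policy is enabled, which adds a Process Command Line field. The Python below is an added example, not part of the JPCERT sheet: it classifies process-creation records from either source, handles the purge of a specific logon session (the "-li" option), and returns an explicit "arguments unknown" verdict instead of a false negative. The records are constructed to mirror the field names in the tables; user names and process IDs are assumptions.

```python
"""Classify klist executions from process-creation records (Sysmon Event ID 1 and
Security 4688). Added example, not from the sheet; the records are constructed.
Assumption: 4688 carries a command line (ProcessCommandLine here) only when the
'Include command line in process creation events' policy is enabled."""
import ntpath
import re

KLIST_IMAGE = r"c:\windows\system32\klist.exe"
_ARGV0 = re.compile(r'^(?:"[^"]*"|\S+)\s*(.*)$')  # strips a quoted or bare argv[0]

# Constructed sample records (not from the sheet).
SAMPLE_RECORDS = [
    {"Log": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 3120,
     "Image": r"C:\Windows\System32\klist.exe", "CommandLine": "klist purge", "User": r"CORP\alice"},
    {"Log": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 3140,
     "Image": r"C:\Windows\System32\klist.exe", "CommandLine": "klist purge -li 0x3e7", "User": r"CORP\alice"},
    {"Log": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 3200,
     "Image": r"C:\Windows\System32\klist.exe", "CommandLine": "klist tickets", "User": r"CORP\bob"},
    # 4688 without command-line auditing: only the image is known.
    {"Log": "Security", "EventID": 4688, "NewProcessId": "0xc30",
     "NewProcessName": r"C:\Windows\System32\klist.exe",
     "SubjectUserName": "alice", "SubjectDomainName": "CORP"},
    # 4688 with command-line auditing enabled.
    {"Log": "Security", "EventID": 4688, "NewProcessId": "0xc38",
     "NewProcessName": r"C:\Windows\System32\klist.exe", "ProcessCommandLine": "klist purge",
     "SubjectUserName": "alice", "SubjectDomainName": "CORP"},
    {"Log": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 3300,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami", "User": r"CORP\bob"},
]


def _image_and_cmdline(record):
    """Normalise Sysmon 1 and Security 4688 to (image path, command line or None)."""
    if record["EventID"] == 1:
        return record["Image"], record.get("CommandLine")
    if record["EventID"] == 4688:
        return record["NewProcessName"], record.get("ProcessCommandLine")
    return None, None


def classify_klist(record):
    """None if the record is not a klist execution; otherwise a dict with 'verdict' in
    {'purge', 'purge-session', 'other', 'unknown-args'} and the LUID given to -li."""
    image, cmdline = _image_and_cmdline(record)
    if image is None or ntpath.normcase(image) != KLIST_IMAGE:
        return None
    if cmdline is None:
        # 4688 without command-line auditing: cannot tell 'klist purge' from 'klist'.
        return {"verdict": "unknown-args", "luid": None}
    args = _ARGV0.match(cmdline).group(1).split()
    if not args or args[0].lower() != "purge":
        return {"verdict": "other", "luid": None}
    lowered = [a.lower() for a in args]
    luid = None
    if "-li" in lowered and lowered.index("-li") + 1 < len(args):
        luid = args[lowered.index("-li") + 1]  # purge aimed at another logon session
    return {"verdict": "purge-session" if luid else "purge", "luid": luid}


def purge_verdicts(records):
    """Verdict for every klist record in an exported log, in input order."""
    return [c["verdict"] for c in map(classify_klist, records) if c is not None]


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, map(classify_klist, SAMPLE_RECORDS)):
        print(record["EventID"], verdict)
```

The "unknown-args" verdict is the one to act on when tuning: if it dominates, the host is producing 4688 without command lines and the Prefetch last-run time is the only corroboration left on the box.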
--------------------------------------------------------------------------------
/details/ldifde.htm:
--------------------------------------------------------------------------------

ldifde


- Tool Overview

Category: Information Collection
Description: Exports account information from Active Directory in LDIF format.
Example of Presumed Tool Use During an Attack: Used to collect information from Active Directory and select the users and hosts that can serve as attack targets.

- Tool Operation Overview

Item | Description
OS | Windows Server
Belonging to Domain | Not required
Rights | Standard user
Communication Protocol | 389/tcp
Service | Active Directory Domain Services


- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)

Additional Settings
  • Host
    • An LDIF file containing account information is created (audit policy, Sysmon, USN Journal)


- Evidence That Can Be Confirmed When Execution is Successful


- Main Information Recorded at Execution


- Domain Controller


Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • Image: Path to the executable file (path to the tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • CommandLine: Command line of the execution command (path to the tool; the "-f" option gives the output file name, and if a filter was used, the filter conditions can also be identified)
  • User: User who executed the tool
2 | Security | 4663 | File System | An attempt was made to access an object.
  • Access Request Information > Access: Requested access rights (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Process that accessed the object (path to the tool)
  • Object > Object Name: Target file name (the LDIF file specified with the "-f" option at tool execution)

USN journal

# | File Name | Reason (USN)
1 | [LDIF file specified with the "-f" option at tool execution] | FILE_CREATE


- Details: Domain Controller


- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • Image: Path to the executable file (path to the tool)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User who executed the tool
  • Hashes: Hash value of the executable file
  • CommandLine: Command line of the execution command (path to the tool; the "-f" option gives the output file name, and if a filter was used, the filter conditions can also be identified)
1 | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Mandatory Label: Integrity level of the process token
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Creator Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file
  • Process Information > Token Elevation Type: Elevation type of the process token (Type 1 observed)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Creator Process ID: Process ID of the parent process that created the new process
  • Subject > Logon ID: Logon session ID of the user who executed the process
2 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bound local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the tool)
2 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Port: Source port number (389)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Direction: Communication direction (outbound)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the tool)
3 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Port: Source port number (389)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Direction: Communication direction (inbound)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
3 | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the accessing process
  • TargetImage: Path of the accessed process (path to the tool)
  • TargetProcessGUID/TargetProcessId: Process ID of the accessed process
  • SourceImage: Path of the accessing process (C:\Windows\system32\lsass.exe)
  • GrantedAccess: Access rights granted (0x1478)
4 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (the LDIF file specified with the "-f" option at tool execution)
  • Process Information > Process Name: Process that requested the handle (path to the tool)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the handle
4 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (the LDIF file specified with the "-f" option at tool execution)
  • Access Request Information > Access: Access rights exercised (WriteData or AddFile, AppendData)
  • Process Information > Process Name: Process that accessed the object (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the handle (the handle obtained in the immediately preceding Event ID 4656)
4 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Process that closed the handle (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the handle (the handle obtained in the immediately preceding Event ID 4656)
4 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (the LDIF file specified with the "-f" option at tool execution)
  • CreationUtcTime: File creation date and time (UTC)
5 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Process Information > Process Name: Path to the executable file (path to the tool)
5 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)

- USN Journal

# | File Name | Reason (USN) | Attribute
1 | [LDIF file specified with the "-f" option at tool execution] | FILE_CREATE | archive
1 | [LDIF file specified with the "-f" option at tool execution] | DATA_EXTEND+FILE_CREATE | archive
1 | [LDIF file specified with the "-f" option at tool execution] | CLOSE+DATA_EXTEND+FILE_CREATE | archive

- MFT

# | Path | Header Flag | Validity
1 | [LDIF file specified with the "-f" option at tool execution] | FILE | ALLOCATED

396 |

- Remarks

--------------------------------------------------------------------------------
/details/lslsass.htm:
--------------------------------------------------------------------------------

lslsass


- Tool Overview

Category: Password and Hash Dump
Description: Acquires the password hashes of active logon sessions from the lsass process.
Example of Presumed Tool Use During an Attack: The acquired password hash is used to log on to a remote host.

- Tool Operation Overview

Item | Description
OS | Windows 7 32bit
Belonging to Domain | Not required
Rights | Administrator


- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)

Additional Settings
  • Host
    • Execution history (audit policy, Sysmon)
    • Access history to lsass.exe (Sysmon)


- Evidence That Can Be Confirmed When Execution is Successful


- Main Information Recorded at Execution


- Host


Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file name of the tool)
  • User: User who executed the tool
2 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value ("0x0" if successful)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (executable file name of the tool)
  • Subject > Logon ID: Logon session ID of the user who executed the process
3 | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the accessing process
  • TargetProcessGUID/TargetProcessId: Process ID of the accessed process
  • GrantedAccess: Access rights granted (0x1438)
  • SourceImage: Path of the accessing process (executable file name of the tool)
  • TargetImage: Path of the accessed process (C:\Windows\system32\lsass.exe)

USN journal

# | File Name | Reason (USN)
1 | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE

MFT

# | Path | Header Flag | Validity
1 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED

Prefetch

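The Sysmon Event ID 10 record above is the one that separates a credential dump from ordinary process housekeeping, and the GrantedAccess mask is what carries that distinction: 0x1438 (the value the sheet reports for lslsass opening lsass.exe) includes PROCESS_VM_READ, the right needed to read credential material out of lsass memory. The Python below is an added example, not part of the JPCERT sheet, that decodes the mask into the standard process access rights and flags a ProcessAccess record only when the target is lsass.exe, PROCESS_VM_READ is present and the source is not an allowlisted system process; it also shows why the 0x1478 access in the ldifde section is not a dump (there lsass is the source, not the target). The sample records are constructed around the two masks the sheet reports; the allowlist and the tool paths are assumptions.

```python
"""Decode Sysmon Event ID 10 (ProcessAccess) GrantedAccess and flag handles to lsass.exe
that carry memory-read rights. Added example, not from the sheet; sample records are
constructed and the allowlist is an assumption."""
import ntpath

# Process access rights as defined in winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
DUMP_RIGHTS = 0x0010  # PROCESS_VM_READ: enough to read credential material from lsass

# Sources that open lsass with read rights as part of normal operation (assumption).
ALLOWED_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed sample records (not from the sheet), built around the masks the sheet reports.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Tools\lslsass.exe", "SourceProcessId": 2200,
     "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": 496, "GrantedAccess": "0x1438"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\lsass.exe", "SourceProcessId": 496,
     "TargetImage": r"C:\Windows\System32\ldifde.exe", "TargetProcessId": 3012, "GrantedAccess": "0x1478"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 400,
     "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": 496, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "SourceProcessId": 5100,
     "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": 496, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Temp\pd.exe", "SourceProcessId": 6200,
     "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": 496, "GrantedAccess": "0x1FFFFF"},
]


def _mask(value):
    return int(value, 16) if isinstance(value, str) else int(value)


def decode_access(mask):
    """Set of right names present in a GrantedAccess mask (int or '0x...' string)."""
    mask = _mask(mask)
    return {name for bit, name in PROCESS_RIGHTS.items() if mask & bit}


def is_lsass_dump_access(event, allowed=ALLOWED_LSASS_READERS):
    """True when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    if event["EventID"] != 10:
        return False
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return False  # lsass as the *source* (e.g. 0x1478 towards ldifde) is not a dump
    if not _mask(event["GrantedAccess"]) & DUMP_RIGHTS:
        return False  # query-only handles (Task Manager style) do not read memory
    return ntpath.normcase(event["SourceImage"]) not in allowed


def lsass_dump_findings(events):
    """SourceImage of every record that looks like a read of lsass memory, in input order."""
    return [e["SourceImage"] for e in events if is_lsass_dump_access(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["SourceImage"], sorted(decode_access(e["GrantedAccess"])), is_lsass_dump_access(e))
```

Matching on the exact value 0x1438 would catch lslsass and nothing else; decoding the mask and keying on PROCESS_VM_READ covers any tool that asks for more, which is why the full-access 0x1FFFFF from a tool in a temp directory is reported while the same mask from csrss.exe is not.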
183 |
184 |
185 |

- Details: Host

186 |
187 |

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User the process was executed as
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (executable file name of the tool)
  | Security | 4688 | Process Create | A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (executable file name of the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1438)
  • SourceImage: Path to the access source process (executable file name of the tool)
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
3 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file name of the tool)
  | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value ("0x0" if successful)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (executable file name of the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
4 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (executable file name of the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
  | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with the immediately preceding Event ID 4656)
  | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with the immediately preceding Event ID 4656)

- USN Journal

| # | File Name | Process | Attribute |
|---|---|---|---|
| 1 | [Executable File Name of Tool]-[RANDOM].pf | FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | DATA_EXTEND+FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE | archive+not_indexed |

- MFT

| # | Path | Header Flag | Validity |
|---|---|---|---|
| 1 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED |

- Prefetch

| # | Prefetch File | Process Name | Process Path | Information That Can Be Confirmed |
|---|---|---|---|---|
| 1 | C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | Executable file name of the tool | \VOLUME{[GUID]}\[Path to the Tool] | Last Run Time (last execution date and time) |
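The key record in the tables above is Sysmon Event ID 10 with GrantedAccess 0x1438 against C:\Windows\system32\lsass.exe, which can be joined to the Event ID 1 record of the accessing process through SourceProcessGUID. The following Python is an added example, not part of the JPCERT sheet; the sample events, GUIDs, user and tool path in it are constructed, and the access-right names come from winnt.h.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records that open lsass.exe with
memory-read rights and join them to the Event ID 1 (ProcessCreate) record of
the accessing process, following the fields listed in the sheet's Details table.

Added example, not part of the JPCERT Tool Analysis Result Sheet. The sample
events are constructed; field names follow the Sysmon fields named on the page
(SourceProcessGUID, SourceImage, TargetImage, GrantedAccess, ProcessGuid, ...).
"""
from typing import Dict, List

# winnt.h process access rights; together they form the 0x1438 mask recorded on the page.
PROCESS_RIGHTS = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
LSASS_PATH = r"c:\windows\system32\lsass.exe"


def decode_access(mask: int) -> List[str]:
    """Return the named rights present in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def flag_lsass_access(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per Event ID 10 whose TargetImage is lsass.exe and whose
    GrantedAccess includes PROCESS_VM_READ (reading credential material out of
    lsass needs it; a bare PROCESS_QUERY_LIMITED_INFORMATION query does not).
    Each finding is enriched with the source process's Event ID 1 fields by
    joining SourceProcessGUID to ProcessGuid."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 10 or e["TargetImage"].lower() != LSASS_PATH:
            continue
        mask = int(e["GrantedAccess"], 16)
        if not mask & 0x0010:
            continue  # no PROCESS_VM_READ: cannot read lsass memory
        src = creates.get(e["SourceProcessGUID"], {})
        findings.append({
            "UtcTime": e["UtcTime"],
            "SourceImage": e["SourceImage"],
            "GrantedAccess": e["GrantedAccess"],
            "Rights": decode_access(mask),
            "CommandLine": src.get("CommandLine", "<no matching Event ID 1>"),
            "User": src.get("User", "<unknown>"),
            "Hashes": src.get("Hashes", "<unknown>"),
        })
    return findings


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2017-06-01 10:00:00.000", "ProcessGuid": "{GUID-TOOL}",
     "Image": r"C:\Users\victim\Desktop\tool.exe", "CommandLine": '"tool.exe" lsadump::sam',
     "User": r"EXAMPLE\victim", "Hashes": "SHA256=<constructed>"},
    # The tool opens lsass with the 0x1438 mask the sheet records.
    {"EventID": 10, "UtcTime": "2017-06-01 10:00:01.000", "SourceProcessGUID": "{GUID-TOOL}",
     "SourceImage": r"C:\Users\victim\Desktop\tool.exe", "GrantedAccess": "0x1438",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
    # Benign: Task Manager only queries limited information about lsass.
    {"EventID": 10, "UtcTime": "2017-06-01 10:00:02.000", "SourceProcessGUID": "{GUID-TASKMGR}",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "GrantedAccess": "0x1000",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
    # Benign: the same mask against a process other than lsass.
    {"EventID": 10, "UtcTime": "2017-06-01 10:00:03.000", "SourceProcessGUID": "{GUID-TOOL}",
     "SourceImage": r"C:\Users\victim\Desktop\tool.exe", "GrantedAccess": "0x1438",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for f in flag_lsass_access(SAMPLE_EVENTS):
        print(f"{f['UtcTime']} {f['User']} {f['SourceImage']} -> lsass.exe "
              f"GrantedAccess={f['GrantedAccess']} ({', '.join(f['Rights'])})")
        print(f"    CommandLine: {f['CommandLine']}")
```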
--------------------------------------------------------------------------------
/details/timestomp.htm:
--------------------------------------------------------------------------------

timestomp


- Tool Overview

Category: Deleting Evidence

Description: Changes the file timestamp.

Example of Presumed Tool Use During an Attack: By restoring the timestamp of a file that was changed as a result of the attacker's access, the tool conceals that access to the file.

- Tool Operation Overview

| Item | Description |
|---|---|
| OS | Windows |
| Belonging to Domain | Not required |
| Rights | Administrator |

- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)

Additional Settings
  • Host
    • A record that the file creation date was changed (Sysmon)
    • Execution history (audit policy, Sysmon)

- Evidence That Can Be Confirmed When Execution is Successful


- Main Information Recorded at Execution


- Host


Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command (the options contain the timestamp items that were changed and the values after the change)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file name of the tool)
  • User: User the process was executed as
2 | Security | 4663 | File System | An attempt was made to access an object.
  • Audit Success: Success or failure (Access successful). If successful, the timestamp was changed.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Handle ID: ID of the relevant handle (Handle ID requested in the preceding Event ID 4656)
  • Object > Object Name: Target file name (file whose timestamp was changed)
3 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (SYNCHRONIZE, ReadAttributes, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (file whose timestamp was changed)
4 | Microsoft-Windows-Sysmon/Operational | 2 | File creation time changed (rule: FileCreateTime) | File creation time changed.
  • UtcTime: Date and time the change occurred (UTC)
  • TargetFilename: Name of the file changed
  • PreviousCreationUtcTime: Old timestamp (UTC)
  • CreationUtcTime: New timestamp (UTC)

USN journal

| # | File Name | Process |
|---|---|---|
| 1 | [File to be Changed] | BASIC_INFO_CHANGE+CLOSE |
| 2 | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE |

Prefetch


- Details: Host


- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CommandLine: Command line of the execution command (the options contain the timestamp items that were changed and the values after the change)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User the process was executed as
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (executable file name of the tool)
  | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process (recorded on Windows 10 only)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (executable file name of the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  | Security | 4663 | File System | An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID requested in the preceding Event ID 4656)
  | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
3 | Microsoft-Windows-Sysmon/Operational | 2 | File creation time changed (rule: FileCreateTime) | File creation time changed.
  • UtcTime: Date and time the change occurred (UTC)
  • TargetFilename: Name of the file changed
  • PreviousCreationUtcTime: Old timestamp (UTC)
  • CreationUtcTime: New timestamp (UTC)
  | Microsoft-Windows-Sysmon/Operational | 9 | RawAccessRead detected (rule: RawAccessRead) | RawAccessRead detected.
  • Device: Name of the device that has the target file
  • Image: Path to the executable file (executable file name of the tool)
  | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (SYNCHRONIZE, ReadAttributes, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  • Object > Object Name: Target file name (file whose timestamp was changed)
  | Security | 4663 | File System | An attempt was made to access an object.
  • Audit Success: Success or failure (Access successful). If successful, the timestamp was changed.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Handle ID: ID of the relevant handle (Handle ID requested in the preceding Event ID 4656)
  • Object > Object Name: Target file name (file whose timestamp was changed)
  | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process Name: Name of the process that requested the object (executable file name of the tool)
  • Object > Handle ID: ID of the relevant handle (Handle ID requested in the preceding Event ID 4656)
4 | Security | 4689 | Process Termination | A process has exited.
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value
  • Process Information > Process Name: Path to the executable file (executable file name of the tool)
  | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (executable file name of the tool)

- USN Journal

| # | File Name | Process | Attribute |
|---|---|---|---|
| 1 | [File to be Changed] | BASIC_INFO_CHANGE | archive |
|   | [File to be Changed] | BASIC_INFO_CHANGE+CLOSE | archive |
| 2 | [Executable File Name of Tool]-[RANDOM].pf | FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | DATA_EXTEND+FILE_CREATE | archive+not_indexed |
|   | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE | archive+not_indexed |

- MFT

| # | Path | Header Flag | Validity |
|---|---|---|---|
| 1 | [File to be Changed] | FILE | ALLOCATED (Although the timestamp will change, other information will remain unchanged.) |
| 2 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED |
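The Details table above describes the trail a timestamp change leaves: a Security 4656 handle request with WriteAttributes, a 4663 with Audit Success on the same Handle ID, a 4658 when the handle closes, and Sysmon Event ID 2 carrying PreviousCreationUtcTime and CreationUtcTime. The following Python is an added example, not part of the JPCERT sheet; it joins those records by Handle ID and file name, and its sample events, paths, user and handle values are constructed.

```python
"""Reconstruct the timestomp trail the sheet describes: Security 4656 (handle
requested with WriteAttributes) -> 4663 (WriteAttributes, Audit Success) ->
4658 (handle closed), joined on Handle ID, plus Sysmon Event ID 2
(FileCreateTime) for the creation time before and after the change.

Added example, not part of the JPCERT Tool Analysis Result Sheet. Events are
constructed dicts whose keys follow the field names on the page; the access
mask bits are the winnt.h file access rights.
"""
from datetime import datetime
from typing import Dict, List, Optional

FILE_READ_ATTRIBUTES = 0x0080   # "ReadAttributes" in the event text
FILE_WRITE_ATTRIBUTES = 0x0100  # "WriteAttributes"


def has_write_attributes(access_mask: str) -> bool:
    """True if a 4656/4663 Access Mask (hex string) includes WriteAttributes."""
    return bool(int(access_mask, 16) & FILE_WRITE_ATTRIBUTES)


def parse_utc(ts: str) -> datetime:
    """Sysmon UtcTime / CreationUtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def timestomp_findings(security: List[Dict[str, str]],
                       sysmon: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per Sysmon Event ID 2, marked backdated when the new creation
    time is earlier than the old one, and audit_confirmed when a 4656 -> 4663
    chain with WriteAttributes on the same file succeeded."""
    # 4656: handles requested with WriteAttributes, keyed by Handle ID.
    opened = {e["HandleId"]: e for e in security
              if e["EventID"] == 4656 and has_write_attributes(e["AccessMask"])}
    # 4663 with Audit Success on one of those handles: the attribute write happened.
    confirmed: Dict[str, Dict[str, str]] = {}
    for e in security:
        if (e["EventID"] == 4663 and e["Keywords"] == "Audit Success"
                and has_write_attributes(e["AccessMask"]) and e["HandleId"] in opened):
            confirmed[e["ObjectName"].lower()] = opened[e["HandleId"]]
    closed = {e["HandleId"] for e in security if e["EventID"] == 4658}

    findings = []
    for s in sysmon:
        if s["EventID"] != 2:
            continue
        req: Optional[Dict[str, str]] = confirmed.get(s["TargetFilename"].lower())
        old = parse_utc(s["PreviousCreationUtcTime"])
        new = parse_utc(s["CreationUtcTime"])
        findings.append({
            "file": s["TargetFilename"],
            "changed_utc": s["UtcTime"],
            "previous_creation_utc": s["PreviousCreationUtcTime"],
            "new_creation_utc": s["CreationUtcTime"],
            "backdated": new < old,  # the pattern used to hide recent access
            "audit_confirmed": req is not None,
            "process": req["ProcessName"] if req else "<no audit record>",
            "user": f'{req["AccountDomain"]}\\{req["AccountName"]}' if req else "<unknown>",
            "handle_closed": (req["HandleId"] in closed) if req else None,
        })
    return findings


# Constructed sample records (not captured from a real host).
DOC = r"C:\Users\victim\Documents\report.docx"
TOOL = r"C:\Users\victim\Desktop\timestomp.exe"
SAMPLE_SECURITY = [
    {"EventID": 4656, "HandleId": "0x3a4", "ObjectName": DOC, "AccessMask": "0x100180",
     "ProcessName": TOOL, "AccountName": "victim", "AccountDomain": "EXAMPLE", "Keywords": "Audit Success"},
    {"EventID": 4663, "HandleId": "0x3a4", "ObjectName": DOC, "AccessMask": "0x100",
     "ProcessName": TOOL, "AccountName": "victim", "AccountDomain": "EXAMPLE", "Keywords": "Audit Success"},
    {"EventID": 4658, "HandleId": "0x3a4", "ProcessName": TOOL},
    # Benign: Explorer reads attributes only (SYNCHRONIZE | ReadAttributes).
    {"EventID": 4656, "HandleId": "0x3b0", "ObjectName": r"C:\Users\victim\Documents\notes.txt",
     "AccessMask": "0x100080", "ProcessName": r"C:\Windows\explorer.exe", "AccountName": "victim",
     "AccountDomain": "EXAMPLE", "Keywords": "Audit Success"},
]
SAMPLE_SYSMON = [
    {"EventID": 2, "UtcTime": "2017-06-01 12:00:05.000", "TargetFilename": DOC,
     "PreviousCreationUtcTime": "2017-05-30 09:15:00.000", "CreationUtcTime": "2015-01-10 08:00:00.000"},
    # A file whose creation time moved forward, outside any audited directory.
    {"EventID": 2, "UtcTime": "2017-06-01 12:30:00.000", "TargetFilename": r"C:\Temp\build.log",
     "PreviousCreationUtcTime": "2017-05-01 00:00:00.000", "CreationUtcTime": "2017-06-01 12:30:00.000"},
]

if __name__ == "__main__":
    for f in timestomp_findings(SAMPLE_SECURITY, SAMPLE_SYSMON):
        print(f"{f['changed_utc']} {f['file']}: {f['previous_creation_utc']} -> {f['new_creation_utc']} "
              f"backdated={f['backdated']} audit_confirmed={f['audit_confirmed']} "
              f"process={f['process']} user={f['user']}")
```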
--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------

Tool Analysis Result Sheet

--------------------------------------------------------------------------------
/overview.html:
--------------------------------------------------------------------------------

About this site


This site summarizes the results of examining logs recorded in Windows upon execution of the 49 tools that an attacker who has infiltrated a network is likely to use. The following logs were examined. Note that traces of tool execution were confirmed to be most likely left in event logs; accordingly, examination of event logs is the main focus here.


A report that outlines this research and how to use it is published below. When using the Tool Analysis Result Sheet, we recommend checking the report.


Detecting Lateral Movement through Tracking Event Logs (Version 2)


About Sheet Items


The analysis results for each tool are described in a table format. The content described for each item is explained as follows.

| Item | Content |
|---|---|
| Tool Overview | An explanation of the tool and an example of presumed tool use during an attack are described. |
| Tool Operation Overview | Privileges for using the tool, communication protocol, and related services are described. |
| Information Acquired from Log | An overview of logs acquired at tool execution with the default settings (standard settings) as well as when an audit policy is set or Sysmon is installed is described. |
| Evidence That Can Be Confirmed when Execution is Successful | The method to confirm successful execution of the tool. |
| Main Information Recorded at Execution | Important information that can be used for the investigation of records in the targeted event logs, registry, USN Journal, MFT, and so on. |
| Details | All logs to be recorded, except ones included in "Details", are described. |
| Remarks | Any logs that may be additionally recorded and items confirmed during verification are described. |

Notes


Note that a sufficient amount of event logs cannot be acquired with the default Windows settings. In this research, logs recorded with the following settings were examined.


For instructions on how to enable the audit policy and install Sysmon, see the report.

--------------------------------------------------------------------------------
/tool-list.html:
--------------------------------------------------------------------------------

Tool List

| Category | Tool | Details |
|---|---|---|
| Command Execution | PsExec | Executes a command on a remote host. |
| | wmic | Used for Windows system management. |
| | schtasks | Executes a task at the specified time. |
| | wmiexec.vbs | Used for Windows system management. |
| | BeginX | Executes a command from a client to the server. |
| | WinRM | Steals information from a remote host. |
| | WinRS | Executes a command on a remote host. |
| | BITS | Sends and receives files in background. |
| Password and Hash Dump | PWDump7 | Displays a list of password hashes in the host. |
| | PWDumpX | Acquires a password hash from a remote host. |
| | Quarks PwDump | Acquires the password hashes of domain and local accounts as well as cached passwords. |
| | Mimikatz (Password and Hash Dump lsadump::sam) | Steals authentication information stored in the OS. |
| | Mimikatz (Password and Hash Dump sekurlsa::logonpasswords) | Steals authentication information stored in the OS. |
| | Mimikatz (Ticket Acquisition sekurlsa::tickets) | Acquires tickets for logged-on sessions. |
| | WCE | Acquires a password hash in the memory of a host. |
| | gsecdump | Extracts a password hash from SAM/AD or logon sessions. |
| | lslsass | Acquires a password hash of active logon sessions from the lsass process. |
| | AceHash | Acquires the password hash value and logs on to the host. |
| | Find-GPOPasswords.ps1 | Acquires passwords written in a group policy file. |
| | Get-GPPPassword (PowerSploit) | Acquires plaintext passwords and other account information written in the group policy. |
| | Invoke-Mimikatz (PowerSploit) | Loads Mimikatz into memory and starts it up. |
| | Out-Minidump (PowerSploit) | Dumps a process into memory. |
| | PowerMemory (RWMC Tool) | Acquires authentication information existing in files and memory. |
| | WebBrowserPassView | Extracts user names and passwords saved in the web browser. |
| Malicious Communication Relay | Htran | Bypasses communications. |
| | Fake wpad | Acquires and changes communication contents from the client by operating as the wpad server. |
| Remote Login | RDP | Connects to a server on which Remote Desktop Service (RDS) is running. |
| Remote Login (Pass-the-hash, Pass-the-ticket) | WCE (Remote Login) | Executes a command from a remote host using the acquired password hash. |
| | Mimikatz (Remote Login) | Executes a command from a remote host using the acquired password hash. |
| Escalation to SYSTEM Privilege | MS14-058 Exploit | Executes a specified executable file with SYSTEM privileges. |
| | MS15-078 Exploit | Executes a specified executable file with SYSTEM privileges. |
| | SDB UAC Bypass | Uses Application Compatibility Database (SDB) to execute applications that are controlled by User Account Control (UAC) as a user with administrator privileges. |
| Capturing Domain Administrator Rights Account | MS14-068 Exploit | Changes the privileges of the domain user to domain administrator privileges. |
| | Golden Ticket (Mimikatz) | Forges Kerberos authentication tickets and connects to a remote host. |
| | Silver Ticket (Mimikatz) | Forges Kerberos authentication tickets and connects to a remote host. |
| Information Collection | ntdsutil | Used to maintain Active Directory databases. |
| | vssadmin | Creates Volume Shadow Copy and extracts NTDS.DIT, registries, and other system files. |
| | csvde | Outputs account information on the Active Directory in CSV format. |
| | ldifde | Outputs account information on the Active Directory in LDIF format. |
| | dsquery | Acquires information, such as users and groups, from the Active Directory. |
| | dcdiag | Analyzes and examines the status of the Domain Controller. |
| | nltest | Acquires the Domain Controller used and its IP address. |
| | nmap | Used for network investigation. |
| Adding or Deleting Local User and Group | net user | Adds a user account in a host or domain. |
| File Sharing | net use | Connects to shared folders that are publicly available on the network. |
| Deleting Evidence | sdelete | Deletes a file after overwriting it several times. |
| | timestomp | Changes the file timestamp. |
| | klist purge | Deletes saved Kerberos tickets. |
| | wevtutil | Deletes Windows event logs. |