ELK Threat Hunting: Timestomping, Meterpreter, WMI & Credential Harvesting
Threat hunting exercise using ELK/Kibana to detect timestomping (T1099), Meterpreter process migration (T1055), WMI abuse (T1021), xp_cmdshell execution, browser credential harvesting (T1081), and RottenPotato privilege escalation (T1134).
General Approach
Before diving into each hunt, the following methodology was applied across all tasks:
- MITRE ATT&CK Research – Reviewed the relevant technique documentation and mapped expected log artifacts.
- OSINT – Gathered public detection guidance and indicators for each technique.
- Field Familiarization – Performed a general log review to identify available fields and naming conventions. Key fields used throughout:
  - `@timestamp`
  - `timestamp`
  - `Event.created`
  - `winlog.event_data.UtcTime`
  - `winlog.event_data.OldTime`
  - `winlog.event_data.NewTime`
  - `winlog.event_data.CommandLine`
  - `winlog.event_data.ParentProcessName`
  - `winlog.event_data.ProcessId`
The “Available Fields” panel in Kibana was used to confirm field names before building queries.
Task 1 – Timestomping MACE Attributes (T1099)
Timeline: 01/04/2019 – 15/05/2019
| Attribute | Value |
|---|---|
| Tactic | Defense Evasion |
| Technique | T1099 – Timestomping (Altering file timestamps / MACE attributes) |
| Investigation Focus | Time modification events, timestamp variances, registry entry modification |
Hunt Queries and Findings
Query 1 – Search for time-related deletion or modification events:
```
"*time*" AND ("*deleted*" OR "mod*" OR "change*")
```
Result at May 14, 2019 @ 22:35:34.020: Identified an unusual encoded PowerShell string that resulted in a timezone change on the host.
Query 2 – Search for timestamp deletion events:
```
"*timestamp" AND "*deleted*"
```
Result at May 14, 2019 @ 23:14:58.748: A registry object was deleted, indicating potential evidence tampering.
Query 3 – Search for direct MACE attribute manipulation:
```
"CreationTime" OR "LastAccessTime" OR "LastWriteTime"
```
Result at May 14, 2019 @ 22:42:12.958: With SYSTEM-level privileges, an attacker can directly modify CreationTime, LastAccessTime, and LastWriteTime attributes. An unusual registry value name and encoded PowerShell command were observed.
Query 4 – Search for registry timestamp key modifications:
```
"Registry value*" AND *Registry* AND winlog.event_data.TargetObject:"*Timestamp*"
```
Result: Found an unusual timestamp registry key modification performed by taskhostw.exe.
Query 5 – Pivot on the suspicious process:
```
winlog.event_data.ProcessId: 5360
```
Result: taskhostw.exe was found accessing certificate keys, CRLs, and CTLs – potential certificate-based evasion activity.
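The hunt above pivoted on time-related events carrying the `OldTime`/`NewTime` fields listed in the field inventory. The following triage logic is an added example, not the hunt's own tooling: it reads those two fields from a Winlogbeat-style document (nested or flattened), flags a clock change made by a process other than the expected time-service host, and flags any change larger than a small drift threshold. The `ProcessName` field, the `svchost.exe` allowlist and the five-minute threshold are assumptions; the sample documents are constructed.

```python
"""Triage of system-time change events for the Task 1 hunt (added example)."""
from datetime import datetime, timedelta

# Processes expected to adjust the clock: the Windows Time service runs inside
# svchost.exe. Assumption: match on the image basename only.
EXPECTED_TIME_SETTERS = {"svchost.exe"}


def field(doc, dotted):
    """Read a dotted Kibana field name from an Elasticsearch document.

    Works for nested documents ({"winlog": {"event_data": {...}}}) and for
    flattened ones ({"winlog.event_data.OldTime": ...}).
    """
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value):
    """Parse the ISO-8601 timestamps Winlogbeat emits (trailing Z allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_time_change(doc, max_drift=timedelta(minutes=5)):
    """Return findings for one time-change event; an empty list means benign."""
    old = field(doc, "winlog.event_data.OldTime")
    new = field(doc, "winlog.event_data.NewTime")
    if old is None or new is None:
        return []
    delta = parse_ts(new) - parse_ts(old)
    image = (field(doc, "winlog.event_data.ProcessName") or "").rsplit("\\", 1)[-1].lower()
    findings = []
    if image not in EXPECTED_TIME_SETTERS:
        findings.append(f"clock set by unexpected process {image or '<unknown>'}")
    if abs(delta) > max_drift:
        direction = "backwards" if delta < timedelta(0) else "forwards"
        findings.append(f"clock moved {direction} by {abs(delta)}")
    return findings


# Constructed sample documents; values are illustrative, not from the hunt data.
SAMPLE_EVENTS = [
    {   # routine NTP correction: sub-second drift by the expected process -> benign
        "@timestamp": "2019-05-14T22:30:00.000Z",
        "winlog": {"event_data": {
            "OldTime": "2019-05-14T22:30:00.120Z",
            "NewTime": "2019-05-14T22:30:00.350Z",
            "ProcessName": r"C:\Windows\System32\svchost.exe"}}},
    {   # powershell.exe pushing the clock back a week -> both findings fire
        "@timestamp": "2019-05-14T22:35:34.020Z",
        "winlog.event_data.OldTime": "2019-05-14T22:35:34.020Z",
        "winlog.event_data.NewTime": "2019-05-07T22:35:34.020Z",
        "winlog.event_data.ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return [(timestamp, findings), ...] for every event."""
    return [(field(e, "@timestamp"), triage_time_change(e)) for e in events]


if __name__ == "__main__":
    for ts, findings in run():
        print(ts, findings or "benign")
```

The `field` helper matters in practice because documents exported from Kibana (Discover → JSON) arrive nested while many SIEM pipelines hand you flattened keys; a detector that assumes one shape silently returns nothing on the other.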
Task 2 – Meterpreter Migrate Command (T1055)
| Attribute | Value |
|---|---|
| Tactic | Defense Evasion / Privilege Escalation |
| Technique | T1055 – Process Injection (Meterpreter migrate to explorer.exe) |
| Investigation Focus | Process injection, process migration, Process Creation Event ID 4688 |
Hunt Queries and Findings
Query 1 – Search for explorer.exe spawning cmd with encoded commands:
```
winlog.event_data.ParentProcessName:*explorer.exe* AND event.code:4688 AND winlog.event_data.CommandLine:*cmd*
```
Result at May 18, 2019 @ 21:11:16.978: explorer.exe executed an encoded command that launched PowerShell with the flags `-noP`, `-sta`, `-w 1` – a signature consistent with Meterpreter payloads.
Query 2 – Pivot on the spawned process:
```
winlog.event_data.ProcessId: 0xd14
```
Results at May 18, 2019 @ 21:11:16.981 -- 21:11:55.272: The parent process explorer.exe spawned an unusual child process. Further investigation revealed:
- Abnormal permission assignments
- Built-in Users group exploitation
- Unusual DLL loading behavior
- Port enumeration activity
- Internal network connections
These artifacts are consistent with a Meterpreter session that migrated into explorer.exe and then performed post-exploitation reconnaissance.
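Two details of this hunt are worth automating: recognising the `-noP -sta -w 1 -enc` switch pattern in a 4688 command line (and decoding the payload so the analyst can read it) and converting the hex process ID that 4688 logs (`0xd14`) into the decimal form Sysmon uses, so the pivot in Query 2 works across both sources. The script below is an added example, not the hunt's own tooling; the switch table, the "three or more stager switches under explorer.exe" rule and the sample event (with a harmless `Write-Host` payload) are constructed assumptions.

```python
"""Triage of 4688 process-creation events for the Task 2 hunt (added example)."""
import base64
import re

# PowerShell switch spellings (case-insensitive; PowerShell accepts prefixes)
# mapped to canonical names. Assumption: this is the set worth scoring.
STAGER_SWITCHES = {
    "-nop": "NoProfile", "-noprofile": "NoProfile",
    "-sta": "STA",
    "-w": "WindowStyle", "-win": "WindowStyle", "-windowstyle": "WindowStyle",
    "-e": "EncodedCommand", "-ec": "EncodedCommand", "-enc": "EncodedCommand",
    "-encodedcommand": "EncodedCommand",
    "-noni": "NonInteractive", "-noninteractive": "NonInteractive",
    "-ep": "ExecutionPolicy", "-exec": "ExecutionPolicy", "-executionpolicy": "ExecutionPolicy",
}

TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping quoted paths whole (quotes stripped)."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def decode_encoded_command(token):
    """-EncodedCommand payloads are base64 over UTF-16LE; return None if not."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalise_pid(value):
    """4688 logs process IDs in hex (0xd14); Sysmon logs decimal. Return an int for both."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text)


def analyse_process_creation(doc, min_switches=3):
    """Return {"switches", "decoded", "suspicious"} for one flattened 4688 document."""
    tokens = split_cmdline(doc.get("winlog.event_data.CommandLine", ""))
    parent = doc.get("winlog.event_data.ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    is_powershell = bool(tokens) and tokens[0].rsplit("\\", 1)[-1].lower() in ("powershell.exe", "pwsh.exe")
    switches, decoded = [], None
    for i, tok in enumerate(tokens):
        name = STAGER_SWITCHES.get(tok.lower())
        if name is None:
            continue
        switches.append(name)
        if name == "EncodedCommand" and i + 1 < len(tokens):
            decoded = decode_encoded_command(tokens[i + 1])
    suspicious = (doc.get("event.code") == 4688 and parent == "explorer.exe"
                  and is_powershell and len(set(switches)) >= min_switches)
    return {"switches": switches, "decoded": decoded, "suspicious": suspicious}


# Constructed sample: the encoded payload is a harmless Write-Host so the
# decoding path can be exercised offline. Field names follow the page
# (ParentProcessName, CommandLine) plus 4688's NewProcessId.
SAMPLE_PAYLOAD = "Write-Host 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENT = {
    "@timestamp": "2019-05-18T21:11:16.978Z",
    "event.code": 4688,
    "winlog.event_data.ParentProcessName": r"C:\Windows\explorer.exe",
    "winlog.event_data.NewProcessId": "0xd14",
    "winlog.event_data.CommandLine":
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc ' + SAMPLE_B64,
}


if __name__ == "__main__":
    print(analyse_process_creation(SAMPLE_EVENT))
    print("pivot PID:", normalise_pid(SAMPLE_EVENT["winlog.event_data.NewProcessId"]))
```

Decoding is done with `validate=True` so that a token that merely looks base64-like (a long file name, say) does not produce garbage; a failed decode returns `None` and the switch count alone still drives the verdict.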
Task 3 – Process Creation through WMI (T1021)
Timeline: 01/04/2019 – 01/05/2019
| Attribute | Value |
|---|---|
| Tactic | Execution / Lateral Movement |
| Technique | T1021 – Process Creation through WMI |
| Investigation Focus | PowerShell scripts involving WMI, behavioral anomalies in wmiprvse.exe |
Hunt Queries and Findings
Query 1 – Search for WMI process creation events:
```
"*wmiprvse.exe*" AND "Create*"
```
Results at May 14, 2019 @ 22:32:37.706 -- 23:44:13.867: Extensive process creation activity by wmiprvse.exe, along with registry access that included permissions to delete, modify, and create sub-keys. The SeTakeOwnershipPrivilege was observed, indicating the process had the ability to take ownership of objects – a significant security risk.
Query 2 – Search for WMI spawning cmd.exe:
```
"*wmiprvse.exe*" AND "cmd.exe"
```
Results at Apr 30, 2019 @ 20:32:51.168 -- May 11, 2019 @ 17:58:50.090: Command output and errors were being redirected to a file on a local network share. This pattern indicates silent command logging or data capture through WMI-based execution.
Query 3 – Pivot on specific user and parent image:
```
winlog.event_data.User: IEWIN7\IEUser AND winlog.event_data.ParentImage: "C:\Windows\System32\wbem\WmiPrvSE.exe"
```
Result: No additional results were returned for this specific user-process combination.
Task 4 – MSSQL xp_cmdshell Execution
| Attribute | Value |
|---|---|
| Tactic | Execution / Initial Access |
| Technique | xp_cmdshell Execution via MSSQL |
| Investigation Focus | SQL-related process activity, command-line arguments referencing SQL |
Hunt Queries and Findings
Query 1 – Broad search for SQL-related activity:
```
winlog.event_data.CommandLine:*sql* OR winlog.event_data.ParentCommandLine:*sql* OR message:*sql*
```
Result at Nov 3, 2019 @ 13:51:58: A single relevant event was identified, pointing to SQL-related command execution.
Query 2 – Pivot on the SQL service host and account:
```
winlog.computer_name:MSEDGEWIN10 OR winlog.event_data.User:MSEDGEWIN10\sqlsvc
```
Result at Nov 4, 2019 @ 09:27:26.315: Conclusive evidence of xp_cmdshell execution was found. Additionally, various failed authentication attempts were observed, including attempts to authenticate as the root user – indicating either brute-force activity or misconfigured automated tools.
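Tasks 3 and 4 both come down to an unexpected parent/child pair at the process level: `WmiPrvSE.exe` hosting a shell in the WMI case, and `sqlservr.exe` spawning `cmd.exe` when `xp_cmdshell` runs. The rule table below is an added example covering both hunts, not their own tooling; it also pulls out the network-share redirection seen in Task 3's Query 2. Field names are Sysmon-style (`ParentImage` as used on the page, plus `Image` and `CommandLine`), the rule table is an assumption about which children are unexpected, and the sample documents (share name, paths) are constructed.

```python
"""Process-lineage triage for the WMI (Task 3) and xp_cmdshell (Task 4) hunts (added example)."""
import re
from pathlib import PureWindowsPath

# Parent image -> children that should not normally appear under it.
# Assumption: these are the shells/script hosts worth alerting on.
LINEAGE_RULES = {
    "wmiprvse.exe": {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"},
    "sqlservr.exe": {"cmd.exe", "powershell.exe"},
}

# cmd.exe output/error redirection (>, >>, 2>) whose target is a UNC path.
UNC_REDIRECT = re.compile(r'[12]?>>?\s*"?(\\\\[^\s"]+)')


def basename(path):
    """Lower-cased image file name, or "" when the field is missing."""
    return PureWindowsPath(path).name.lower() if path else ""


def triage_lineage(doc):
    """Return findings for one process-creation document; empty means benign."""
    parent = basename(doc.get("winlog.event_data.ParentImage", ""))
    child = basename(doc.get("winlog.event_data.Image", ""))
    cmdline = doc.get("winlog.event_data.CommandLine", "")
    findings = []
    if child in LINEAGE_RULES.get(parent, ()):
        findings.append(f"{parent} spawned {child}")
    for target in UNC_REDIRECT.findall(cmdline):
        findings.append(f"command output redirected to network share {target}")
    return findings


# Constructed sample documents (paths and share names are made up).
SAMPLE_EVENTS = [
    {   # WMI provider host running cmd.exe with output sent to a share (Task 3 pattern)
        "winlog.event_data.ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "winlog.event_data.Image": r"C:\Windows\System32\cmd.exe",
        "winlog.event_data.CommandLine": r'cmd.exe /c hostname > \\fileserver\share\out.txt 2>&1'},
    {   # SQL Server service spawning cmd.exe: what an xp_cmdshell call looks like (Task 4)
        "winlog.event_data.ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "winlog.event_data.Image": r"C:\Windows\System32\cmd.exe",
        "winlog.event_data.CommandLine": r'"C:\Windows\System32\cmd.exe" /c hostname'},
    {   # interactive shell from explorer.exe: no rule matches
        "winlog.event_data.ParentImage": r"C:\Windows\explorer.exe",
        "winlog.event_data.Image": r"C:\Windows\System32\cmd.exe",
        "winlog.event_data.CommandLine": r'"C:\Windows\System32\cmd.exe"'},
]


def run(events=SAMPLE_EVENTS):
    """Return the findings list for every sample event, in order."""
    return [triage_lineage(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, run()):
        print(basename(event["winlog.event_data.ParentImage"]), "->", findings or "benign")
```

Matching on the image basename rather than the full path keeps the rule working when SQL Server is installed under a non-default instance directory, which is the usual reason a path-anchored query like Task 4's Query 1 returns a single hit.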
Task 5 – Harvesting Browser Saved Credentials (T1081 / T1555.003)
| Attribute | Value |
|---|---|
| Tactic | Credential Access |
| Technique | T1555.003 – Credentials from Web Browsers |
| Investigation Focus | File access to browser credential stores, suspicious process origins |
Hunt Queries and Findings
Query 1 – Search for access to Chrome credential stores:
```
"*AppData\Local\Google\Chrome\User Data\Default\Login Data*"
```
Result at Apr 27, 2019 @ 19:33:50.134: The parent process wsus.exe was found accessing Chrome’s stored credentials. Notably, the binary was running from a suspicious path:
```
C:\Users\Defau1t\wsus.exe
```
The misspelled username (Defau1t) and the masquerading process name (wsus.exe mimicking Windows Server Update Services) are strong indicators of malicious activity.
Query 2 – Pivot on the suspicious process:
```
winlog.event_data.ProcessName: "C:\Users\Defau1t\wsus.exe"
```
Results at Apr 27, 2019 @ 19:31:15.355 -- 19:33:50.134: The same process was also observed accessing credential directories for other browsers, confirming a broader credential harvesting operation.
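The three signals in this hunt (a non-browser process reading a browser credential store, a binary running from a user profile, and a profile name that imitates a built-in one with a digit swap) can each be checked mechanically. The script below is an added example, not the hunt's own tooling. It assumes object-access style documents carrying `ObjectName` (the file) and `ProcessName` (as used on the page); the store list goes beyond the hunt's Chrome query to Edge and Firefox, and that list, the browser allowlist and the digit-for-letter table are assumptions. Sample documents are constructed.

```python
"""Triage of file-access events against browser credential stores (Task 5, added example)."""
import re
from pathlib import PureWindowsPath

# Browser credential stores. The hunt keyed on Chrome's "Login Data"; Edge
# (Chromium) uses the same file name and Firefox keeps logins.json.
CREDENTIAL_STORES = [
    re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$", re.I),
]
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}   # allowed readers
WELL_KNOWN_PROFILES = {"default", "public", "administrator"}
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def normalise(name):
    """Undo common digit-for-letter substitutions (Defau1t -> default)."""
    return name.lower().translate(LOOKALIKES)


def looks_like_homoglyph(name):
    """True when the name imitates a well-known profile name but is not it."""
    return name.lower() not in WELL_KNOWN_PROFILES and normalise(name) in WELL_KNOWN_PROFILES


def triage_credential_access(doc):
    """Return findings for one file-access document; empty means benign or out of scope."""
    target = doc.get("winlog.event_data.ObjectName", "")
    image = doc.get("winlog.event_data.ProcessName", "")
    if not any(p.search(target) for p in CREDENTIAL_STORES):
        return []
    proc = PureWindowsPath(image)
    findings = []
    if proc.name.lower() not in BROWSER_IMAGES:
        findings.append(f"{proc.name} read {PureWindowsPath(target).name} (not a browser)")
    parts = proc.parts                      # ('C:\\', 'Users', '<profile>', ..., 'x.exe')
    if len(parts) > 3 and parts[1].lower() == "users":
        findings.append(f"reader runs from a user profile: {image}")
        if looks_like_homoglyph(parts[2]):
            findings.append(f"profile '{parts[2]}' imitates '{normalise(parts[2])}'")
    return findings


# Constructed sample documents.
SAMPLE_EVENTS = [
    {   # masquerading binary in a look-alike profile reading Chrome's store -> 3 findings
        "winlog.event_data.ObjectName": r"C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data",
        "winlog.event_data.ProcessName": r"C:\Users\Defau1t\wsus.exe"},
    {   # Chrome itself reading its own store -> benign
        "winlog.event_data.ObjectName": r"C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data",
        "winlog.event_data.ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {   # unrelated file -> out of scope
        "winlog.event_data.ObjectName": r"C:\Users\IEUser\Documents\notes.txt",
        "winlog.event_data.ProcessName": r"C:\Users\IEUser\tool.exe"},
]


def run(events=SAMPLE_EVENTS):
    return [triage_credential_access(e) for e in events]


if __name__ == "__main__":
    for findings in run():
        print(findings or "benign")
```

The profile-name check deliberately compares against a short list of names that exist on every Windows host; comparing against every account on the domain would turn ordinary typos in user names into alerts.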
Task 6 – Privilege Escalation through RottenPotato (T1134)
Timeline: 26/05/2019
| Attribute | Value |
|---|---|
| Tactic | Privilege Escalation |
| Technique | T1134 – Access Token Manipulation |
| Investigation Focus | Token impersonation of SYSTEM accounts, reverse methodology analysis |
RottenPotato exploits the way Windows handles token negotiation for COM objects. A service account can intercept and impersonate a SYSTEM-level token by forcing NTLM authentication through a local listener.
Hunt Queries and Findings
Query 1 – Search for SYSTEM-level loopback activity:
```
*SYSTEM* AND "127.0.0.1"
```
Results at May 26, 2019 @ 15:47:58.830 -- 15:48:00.732: Evidence of notepad.exe abuse was found, consistent with RottenPotato documentation where a benign process is used as a target for token impersonation.
Query 2 – Pivot on the notepad.exe process:
```
"*notepad.exe"
```
Result at May 26, 2019 @ 15:48:01.864: An unusual internal network connection was observed originating from notepad.exe. The connection used the TCP protocol under NT AUTHORITY\SYSTEM context, confirming successful privilege escalation from a service account to SYSTEM.
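The two queries above reduce to one behavioural statement: a process that has no business opening sockets connects to loopback under the SYSTEM account, and shortly afterwards the same image becomes the parent of a SYSTEM-context process. The script below is an added example, not the hunt's own tooling, that checks both halves and correlates them within a short window. Field names are Sysmon-style (`event.code` 3 with `Image`/`User`/`DestinationIp`/`Protocol`, `event.code` 1 with `ParentImage`/`User`); the image list and the 30-second window are assumptions, and the sample events are constructed.

```python
"""Loopback-as-SYSTEM triage and correlation for the RottenPotato hunt (Task 6, added example)."""
from datetime import datetime, timedelta
from ipaddress import ip_address
from pathlib import PureWindowsPath

# Images that should never open network sockets. Assumption: tune per estate.
NON_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe", "write.exe"}
SYSTEM_ACCOUNT = "nt authority\\system"


def basename(path):
    return PureWindowsPath(path).name.lower() if path else ""


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_system_loopback(doc):
    """True for a network event from a non-network image to a loopback address as SYSTEM."""
    if doc.get("event.code") != 3:
        return False
    try:
        loopback = ip_address(doc.get("winlog.event_data.DestinationIp", "")).is_loopback
    except ValueError:
        return False
    return (loopback
            and doc.get("winlog.event_data.User", "").lower() == SYSTEM_ACCOUNT
            and basename(doc.get("winlog.event_data.Image", "")) in NON_NETWORK_IMAGES)


def correlate(events, window=timedelta(seconds=30)):
    """Pair each suspicious loopback connection with SYSTEM-context process
    creations (event.code 1) whose parent is the same image inside the window."""
    ordered = sorted(events, key=lambda e: parse_ts(e["@timestamp"]))
    findings = []
    for i, net in enumerate(ordered):
        if not is_system_loopback(net):
            continue
        image = basename(net["winlog.event_data.Image"])
        t0 = parse_ts(net["@timestamp"])
        children = [
            basename(e.get("winlog.event_data.Image", "")) for e in ordered[i + 1:]
            if e.get("event.code") == 1
            and parse_ts(e["@timestamp"]) - t0 <= window
            and basename(e.get("winlog.event_data.ParentImage", "")) == image
            and e.get("winlog.event_data.User", "").lower() == SYSTEM_ACCOUNT
        ]
        findings.append({"image": image, "at": net["@timestamp"], "system_children": children})
    return findings


# Constructed sample events, given out of order to exercise the sort.
SAMPLE_EVENTS = [
    {   # cmd.exe under notepad.exe, already SYSTEM, two seconds after the connection
        "@timestamp": "2019-05-26T15:48:03.100Z", "event.code": 1,
        "winlog.event_data.Image": r"C:\Windows\System32\cmd.exe",
        "winlog.event_data.ParentImage": r"C:\Windows\System32\notepad.exe",
        "winlog.event_data.User": r"NT AUTHORITY\SYSTEM"},
    {   # notepad.exe, as SYSTEM, opening a TCP connection to 127.0.0.1
        "@timestamp": "2019-05-26T15:48:01.864Z", "event.code": 3,
        "winlog.event_data.Image": r"C:\Windows\System32\notepad.exe",
        "winlog.event_data.User": r"NT AUTHORITY\SYSTEM",
        "winlog.event_data.Protocol": "tcp",
        "winlog.event_data.DestinationIp": "127.0.0.1"},
    {   # a browser talking to the internet as an ordinary user: benign
        "@timestamp": "2019-05-26T15:50:00.000Z", "event.code": 3,
        "winlog.event_data.Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "winlog.event_data.User": r"IEWIN7\IEUser",
        "winlog.event_data.Protocol": "tcp",
        "winlog.event_data.DestinationIp": "93.184.216.34"},
]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Correlating the connection with the follow-on process creation is what turns a noisy single-event match into something an analyst can act on; a loopback connection by itself is common on hosts running local agents.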
MITRE ATT&CK Mapping Summary
| Task | Tactic | Technique | ID |
|---|---|---|---|
| Timestomping | Defense Evasion | Timestomp | T1099 |
| Meterpreter Migrate | Defense Evasion / Privilege Escalation | Process Injection | T1055 |
| WMI Process Creation | Execution / Lateral Movement | Remote Services: WMI | T1021 |
| xp_cmdshell | Execution / Initial Access | Command and Scripting Interpreter | – |
| Browser Credential Harvesting | Credential Access | Credentials from Web Browsers | T1555.003 |
| RottenPotato | Privilege Escalation | Access Token Manipulation | T1134 |