ELK Lab 2 - LOLBAS, UAC Bypass, DCSync
ELK hunting lab covering rundll32 abuse, UAC bypass via cliconfg.exe and sdclt.exe, RDP tampering detection, DCSync, remote WMI usage, LOLBAS openurl techniques, and scheduled task persistence.
Task 1. Hunt for malicious use of rundll32
After visiting the LOLBAS project, we find that rundll32.exe can call pcwutl.dll which has the ability to execute an application. Query against Sysmon logs:
process.name:rundll32.exe AND (process.args:pcwutl.dll AND process.args:LaunchApplication)
Task 2. Hunt for UAC Bypass leveraging cliconfg.exe
The bypass is implemented through an abuse of “cliconfg.exe” loading “NTWDBLIB.dll”. Focus on Sysmon’s Event ID 7 (Image loaded):
event.id:7 AND (process.name:cliconfg.exe AND file.path:NTWDBLIB.dll)
- Type: Dll Hijack
- Method: WUSA
- Target: \system32\cliconfg.exe
- Component: ntwdblib.dll
- Works from: Windows 7 (7600)
- Fixed in: Windows 10 TH1 (10147) – WUSA /extract option removed
Task 3. Hunt for RDP Settings tampering
If RDP tampering or abuse (e.g., RDP tunneling) is to occur, RDP should first be enabled. Monitor if netsh is used to create a firewall rule allowing RDP. Focus on Sysmon event ID 1 (Process Creation):
event.id:1 AND (process.name:netsh.exe AND (process.args:localport=3389 AND process.args:action=allow))
Enabling RDP on its own is not necessarily malicious; additional investigation is required before concluding that it is. Nonetheless, the RDP configuration has been tampered with.
Task 4. Hunt for DCSync
Using the Sigma DCSync detection rule as a reference, construct:
event.id:4662 AND NOT (user.name:*$ OR user.name:AUTHORITY OR user.name:Window) AND (object.properties:1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 OR object.properties:Replicating)
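As an added example (not part of the original lab), the same filter expressed in Python and run over constructed 4662 records, so the account exclusions and property match can be checked offline. The second GUID, DS-Replication-Get-Changes, goes beyond the page's query and is an assumption taken from the Sigma rule's wider list.

```python
import re

# Constructed Security-log records in the flattened field shape the Kibana
# query relies on. Sample data only, not real logs.
SAMPLE_EVENTS = [
    {"event.id": 4662, "user.name": "DC01$",                       # machine account: DC-to-DC replication
     "object.properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event.id": 4662, "user.name": "jdoe",                        # plain user requesting replication
     "object.properties": "Replicating Directory Changes All"},
    {"event.id": 4662, "user.name": "NT AUTHORITY\\SYSTEM",        # excluded by the AUTHORITY token
     "object.properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event.id": 4662, "user.name": "Window Manager\\DWM-1",       # excluded by the Window token
     "object.properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event.id": 4662, "user.name": "svc_backup",                  # unrelated property (placeholder GUID)
     "object.properties": "{00000000-0000-0000-0000-000000000000}"},
    {"event.id": 4624, "user.name": "jdoe",                        # wrong event id
     "object.properties": ""},
]

# Property markers from the query; the second GUID is an assumed addition (Get-Changes).
REPLICATION_MARKERS = (
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All (page's query)
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes (assumed, from Sigma)
    "replicating",                            # object.properties:Replicating
)


def is_excluded_account(user):
    """Mirror NOT (user.name:*$ OR user.name:AUTHORITY OR user.name:Window).
    Token match on whitespace/backslash boundaries approximates the analysed field."""
    tokens = re.split(r"[\\\s]+", user.lower())
    return user.endswith("$") or "authority" in tokens or "window" in tokens


def is_dcsync_candidate(evt):
    if evt.get("event.id") != 4662:
        return False
    if is_excluded_account(evt.get("user.name", "")):
        return False
    props = evt.get("object.properties", "").lower()
    return any(marker in props for marker in REPLICATION_MARKERS)


def hunt_dcsync(events):
    """Return the account names that should be triaged as DCSync candidates."""
    return [e["user.name"] for e in events if is_dcsync_candidate(e)]


if __name__ == "__main__":
    print(hunt_dcsync(SAMPLE_EVENTS))
```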
Task 5. Hunt for Remote WMI Usage
Remote usage of WMI creates Event ID 4648 (logon with explicit credentials) with a source process of wmic.exe:
event.id:4648 AND process.executable:WMIC.exe
Expanding the entry reveals details on the account(s) associated with the login.
Task 6. Hunt for LOLBAS openurl
Rundll32.exe can call libraries capable of program execution. “ieframe.dll”, “shdocvw.dll”, and “url.dll” are of interest. Using Sysmon Event ID 1:
process.executable:rundll32.exe AND process.args:(url.dll OR ieframe.dll OR shdocvw.dll)
5 matches found:
- 1 match with ieframe.dll (opens a URL file from a temporary directory)
- 4 matches with url.dll (one executes an .hta file)
The .hta execution means mshta is called as the default handler. Confirm with:
process.executable:mshta.exe AND process.args:calc.hta
Task 7. Hunt for persistence through scheduled tasks
Both “at.exe” and “schtasks.exe” can schedule tasks. Focus on Sysmon Event ID 1:
event.id:1 AND ((process.executable:schtasks.exe AND process.args:create) OR process.executable:at.exe)
An action executing “mshta.exe” against a remote URL is added. Verify the task was created:
event.id:11 AND file.path:MSOFFICE_
Verify the task was executed:
event.id:1 AND winlog.event_data.Image:"C:\Windows\system32\schtasks.exe" AND winlog.event_data.CommandLine:("run" AND "elevator")
Search for traces of task deletion:
event.id:1 AND winlog.event_data.Image:"C:\Windows\system32\schtasks.exe" AND winlog.event_data.CommandLine:("delete" AND "elevator")
Task 8. Hunt for UAC Bypass leveraging SDCLT.EXE
Monitor the registry key at “HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand”. Use Sysmon Event ID 13 (Registry event):
event.id:13 AND registry_key_path:"shell\\runas\\command\\isolatedCommand"
Upon successful elevation, notepad.exe will start in high integrity.