Threat hunting with CrowdStrike – Valid Accounts

Techniques of interest: 

https://attack.mitre.org/techniques/T1078/
https://attack.mitre.org/techniques/T1021/
 |_ Remote Services: Remote Desktop Protocol
 |_ Remote Services: SMB/Windows Admin Shares  

Hypothesis: 

If a Threat Actor (TA) successfully employed the above-mentioned sub-techniques of T1021, then in a Windows Active Directory environment this should manifest as Windows logon events of types 3 and 10 being generated on the target machines.

If we were able to identify any single user account logging into multiple hosts in the domain, it could be an indicator of the activity described above. Deeper investigation of the actions performed by such an account on the target hosts, as well as comparison of its logon activity against a historical baseline, could lead to uncovering TA operations in the environment and hence prove the hypothesis true.

https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter3

Test: 

Click here to learn how to do the same with MS Defender Advanced Hunt.

I’ll start by using the Event Search component of CrowdStrike. Sadly, I can’t link any documentation on it as there is nothing I could find that would be publicly available. Long story short, Event Search is basically a Splunk search interface for the ‘raw’ data collected by Falcon sensors. This means that whatever works in SPL, if you’re familiar with it, will work here. You just need to get used to Falcon’s event types and field names. If there is one field to know first, it’s event_simpleName, which identifies the category of a given event.

Since in our scenario I need to look at logon activity, I’ll be searching for event_simpleName=UserLogon events.

Let’s have a look at the below query. 

event_simpleName=UserLogon (LogonType_decimal=3 OR LogonType_decimal=10)
| stats count(UserName) as NumberLogons dc(aid) as HostsAccessed by UserName
| where HostsAccessed >= 2
| sort - NumberLogons

It generates statistics on the number of logons performed by each user account, count(UserName), together with the number of distinct hosts, dc(aid), these logons were performed on. The results are limited to the logon events of type 3 (Network) or 10 (RDP) that I’m interested in, and only accounts that accessed two or more hosts are shown, where HostsAccessed >= 2.

This should give results like those shown below.

Top numbers will obviously vary greatly depending on the type of environment. There are opportunities to filter the view further, for example by focusing only on client systems (ProductType=1), which shouldn’t commonly be the targets of remote logons.

Having identified some of the most active accounts, we need to choose the ones we want to investigate further. The first step is to understand whether such activity is common for the selected account or not. Since we’ll be searching through the activity of one selected user, we can afford to run the query over a longer period of time, such as 7 days. This will allow us to visualize the number of such events across the days.

As can be observed in the example above, the activity of this particular user looks like an automated task that has been running in a pattern across all the days. In contrast, the stats below are less predictable, as we can see a peak in activity on Saturday.
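As an added example that is not from the post or from CrowdStrike, the same hunt logic implemented in Python over a constructed set of UserLogon events: the stats/dc/where/sort pipeline (with the optional ProductType=1 client-only filter) and the per-user daily baseline that surfaces the weekend peak. Field names follow the post; the event sample, user names, aids, dates and the 3x-median peak threshold are assumptions.

```python
from collections import defaultdict
from statistics import median
# Constructed sample of CrowdStrike UserLogon events (not real telemetry); only the
# fields the hunt uses are modelled. ProductType would come from the aid_master lookup.
def _ev(ts, user, aid, logon_type, product_type=1):
    return {"timestamp": ts, "UserName": user, "aid": aid,
            "LogonType_decimal": logon_type, "ProductType": product_type}

SAMPLE_EVENTS = [
    # svc_backup: scheduled job hitting the same two servers (ProductType=3) every night
    *[_ev(f"2023-05-{d:02d}T02:00:00Z", "svc_backup", f"aid-srv{h}", 3, 3)
      for d in range(1, 8) for h in (1, 2)],
    # jdoe: RDP to own workstation on weekdays, then 8 workstations over SMB on Saturday
    *[_ev(f"2023-05-{d:02d}T09:00:00Z", "jdoe", "aid-ws01", 10) for d in range(1, 6)],
    *[_ev(f"2023-05-06T23:{m:02d}:00Z", "jdoe", f"aid-ws{h:02d}", 3)
      for m, h in enumerate(range(10, 18))],
    # asmith: one host only, plus an interactive (type 2) logon the hunt ignores
    _ev("2023-05-03T10:00:00Z", "asmith", "aid-ws02", 10),
    _ev("2023-05-04T10:00:00Z", "asmith", "aid-ws02", 2),
]

def hunt_multi_host_logons(events, min_hosts=2, logon_types=(3, 10), product_type=None):
    """The stats pipeline: count type 3/10 logons and distinct hosts (aid) per UserName,
    keep users seen on >= min_hosts hosts, sort by logon count. product_type=1 is the
    '| search ProductType=1' client-only variant."""
    logons, hosts = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["LogonType_decimal"] not in logon_types:
            continue
        if product_type is not None and ev["ProductType"] != product_type:
            continue
        logons[ev["UserName"]] += 1
        hosts[ev["UserName"]].add(ev["aid"])
    rows = [(u, n, len(hosts[u])) for u, n in logons.items() if len(hosts[u]) >= min_hosts]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def daily_baseline(events, user, logon_types=(3, 10)):
    """Per-day logon counts for one user: the 7-day view that separates a regular
    pattern from an outlier."""
    per_day = defaultdict(int)
    for ev in events:
        if ev["UserName"] == user and ev["LogonType_decimal"] in logon_types:
            per_day[ev["timestamp"][:10]] += 1
    return dict(sorted(per_day.items()))

def peak_days(per_day, factor=3.0):
    """Days whose count exceeds factor x the user's median daily count (the Saturday
    peak that should catch the hunter's eye); the factor is an assumed threshold."""
    baseline = median(per_day.values()) if per_day else 0
    return [day for day, n in per_day.items() if n > factor * baseline]
```

Run against real Event Search exports, the same two steps reproduce the post's workflow: the first function is the triage list, the second and third are the baseline check before jumping into User Search.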

This is something that should catch a threat hunter’s eye.

So let’s dig in. We could stay in Event Search and review the raw events in the Splunk interface, but it’s a bit of a hideous task that I’m not a huge fan of. Instead I’m going to use the Investigate -> User Search component to look for the username of interest in the time window of the peak. The view here gives a detailed summary of things like process executions, command lines, admin tool usage, file transfer activity, etc., all in the context of this user’s actions. Moving forward, it’s all about good old digging through forensic information and deciding whether it warrants incident response team involvement or not.

The user that caught my eye today was performing a change related to local group membership management on multiple hosts during the weekend ¯\_(ツ)_/¯

CrowdStrike Event Search (Splunk) query with the ProductType filter applied:
event_simpleName=UserLogon (LogonType_decimal=3 OR LogonType_decimal=10)
| lookup aid_master aid OUTPUT Version ProductType
| search ProductType=1
| stats count(UserName) as NumberLogons dc(aid) as HostsAccessed by UserName
| where HostsAccessed >= 2
| sort - NumberLogons
