Description
This script monitors Windows Event Logs for the creation of any events containing credentials.
Overview
This script works by subscribing to a local or remote event log and reading the resulting stream of events. It then leverages regular expressions to find credentials such as username and password in those events.Those credentials are then exfiltrated as Artifacts over the C2 channel.
An example is 4688 process creation event logs that can be configured to store commandline arguments for all process execution events. The “Commandline” field can contain passwords when administrators use tools such as PsExec.exe, WMIC.exe, and net.exe. For example, the following command shows how schtasks.exe can be used with an explicit username and password:
schtasks.exe /CREATE /S 192.168.1.103 /RU SYSTEM /U [email protected] /P "1qaz!QAZ" /SC ONCE /ST 23:59 /TN Test /TR hostname /F
Arguments
- ComputerName: System to search through logs.
- Username: The username to authenticate with.
- Password: The password to authenticate with.
Modules
- EventLog
Pre-Requisites
- Administrator access
Employment Considerations
- Collecting events remotely may generate a lot of network traffic, especially if the remote system is a log aggregator.
- Exfiltration of captured credentials is not synchronized with the implant callback, so captured credentials may generate suspicious out-of-cycle connections from the Specter implant. This may be exacerbated by captured credentials running on a scheduled interval.
Example Output
Username : Administrator
Password : 1qaz!QAZ
EventTimestamp : 9/3/2024 12:23:47 PM
Commandline : C:\Windows\system32\net1 user Administrator 1qaz!QAZ /domainomain