Detections That Can Help You Identify Ransomware | Server Security

One of the benefits of being part of a global research-driven incident response firm like X-Force Incident Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs).

In particular, the X-Force IR team has identified several actions ransomware operators take that are common across almost all ransomware attacks — and are also relatively easy to detect through search queries and detection mechanisms identified by X-Force IR. This blog will review several opportunities security teams have to detect most ransomware adversaries within the default WELs. By leveraging the default WELs, many ransomware victims have the data they need to detect ransomware operators; they simply need to know where to look. That is where X-Force IR can help.

Because many ransomware affiliates interact, cross-pollinate and operate on behalf of different ransomware groups, we don’t attribute the following activities to any particular ransomware group; they are common across multiple ransomware groups. Sodinokibi/REvil, Avaddon and DarkSide ransomware groups shut down from May to July, but the affiliates that conducted attacks on behalf of these groups have shifted to new groups such as LockBit and emerging ransomware groups.

X-Force Threat Intelligence has tracked several malicious actors that have acted as affiliates of multiple groups. For example, ITG08 — also known as FIN6 — has probably acted as an affiliate for Ryuk, LockerGoga and MegaCortex attacks. In addition, ITG14, which shares campaign overlap with FIN7, has been an affiliate of Sodinokibi/REvil and was the overarching operator behind the DarkSide ransomware cartel.

Detection Opportunities in the WELs

The following event log entries have been present in the majority of ransomware incidents that X-Force IR has responded to and were all logged on systems with the default audit policy. While all these detections have been useful during X-Force IR engagements, there is always the possibility of false positives. Defenders should evaluate their datasets to identify possible false positives and tuning opportunities before adding to a production system.

System Log Event ID 7045

Without a doubt, Event ID 7045 is the most important event log entry to detect ransomware operators once they have gained access to a target network. In reviewing the 2020 ransomware incidents to which X-Force IR responded, evidence of adversary activity was identified within 7045 event log entries in over 90% of the ransomware incidents where adversaries moved laterally to at least one system.

For lateral movement, adversaries will leverage the Windows Service Control Manager (SCM) to create a new service where the target file is a custom command or executable that enables remote access to the target system.

Within Cobalt Strike, adversaries can leverage the jump command to spawn a beacon on a remote host through a new service.

Figure 1: Cobalt Strike’s default listing for Jump commands

Similar capabilities exist within the Metasploit Framework, which is another offensive security tool that X-Force IR has observed ransomware operators leveraging to carry out their attacks. Evidence of Metasploit’s SCM lateral movement tools can also be detected through 7045 event log entries.

In addition to offensive security frameworks, ransomware adversaries have been observed leveraging remote access tools like PsExec, TeamViewer and ScreenConnect to carry out their operations. Evidence of these tools can also be recovered from the 7045 event log entries.

Adversaries will leverage the SCM as a privilege escalation technique by configuring the new service to run as SYSTEM.

Event ID 7045 Detection:

Activity: Lateral Movement / Priv Esc / Execution
EID: 7045
Source: System.evtx
Detection: Service File Name contains ADMIN$ OR C$ OR IPC$ OR cmd /c OR powershell OR comspec OR screenconnect OR SystemDrive OR teamviewer OR psexesvc

Table 1: Detections in Windows Event Log 7045 entries

Figure 2: Evidence of Cobalt Strike’s psexec_psh Jump command

Figure 3: Evidence of Cobalt Strike’s svc_exe elevate command

Figure 4: Evidence of ScreenConnect utility

Security Log Event 4624

X-Force IR has observed that ransomware operators continue to leverage a tunneled remote desktop protocol (RDP) connection to bypass network restrictions during data collection and exfiltration.

While various utilities can facilitate RDP tunneling, X-Force IR has observed that plink and ngrok are the two most common utilities used by ransomware operators. Plink (Putty link) is a command-line tool used to establish secure shell (SSH) connections to remote systems.

The following command has been used by ransomware operators to create an RDP tunnel via a batch script. Values stripped from the original page are shown as angle-bracket placeholders. The -R option makes the operator's SSH server listen on port 80 and forward that traffic back through the tunnel to the victim's local RDP port, which is why the resulting RDP logons appear to originate from 127.0.0.1.

plink.exe <user>@<ssh-server> -pw <password> -hostkey <host-key-fingerprint> -P <ssh-port> -2 -4 -T -N -C -R 0.0.0.0:80:127.0.0.1:3389 -batch

Table 2: Example plink command to enable RDP tunneling on a host

Ngrok is a utility designed specifically to enable remote access to systems behind firewalls. X-Force IR has observed adversaries masquerading ngrok as other utilities for RDP access to a target system in order to maintain persistent access to systems behind network address translation (NAT) or firewalls.

Figure 5: Ngrok entries masquerading as legitimate tools within Program Files to enable persistent remote access through tunneled RDP

Through analysis of evidence collected from incident response engagements and behavioral research performed by X-Force IR, researchers have determined that EID 4624 can be leveraged to detect a user accessing a system through a tunneled RDP connection.

Event ID 4624 Detection:

Activity: Tunneled RDP
EID: 4624
Source: Security.evtx
Detection: Logon Type 10 AND Source Network Address equals 127.0.0.1 OR ::1

Table 3: Event ID 4624 keyword detections for RDP tunneling

Figure 6: Evidence of RDP tunneling 

Figure 7: Evidence of RDP tunneling

Security Log Event 4662 (Domain Controllers Only)

Once access to an enterprise network is established, ransomware operators are constantly on the hunt for privileged access to the domain, typically by targeting members of the domain administrators group. Privileged domain access grants the adversary the ability to access more data and effectively deploy the ransomware in the final stage of the attack. However, in multiple cases, X-Force IR has observed ransomware operators targeting multiple domains within a forest for ransomware deployment. X-Force IR has observed multiple ransomware operators leveraging the DCSync command within Mimikatz to access the KRBTGT account, which is used to encrypt and sign Kerberos tickets within a domain. With access to the KRBTGT account, adversaries can gain privileged access to the forest root domain and subsequently gain privileged access to all domains in the forest.

DCSync was implemented in Mimikatz (authored by Benjamin Delpy and Vincent Le Toux) back in 2015, which allowed an adversary to masquerade as a domain controller and remotely retrieve password hashes from other domain controllers without executing any code on the target domain controller.

To be executed, the adversary must have access to a domain resource with domain replication privileges — specifically ‘replicating directory changes,’ ‘replicating directory changes all,’ or ‘replicating directory changes in filtered set.’ By default, domain controllers, domain administrators and enterprise administrators have these privileges granted.

On domain controllers, Event ID 4662 is logged when an operation is performed on an object within Active Directory, and this event is normal for when objects are changed or when domain controllers need to replicate changes to other domain controllers.

In the case of a DCSync command, the adversary leverages the DS-Replication-Get-Changes-All extended right within the Domain-DNS class to request data to replicate to a user or system that is not a domain controller. When this action occurs, an Event ID 4662 is logged on the target domain controller, which can be used to detect adversary activity.

Event ID 4662 Detection:

Activity: DCSync
EID: 4662 (DCs only)
Source: Security.evtx
Detection: Object Server = "DS" AND Properties contain "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" (DS-Replication-Get-Changes-All) and "19195a5b-6da0-11d0-afd3-00c04fd930c9" (Domain-DNS class WRITE_DAC) AND Account name does not end with "$"

Table 4: Keyword DCSync detection in 4662 event log entries

Figure 8: Evidence of DCSync

It is worth noting that if the adversary executes DCSync as SYSTEM from another computer account, an Event ID 4662 containing the source computer account will not be available. To detect that behavior, defenders should audit the required permissions within Active Directory for unauthorized computer or user accounts.

import-module activedirectory
# Identities that hold replication rights by default; any other holder is worth investigating.
$DefaultPrivs = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS", "BUILTIN\Administrators", "$env:USERDOMAIN\Enterprise Read-only Domain Controllers", "$env:USERDOMAIN\Domain Controllers"
# Every ACE on the domain head (dc=dwyer,dc=com is the author's lab domain; substitute your own DN) that grants one of the
# three replication extended rights: 1131f6aa = DS-Replication-Get-Changes, 1131f6ad = DS-Replication-Get-Changes-All,
# 89e95b76 = DS-Replication-Get-Changes-In-Filtered-Set.
$Privs = (Get-Acl "ad:dc=dwyer,dc=com").Access | ? { $_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c" } | Select IdentityReference
# Print only the holders that are not in the default list.
foreach ($priv in $Privs) { if ($priv.IdentityReference -notin $DefaultPrivs) { write-host $priv.IdentityReference } }

Table 5: PowerShell Command to Audit DCSync privileges

PrintService Admin Log 808

X-Force IR has observed ransomware operators taking advantage of the remote code execution and local privilege escalation vulnerabilities within the Microsoft Print Spooler Service (a.k.a. PrintNightmare) to escalate privileges during ransomware attacks.

PrintNightmare exploits a design flaw where non-privileged users can add printer drivers to a Windows system. Attackers can exploit this vulnerability by installing a malicious printer driver, which will be executed as SYSTEM via the Print Spooler service, effectively granting the attacker SYSTEM-level permissions. Attackers targeting domain controllers are able to assume control of the entire domain through the PrintNightmare exploit.

Through observations of ransomware operator activities and continued research into the forensic evidence of the PrintNightmare exploit, X-Force IR has noted that Event ID 808 in the Print Service log is commonly present after successful exploitation. Event ID 808 is logged when the Print Spooler has failed to load a plug-in module within a driver. In most cases, the referenced module is a malicious dynamic-link library (DLL) used by the attacker to execute arbitrary commands via the Print Spooler service.

Event ID 808 Detection:

Activity: PrintNightmare
EID: 808
Source: Microsoft-Windows-PrintService/Admin
Detection: Message contains .dll AND error code is 0x45A

Table 7: PrintNightmare detection within 808 Event Log entries

Figure 9: Evidence of PrintNightmare
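The four table detections above (Tables 1, 3, 4 and 7) expressed as code, as an added example that is not part of the X-Force post: it flattens Windows events exported as XML (for example with wevtutil qe <log> /f:xml) and applies each rule. The sample events are constructed; the 808 sample carries the rendered Message text rather than the event's UserData elements, whose layout is not assumed here.

```python
import xml.etree.ElementTree as ET
# Keyword and GUID lists copied from Tables 1, 3, 4 and 7 above.
SVC_KEYWORDS = ("admin$", "c$", "ipc$", "cmd /c", "powershell", "comspec",
                "screenconnect", "systemdrive", "teamviewer", "psexesvc")
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
DOMAIN_DNS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"        # Domain-DNS class

def parse_event(xml_text):
    """Flatten one exported <Event> into a dict keyed by each leaf's Name attribute or local tag."""
    rec, texts = {}, []
    for el in ET.fromstring(xml_text).iter():
        if len(el) == 0 and el.text and el.text.strip():
            rec[el.get("Name") or el.tag.rsplit("}", 1)[-1]] = el.text.strip()  # drop {xmlns} prefix
            texts.append(el.text)
    rec["_text"] = " ".join(texts).lower()       # whole-record text for message-style matching
    return rec

def detect(rec):
    """Return which of Tables 1/3/4/7 fires for one flattened record, else None."""
    eid, chan = rec.get("EventID"), rec.get("Channel")
    if eid == "7045" and chan == "System":                                   # Table 1
        if any(k in rec.get("ImagePath", "").lower() for k in SVC_KEYWORDS):
            return "7045 suspicious service"
    elif eid == "4624" and chan == "Security":                               # Table 3
        if rec.get("LogonType") == "10" and rec.get("IpAddress") in ("127.0.0.1", "::1"):
            return "4624 tunneled RDP"
    elif eid == "4662" and chan == "Security":                               # Table 4
        props = rec.get("Properties", "").lower()
        if (rec.get("ObjectServer") == "DS" and GET_CHANGES_ALL in props and DOMAIN_DNS in props
                and not rec.get("SubjectUserName", "").endswith("$")):       # computer accounts excluded
            return "4662 DCSync"
    elif eid == "808" and chan == "Microsoft-Windows-PrintService/Admin":    # Table 7
        if ".dll" in rec["_text"] and "0x45a" in rec["_text"]:
            return "808 PrintNightmare"
    return None

def scan(xml_events):                 # detection name per event, in order; None where nothing fires
    return [detect(parse_event(x)) for x in xml_events]

# Constructed sample events (System + EventData; the 808 sample carries the rendered Message).
E = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
SAMPLES = [
    E + '<System><Channel>System</Channel><EventID>7045</EventID></System><EventData>'
        '<Data Name="ServiceName">PSEXESVC</Data><Data Name="ImagePath">%SystemRoot%\\PSEXESVC.exe</Data></EventData></Event>',
    E + '<System><Channel>Security</Channel><EventID>4624</EventID></System><EventData>'
        '<Data Name="LogonType">10</Data><Data Name="IpAddress">127.0.0.1</Data></EventData></Event>',
    E + '<System><Channel>Security</Channel><EventID>4662</EventID></System><EventData><Data Name="ObjectServer">DS</Data>'
        '<Data Name="SubjectUserName">jdoe</Data><Data Name="Properties">%%7688\n\t{' + GET_CHANGES_ALL + '}\n\t{' + DOMAIN_DNS + '}</Data></EventData></Event>',
    E + '<System><Channel>Security</Channel><EventID>4662</EventID></System><EventData><Data Name="ObjectServer">DS</Data>'
        '<Data Name="SubjectUserName">DC02$</Data><Data Name="Properties">{' + GET_CHANGES_ALL + '} {' + DOMAIN_DNS + '}</Data></EventData></Event>',
    E + '<System><Channel>Microsoft-Windows-PrintService/Admin</Channel><EventID>808</EventID></System><RenderingInfo>'
        '<Message>The print spooler failed to load a plug-in module C:\\spool\\drivers\\x64\\3\\evil.dll, error code 0x45A.</Message></RenderingInfo></Event>',
]
```

The fourth sample (a DCSync-style 4662 from the computer account DC02$) deliberately does not fire, which is the blind spot the 4662 section notes and the reason the ACL audit in Table 5 complements the log rule.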

Honorable Mentions: Security Log Event ID 4648

Event ID 4648 is created when a process executes an account logon event by explicitly specifying user credentials. This event is commonly logged when a user leverages the runas command. In instances where runas is executed, the associated process name is svchost.exe. Additionally, an Event ID 4648 with a process name of consent.exe will be logged when user account control (UAC) is enabled and prompts for credentials prior to executing a program.

An interesting observation of the evidence collected during ransomware investigations is the fairly common presence of Event ID 4648 entries referencing AdFind within the process name. X-Force IR was only able to…
