
Visualize Windows Events using Python3 & Neo4j

BSides Athens 2020 · 16:09 · Published 2020-06
Category: Technical
Team: Blue
About this talk
Abstract: Windows events are an important, detailed record of a system and can be used to address questions like "Who, What, When". With this presentation, I will demonstrate the visualization of more than 15 Windows security events using a custom Python3 script and a Neo4j database. In addition, I will query Neo4j in order to hunt for malicious tasks that may have occurred, or tasks that a normal domain user should not do (for example: execute PowerShell.exe).

Bio: For the past two and a half years, I have been a core member of Deloitte's Cyber Risk department in Cyprus. As a senior consultant, I have participated in a variety of projects including infrastructure, web application, mobile application and external penetration tests for clients, as well as the preparation of training manuals for the Risk Advisory department of the firm. I hold OSCP (Offensive-Security) & CEHv9 (EC-Council) certifications and am currently studying for OSWE (Offensive-Security Web Expert). I presented DropTheMic / CVE-2019-1040 at the first BSides conference held in Cyprus in October 2019.

Security BSides Athens 2020. CyberSecurity | InfoSec | Ethical Hacking | Computer Security | Evolving Threats | Threat Landscape | Privacy | Cyber Resilience. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world! We are responsible for organizing an independent Security BSides-Approved event for Athens, Greece. More: https://www.bsidesath.gr Follow on Twitter: @BSidesAth
Transcript [en]

Hello everyone, my name is Anastasios Chatziefstratiou and I would like to welcome you to this virtual talk for the BSides Athens conference. Today I am going to talk about Windows and Sysmon event visualization using a tool that I have developed, which is called Epimetheus. Below you can see a brief overview of my profile. I have been a penetration tester at Deloitte since 2017. Please feel free to connect with me on Twitter; you can also download my GitHub repositories, and if you like blogging, then use the Medium platform to read my posts. I am the creator of LogRM, which is a post-exploitation tool based on PowerShell, and of Epimetheus, which we will take a quick look at today. Last year I presented Drop the Mic at BSides Cyprus. Drop the Mic is a famous bug in the NTLM protocol. I am a huge fan of the learning paths that can emerge during personal research. Although it is a painful process, the knowledge that we can gain is colossal.

Today I will talk about Windows and Sysmon events using Neo4j and Python. To achieve my goal, I am going to use a tool that I have developed, which is called Epimetheus. Before reaching the demonstration and the syntax of my tool, I will give you an insight into what is happening backstage. I couldn't omit mentioning the difficulties that emerged during the development process. I am going to refer to some strengths of Neo4j that facilitated and accelerated the development process. Those strengths made me embrace Neo4j. At the end, I will use Epimetheus in order to import various samples of events. Then I will execute some queries based on MITRE ATT&CK signatures to get useful results. Last but not least, the talk includes updates to my tools that are in the pipeline.

Previously I brought up a tool called Epimetheus. So what is Epimetheus? Epimetheus is a Python 3 XML parser and Neo4j importer. Behind the scenes, Epimetheus parses the exported XML of Windows and Sysmon events and imports all the properties of an event into Neo4j. In addition, it connects portions of an event in order to create the relationships. Below you can see what a Cypher query looks like, and specifically this is a relationship between the events. The fundamental idea of Epimetheus is not to substitute the implemented solutions. At this stage of development, you could leverage its capabilities in order to accelerate your insight into Windows and Sysmon events. For people who are new to the MITRE framework, the graphical representation of attacks could be very useful. The insight is a trait of purpose. The better knowledge of Windows security events we have, the deeper inspection we are able to perform. The benefits depend on the team's needs and the results it wants to achieve. I couldn't omit the obstacles that emerged during the development process, from code that did not function to the point of recreating the Neo4j queries. The problematic part of my code was the clumsy Python loops. I used many loops in places where I had to use only Neo4j queries. Lesson learned. Through this process I have discovered what makes Neo4j great.

Four of the main capabilities that worked out in my case were the easy representation of data, the fast execution, the Cypher query language and the lack of complexity among nodes. Previously I pointed out the fast execution. Performance is a very important trait when we are talking about an importer, and it was the main reason that I redid every piece of my code over and over. Finally, I managed to add 13,000 events and 26,000 relationships in 2 minutes using the capacity of a moderate laptop and Epimetheus.

On the following slides I will focus on more practical examples that will give us a better insight into the benefits of Epimetheus in conjunction with Neo4j. Here we can see the correct syntax that needs to be provided to Epimetheus in order to import Windows events. In case we want to import Sysmon events, then we must provide the s flag, otherwise we will get false results. If we want to delete all the data from Neo4j, then we should provide the d flag. When our events get into the database, 4 nodes and 3 relationship types will be created. This slide will help you if you want to understand the relationship between nodes and relationship types, as well as how to create custom queries. The same sample of events was used on this slide and on the subsequent one. However, on this slide, Windows Event Viewer was utilized in order to preview it. Here we can see how the same sample of events looks in Neo4j, and I think that the differences are really obvious. On this one, we can also observe the relationships between the events, which is very important.

To accelerate the demonstration, I downloaded 15 Windows and Sysmon samples based on MITRE ATT&CK and I imported them automatically using a PowerShell script which triggers Epimetheus. Here is a small demonstration. Epimetheus will do the work for us. Under the hood, Epimetheus will merge the same nodes. For example, it would not create duplicate users or duplicate source hosts. Duplicate users are the targeted users that have the same source address or host. In this case, Epimetheus will merge the events under the existing targeted user. It is time to leverage the Cypher query language in order to unveil attacks that have occurred, or to understand what traces the tools leave behind and learn how to detect them.

Since our data has been imported, it is time to ask our database and get useful information in graphical and text representation. I was always curious to understand what is happening when I dump the credentials from the LSASS process. The first query will give us a graphical representation of Sysmon event 10, process access. We were able to retrieve three events, which were created under the user context S-1-5-18. We know that this SID belongs to the NT SYSTEM account. I will use another query in order to read the values held by some of the event properties. It is clear that the LSASS process was accessed by three different tools: ProcDump, Taskmgr.exe and Mimikatz.exe.

Let's move to our next query, which has to do with PowerShell script logging. Someone disabled this functionality by editing the registry key "EnableScriptBlockLogging", and I will utilize two queries to unveil the attack. From the source host IEWIN7, the user NT SYSTEM modified the registry key "EnableScriptBlockLogging". As a result, two Sysmon events, event 12 and event 13, that have to do with registry modifications, were merged. Let's see some useful information that the events hold.

Another interesting attack is PPID spoofing. Before moving further, I would like to highlight the theory of this attack. PPID spoofing can be used by adversaries to evade defenses, and sometimes it can be executed to launch a privilege escalation attack. The adversary will modify the parent PID of a process to point towards a different process in order to avoid detection. Let's try to uncover this attack. To uncover the PPID spoofing, I had to use the event node two times and subsequently connect them with an equation of the target process ID of event 10 and the process ID of event 1. As a result, I was able to connect parent and child processes. The child process, powershell.exe, was executed under the NT SYSTEM user context and has a parent process called cmd.exe that is running under IEUser, and that is our alert.

Some other interesting events are the events that occur after leveraging the pass-the-hash authentication method. When this type of logon happens, one chain of two events occurs. We are going to examine the case where someone has a valid NTLM hash and is able to execute Mimikatz in order to move laterally on the network. Let's see how Epimetheus has connected those events and what information we are able to retrieve. The chain of events includes two events, which are event 4624, Successful Logon, and 4672, Special Privileges Assigned to New Logon. For pass-the-hash, the seclogo logon process will be the first thing that we put into our query. Additionally, the logon type should be equal to 9. After executing the query against the 210 relationships and 139 events, only one chain was displayed, which included 5 relationships and 2 events. Let's visualize it.

The following query is going to retrieve the values from the events' properties, and they have been added into the query after the RETURN. You can see the table with the results and the assigned new privileges, which are part of the 4672 event. In order to create a chain between the events, I also included in the query the target logon ID of event 4624 and the subject logon ID of event 4672, which had the same value.

Let's boil down what we showed so far during the demonstration. Firstly, we were able to import multiple samples of events using Epimetheus. Epimetheus parsed the XML files and created the appropriate nodes with their relationships. Later, we utilized custom queries that could leverage the connected events in order to unveil some attacks based on the MITRE framework. Upcoming extensions have been scheduled, and lately I'm working on a C# agent which is going to collect the Windows and Sysmon events dynamically. The queries that we discussed today will be added to my GitHub repository in case you want to test them. My main goal is to construct a chain of multiple events that will show us the attack path. Please feel free to download Epimetheus from my GitHub repository and read my posts on Medium about Epimetheus. Below you will find many event samples that were a resource for me. Some of them have been used for my demonstration.

I would like to thank you for supporting and attending the BSides Athens conference. I would also like to thank the facilitators and the speakers of BSides Athens. Although virtual this year because of the COVID outbreak, the time and the effort needed were big enough. Stay safe, stay healthy, see you next year. If you have any questions, I would be glad to answer them. Thank you very much.
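The following Python script is an added example and is not the Epimetheus code from the talk. It sketches the pipeline the speaker describes: it parses a constructed Windows Security event XML export (the same format Event Viewer produces), emits Cypher MERGE/CREATE statements for an assumed graph schema (Host, User and Event nodes joined by LOGGED and TARGET_USER relationships, which is my simplification and not necessarily the four nodes and three relationship types of the real tool), and runs the pass-the-hash chain check from the demo (a 4624 with logon type 9 and logon process seclogo joined to the 4672 that shares its logon ID) in plain Python so it works without a Neo4j instance. The PTH_QUERY constant is the equivalent Cypher for a database populated by to_cypher(); the event samples, host name and logon IDs are constructed.

```python
# Added example, not the Epimetheus project's code: parse exported Windows
# Security events, emit Cypher for an assumed graph schema, and run the
# pass-the-hash chain check (4624 logon type 9 + seclogo -> 4672) in Python.
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: a pass-the-hash style chain (logon ID 0x3e7a1) and an
# ordinary interactive logon chain (0x1a2b3) that the check must ignore.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event>
 <System><EventID>4624</EventID><Computer>IEWIN7</Computer><TimeCreated SystemTime="2020-05-01T10:00:00Z"/></System>
 <EventData><Data Name="SubjectUserName">IEUser</Data><Data Name="TargetUserName">IEUser</Data>
  <Data Name="TargetLogonId">0x3e7a1</Data><Data Name="LogonType">9</Data>
  <Data Name="LogonProcessName">seclogo</Data><Data Name="IpAddress">::1</Data></EventData>
</Event>
<Event>
 <System><EventID>4672</EventID><Computer>IEWIN7</Computer><TimeCreated SystemTime="2020-05-01T10:00:01Z"/></System>
 <EventData><Data Name="SubjectUserName">IEUser</Data><Data Name="SubjectLogonId">0x3e7a1</Data>
  <Data Name="PrivilegeList">SeDebugPrivilege</Data></EventData>
</Event>
<Event>
 <System><EventID>4624</EventID><Computer>IEWIN7</Computer><TimeCreated SystemTime="2020-05-01T09:00:00Z"/></System>
 <EventData><Data Name="SubjectUserName">-</Data><Data Name="TargetUserName">IEUser</Data>
  <Data Name="TargetLogonId">0x1a2b3</Data><Data Name="LogonType">2</Data>
  <Data Name="LogonProcessName">User32</Data><Data Name="IpAddress">127.0.0.1</Data></EventData>
</Event>
<Event>
 <System><EventID>4672</EventID><Computer>IEWIN7</Computer><TimeCreated SystemTime="2020-05-01T09:00:01Z"/></System>
 <EventData><Data Name="SubjectUserName">IEUser</Data><Data Name="SubjectLogonId">0x1a2b3</Data>
  <Data Name="PrivilegeList">SeBackupPrivilege</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict: System fields plus every EventData/Data value."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        rec = {
            "EventID": int(system.findtext(NS + "EventID")),
            "Computer": system.findtext(NS + "Computer"),
            "TimeCreated": system.find(NS + "TimeCreated").get("SystemTime"),
        }
        for data in ev.iterfind(NS + "EventData/" + NS + "Data"):
            rec[data.get("Name")] = (data.text or "").strip()
        events.append(rec)
    return events


def cypher_literal(value):
    """Quote a property value for Cypher: integers stay bare, strings are escaped."""
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def to_cypher(rec):
    """Assumed schema (a simplification, not necessarily the tool's own):
    (:Host)-[:LOGGED]->(:Event)-[:TARGET_USER]->(:User). MERGE on Host and
    User reuses an existing host or user instead of duplicating it; every
    event is CREATEd as its own node."""
    user = rec.get("TargetUserName") or rec.get("SubjectUserName") or "unknown"
    props = ", ".join(f"{k}: {cypher_literal(v)}" for k, v in rec.items())
    return (
        f"MERGE (h:Host {{name: {cypher_literal(rec['Computer'])}}}) "
        f"MERGE (u:User {{name: {cypher_literal(user)}}}) "
        f"CREATE (e:Event {{{props}}}) "
        "MERGE (h)-[:LOGGED]->(e) MERGE (e)-[:TARGET_USER]->(u);"
    )


# Cypher form of the same chain check, for a database populated by to_cypher().
PTH_QUERY = """
MATCH (a:Event {EventID: 4624, LogonType: '9', LogonProcessName: 'seclogo'})
MATCH (b:Event {EventID: 4672})
WHERE a.TargetLogonId = b.SubjectLogonId
RETURN a.Computer, a.TargetUserName, a.TargetLogonId, b.PrivilegeList
"""


def find_pth_chains(events):
    """Join each 4624 (LogonType 9, logon process seclogo) to the 4672 sharing its logon ID."""
    special = {e["SubjectLogonId"]: e for e in events if e["EventID"] == 4672}
    chains = []
    for e in events:
        if (e["EventID"] == 4624 and e.get("LogonType") == "9"
                and e.get("LogonProcessName", "").lower() == "seclogo"):
            match = special.get(e.get("TargetLogonId"))
            if match:
                chains.append((e["Computer"], e["TargetUserName"],
                               e["TargetLogonId"], match.get("PrivilegeList", "")))
    return chains


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for stmt in map(to_cypher, evs):
        print(stmt)
    print("pass-the-hash chains:", find_pth_chains(evs))
```

Running the script prints one Cypher statement per event and a single chain for logon ID 0x3e7a1; the interactive logon with the same user and host is left out because its logon type and logon process do not match, which is exactly the filter the speaker puts into his query before joining on the logon IDs.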