Getting DNS Client Cached Entries with CIM/WMI

February 03, 2020 by Carlos Perez in PowerShell, Red Team, Blue Team, Hunting

What is DNS Cache

The DNS cache maintains a database of recent DNS resolution in memory. This allows for faster resolution of hosts that have been queried in the recent past. To keep this cache fresh and reduce the chance of stale records the time of items in the cache is of 1 day on Windows clients.

The DNS Client service in Windows is the one that manages the cache on a system, This time Window can be modified via the registry in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters where the MaxCacheTtl property controls the time in the cache in seconds and the MaxNegativeCacheTtl property controls the time a failed response is cached.

Why is it Important

For an attacker, it means primarily situational awareness. It allows him to know what other systems this host has accessed and the IP address of the host. This may allow identifying security platforms by the FQDNs used as well as business process systems, both internal or in the cloud. On an important note for the attacker is that if his implant/agent on the system does not include its own resolution capability it has an IOC present on the system that can be used to track its command and control infrastructure.

For a defender, the ability to know what hosts a system may have connected to in the last 24 hours. This will permit a defender to query across his environment for hosts that are communicating or have communicated with a specific host if DNS resolution was part of the process and if the attacker is not using its own resolution method. If the attacker is “Living off the Land” and using OS tools it will still leave the femoral trace on the system until the cached entry TTL (Time to Live) expires.

MSFT_DNSClientCache class

In Windows 8/2012 Microsoft added the MSFT_DNSClientCache class into the CIM object database in Windows. The class is under the new namespace that was also added to Root\StandardCimv2 and the resources are provided as part of the DnsClientCim.dll. This allows us to query for instances of the class and get all entries for the DNS Cache database.

Some Comments and Thoughts on Tradecraft

November 20, 2017 by Carlos Perez in Red Team, Blue Team, Hunting

I have been writing a series on the new Windows Defender Exploit Guard features on Attack Surface Reduction where I cover my research on it. I'm researching the controls to add the information in to my personal playbook. Surprisingly in conversations with some Red Teamers I know they dismissed the information as it is a Blue/Defense technology. These comments surprised me and I would like to share why it surprised me.

Let me start by saying that this is only an opinion. The steps and tradecraft for me would vary on level of skill of the defenders, scope, time and rule of engagements. This is blog post is only for me to share my though process and opinions on this area.

When it comes to attack and defense, red and blue, attack simulation. However, you want to call it in its essence it is an adversarial process, it is one team or person against another. Sometimes it can be a attacker against a defender or it can even be the attacker against a vendor research team that adds new features or modifies existing one. But it is one person trying to outwit another. So, if you are an attacker why are you not studying about defenses and mitigations?

What is the purpose of a red team or pentester? For me it is to show alternate ways of thinking and exercise the current controls in place to show areas of improvement to mitigate risks. To be able to do this knowledge on how systems works, how different lack of controls or misconfigured ones can have a negative impact for a given customer environment is of the upmost importance.

When it comes to the tradecraft one applies it will depend on the red team exercise you are conducting. If you are performing a simulation of a specific threat with blue your TTPs will be dictated by the threat intelligence you have on the adversary you are simulating to test the controls.

Knowledge of one’s tools, the opponent, his tools and how each implements them and uses them determines the actions. As Sun Tzu said:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Sysinternals Sysmon 6.10 Tracking of Permanent WMI Events

October 18, 2017 by Carlos Perez in PowerShell, Blue Team, Hunting, Red Team

In my previous blog post I covered how Microsoft has enhanced WMI logging in the latest versions of their client and server operating systems. WMI Permanent event logging was also added in version 6.10 specific events for logging permanent event actions. The new events are:

Event ID 19: WmiEvent (WmiEventFilter activity detected). When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.
Event ID 20: WmiEvent (WmiEventConsumer activity detected). This event logs the registration of WMI consumers, recording the consumer name, log, and destination.
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected). When a consumer binds to a filter, this event logs the consumer name and filter path

In version 6.10 it tracks the creation and deletion of __EventFilter Class, Any Consumer Type Class and __FilterToConsumerBinding Class.