Logs, Logs, Logs - What you need to know to catch a thief
Uploaded by michael-gough (Category: Technology)
Logs, Logs, Logs: What you need to know to catch a thief
Jason Freddy
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Logoholic, Malware Archaeologist
• I love logs – they tell us Who, What, Where, When and hopefully How
• Author of the “Windows Logging Cheat Sheet”
• @HackerHurricane also my Blog
• Inventor of the Malware Management Framework
Why are logs important?
• Have you ever had an Incident and called a consultancy?
• What is one of the first, if not the first thing they do?
• It is referenced in every Verizon DBIR (Data Breach Investigations Report)
• LOGS!
• Details of what happened, where, how and by whom
Yes, Logs ARE SEXY!
• SEXY - because logs tell you what a particular malware did or the malwarian (aka Bad Actor) did on your system(s)
• SEXY – Because they are the one way that you can get the details you need to know what happened
• SEXY – Because this preso is going to show you how for Windows systems
• SEXY – Because if Target, Neiman Marcus, Michael’s, Home Depot… did this… I wouldn’t have a presentation
• NOT SEXY – Because most logs are not enabled or configured properly
• And because….
Malware and Logs
• I love malware and malware discovery
• But once I find an infected system, what happened before I found it?
• Was there more than one system involved?
• What did the Malwarian do?
• What behavior did the system or systems have after the initial infection?
• Logs are the perfect partner to malware! If you do it right you could have detected all this…
You're Next
[Slide: collage of breach headlines and record counts (e.g. 40 Million, 70 Million, 56 Mil, 145 Million, $148 Mil, 1900 locations) and victim names including Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP]
So why listen to me?
• I have been there
• In the worst way
• Found the malware quickly
• Discovered it 10 months before the Kaspersky report
• We needed to know more… Who, What, Where, When and How
• Found logs were not fully enabled or configured and couldn't get the data we needed
• Once the Logs were enabled and configured, we saw all kinds of cool stuff, showed the How that we ALL NEED
• After CryptoLocker I created the definitive guide:
– "The Windows Logging Cheat Sheet"
Get this document!
• www.MalwareArchaeology.com\logs
So what can you do with logs?
You could catch CryptoWall
You can catch Malwarians
So what can we do with logs?
• More than you would have ever guessed
• Not only detect Target, Neiman Marcus, Michael’s, Home Depot, Anthem, etc…
• But also government sponsored malware like Casper, Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.
• Yes, even the really bad stuff, well good stuff to me ;-)
• IF… you know what to look for
• And why this talk… so you can learn WHAT to look for
Auditing
Audit the Registry
• Run keys – HKLM and HKCU
• Services – some keys are noisy; disable auditing on those
• Use Malware Management to guide you to the keys worth watching
• Keep the keys that are not noisy. You will know which ones are noisy once you enable auditing and see tons of 4663 events
• Tune them to be quiet…
• Which means… remove the normal
Audit Key Directories
• C:\Perflogs
• C:\Users\xyx\AppData\Local
• C:\Users\xyx\AppData\LocalLow
• C:\Users\xyx\AppData\Roaming
• C:\Program Files
• C:\Program Files (x86)
• C:\ProgramData
• C:\Windows
• C:\Windows\System
• C:\Windows\System32
• C:\Windows\System32\wbem
• Every other Windows sub-dir that is small
Enable File Creation Auditing
• There are key locations that everyone should… MUST watch
• C:\Windows
• C:\Windows\System32
• ..\System32\WBEM
• Any dir with .EXE
• Just CREATED FILES – audit file creation only, not reads; read auditing on C:\Windows floods the log
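Putting the two auditing slides above into practice: the following PowerShell is an added example, not code from the deck or from MalwareArchaeology. It writes "create file" audit entries (SACLs) onto the watched directories, "write value / create subkey" audit entries onto the Run keys, enables the Object Access subcategories that actually emit 4663/4657, and then drops a probe file to confirm a 4663 appears. The directory and key lists, function names and probe file are this example's own starting point; trim or extend them for your fleet, and run it from an elevated prompt.

```powershell
# Added example (not from the original deck): file-creation and registry-write
# auditing for the locations the deck lists, plus a quick end-to-end check.
# Run elevated. A domain GPO can override the local auditpol settings below.

$Dirs = @('C:\PerfLogs', 'C:\ProgramData', 'C:\Windows\System32\wbem')
# Every user's AppData (the deck's "xyx" placeholder), not just the current user.
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    $Dirs += Join-Path -Path $userDir.FullName -ChildPath 'AppData\Local'
    $Dirs += Join-Path -Path $userDir.FullName -ChildPath 'AppData\Roaming'
}
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    # HKLM:\SYSTEM\CurrentControlSet\Services is noisy; add it only after tuning
)

function Add-FileCreateAudit {
    # Audit successful "create files / write data" on the directory and everything
    # below it. Reads are deliberately NOT audited: that is what floods the log.
    param([Parameter(Mandatory)][string] $Path)
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', 'CreateFiles', 'ContainerInherit,ObjectInherit', 'None', 'Success'
    $acl = Get-Acl -Path $Path -Audit      # -Audit fetches the SACL (needs SeSecurityPrivilege)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Add-RegistryWriteAudit {
    # Audit value writes and subkey creation, which is what persistence has to do.
    param([Parameter(Mandatory)][string] $Path)
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
        -ArgumentList 'Everyone', 'SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Success'
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($d in $Dirs) { if (Test-Path -Path $d) { Add-FileCreateAudit -Path $d } }
foreach ($k in $Keys) { if (Test-Path -Path $k) { Add-RegistryWriteAudit -Path $k } }

# SACLs are inert until the matching Object Access subcategories are enabled.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:disable
auditpol.exe /set /subcategory:"Registry"    /success:enable /failure:disable

# Prove it: create a file in a watched directory and read back the 4663 for it.
$Probe = Join-Path -Path 'C:\PerfLogs' -ChildPath "audit-probe-$(Get-Random).txt"
Set-Content -Path $Probe -Value 'probe'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($Probe) } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }
Remove-Item -Path $Probe
```

If the probe produces no 4663, check `auditpol.exe /get /category:"Object Access"` first; a GPO that sets the legacy "Audit object access" policy, or a "force subcategory settings" mismatch, is the usual reason a correct SACL stays silent. Expect the Services key and any software that writes to its own Run value on every start to be the first things you tune out.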
Audit Key Directories
File Auditing – New Files - 4663
New File detected
• New Files Created
• Bladelogic.exe
• Event ID:
– 4663
CC Data file created
• New Files Created
• Bladelogic.exe
• Event ID:
– 4663
Odd account used
• Logon – Odd user?
– Best1_user
• Event ID:
– 4624
The DETAILS
CMD.Exe executed
• New Process - Command Shell – YAY
• Event ID:
– 4688
CMD.Exe executed
• Knowing something suspicious executed is great
• BUT
• Knowing what was executed on the Command Line is VITAL to catching the thieves!!!
• VITAL !!!! #1 Goal for you in 2015
Get the Command Line!
• It’s nice to know cmd.exe executed, but we REALLY want to see what was executed. It would be better if we could see what was executed with svchost.exe!
• Again, Windows SUCKS by default, even Windows 8.1 and 2012 R2
– I do think this is the K3wlest NEW logging feature – worth the upgrade!
• Now available for Win 7 / Server 2008 R2 and later – needs patch KB3004375 (built in on 8.1 / 2012 R2)
• Set GPO – needs the Windows 8.1 / 2012 R2 ADMX templates (a 2012 R2 DC or an updated central store)
– Administrative Templates\System\Audit Process Creation
– "Include command line in process creation events"
– http://technet.microsoft.com/en-us/library/dn535776.aspx
• Registry Key
– HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\
– ProcessCreationIncludeCmdLine_Enabled DWORD = 1
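The local-policy equivalent of the GPO and registry settings above, as an added PowerShell example (not code from the deck): it enables the Process Creation subcategory (without it there are no 4688 events at all, whatever the registry value says), sets the `ProcessCreationIncludeCmdLine_Enabled` value, then launches a marked command and reads the resulting 4688 back to prove the command line is being captured. The marker string and the helper function name are this example's own. Run it elevated; on a domain-joined host a GPO will overwrite these local values at the next refresh, so set the GPO as well.

```powershell
# Added example (not from the original deck): enable 4688 with command-line
# capture locally and verify it end to end.

# 1. Process Creation must be audited or nothing is written at all.
#    Locale-independent form: /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}"
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:disable

# 2. The registry value behind "Include command line in process creation events".
#    Windows 7 / Server 2008 R2 need KB3004375 before this value does anything.
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path -Path $AuditKey)) { New-Item -Path $AuditKey -Force | Out-Null }
Set-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Read both settings back.
auditpol.exe /get /subcategory:"Process Creation"
(Get-ItemProperty -Path $AuditKey).ProcessCreationIncludeCmdLine_Enabled   # 1 once step 2 applied

function Get-ProcessCreateCommandLine {
    # Flatten the EventData of the newest 4688s into objects. CommandLine stays
    # empty until the registry value above is in force.
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['SubjectUserName']
                NewProcess  = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        }
}

# 4. Generate a 4688 with a recognisable argument and find it by command line.
$Marker = "logging-probe-$(Get-Random)"
Start-Process -FilePath cmd.exe -ArgumentList "/c echo $Marker" -WindowStyle Hidden -Wait
Get-ProcessCreateCommandLine | Where-Object { $_.CommandLine -match $Marker } | Format-List
```

If the last line prints nothing, step 2 has not taken effect: check for a GPO overriding the value and, on Windows 7 / 2008 R2, that KB3004375 is installed. Note that `ToXml()` parsing is what you want for alerting; matching on `$_.Message` text is locale-dependent.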
Command Line GOLD
Catch them trying to share
Not just CMD.EXE but the hack details
Not just CMD.EXE but the hack details
Another example
So what did we learn from these?
• You MUST enable Command Line logging
• Monitor commands:
– Cmd.exe – Command shell
– Netstat.exe – Network connections
– Cscript – Executes VBScript/JScript
– Pushd – Sets directory for Popd
– Popd – Changes directory back
– WMIC – Executes WMI commands
– Quser.exe – Queries the current user
– Reg.exe – Query and edit the registry
– SC.exe – Create, start and stop services
– Regini.exe – Add/edit registry values
– Attrib.exe – Change file attributes
– Cacls.exe – Change file permissions
– Xcacls.exe – Change file permissions
– Takeown.exe – Take ownership of a file
– Auditpol.exe – Sets auditing settings (GPO too)
– Netsh – Windows Firewall and network configuration
Translate this into Event Codes
• Process Create – 4688
– Of course enable CMD Line logging
• File/Registry Auditing – 4663
• Service Created – 7045 (System log; 4697 is the Security-log equivalent when Security System Extension auditing is on)
• Service Changed – 7040 (System log)
• User Login Success – 4624
• Share accessed – 5140
The SEXY SIX
The Manual way - 4688
• Look for Executables in \Users\AppData
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "\AppData\" | find /i "New Process Name"
Gives you this:
New Process Name: C:\Users\<username>\AppData\Local\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mvideoconference.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mui.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mlauncher.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mcomm.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mstart.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\G2MInstaller.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\G2MInstaller.exe
Filter out Citrix…
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "\AppData\" | find /i "New Process Name" | find /i /v "\Citrix\GoTo"
Gives you…
New Process Name: C:\Users\<username>\AppData\Local\malware.exe
The Manual way - 4688 – Last 1000 records
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "New Process Name" | find /i "\AppData\"
New Process Name: C:\Users\<username>\AppData\Local\Temp\badstuff\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\badstuff\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\malware_users_Temp.exe
New Process Name: C:\Users\<username>\AppData\Local\NVIDIA\NvBackend\Packages\00007063\CoProc update.19333411.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\update\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Local\Apps\2.0\R9P169LK.0LA\EA80CTLH.BZ3\dell..tion_0f612f649c4a10af_0005.000b_17ede8fa7a4e5cac\DellSystemDetect.exe
New Process Name: C:\Users\<username>\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\i4jdel0.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\e4j9473.tmp_dir1424306522\jre\bin\unpack200.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\e4j9473.tmp_dir1424306522\jre\bin\unpack200.exe
The Manual way - 4688 – Last 1000 records, command lines only
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "Command" | find /i ".exe" | find /i /v "\windows\" | find /i /v "Program files" | find /i /v "taskeng.exe" | find /i /v "taskhost.exe" | find /i /v "logonUI.exe" | find /i /v "consent.exe" | find /i /v "programdata" | find /i /v "nvidia\nvbackend\packages\" | find /i /v "\dropbox\" | find /i /v "/i"
Gives you…
Process Command Line: malware.exe
Process Command Line: malware.exe 25.233.45.123
Process Command Line: malware_users_Temp.exe /u:hacker /p:yurfracked
Process Command Line: wmiadap.exe /F /T /R
Process Command Line: rundll32.exe NVCPL.DLL,NvStartupRunOnFirstSessionUserAccount
Process Command Line: "C:\Users\MG\AppData\Local\Apps\2.0\R9P169LK.0LA\EA80CTLH.BZ3\dell..tion_0f612f649c4a10af_0005.000b_17ede8fa7a4e5cac\DellSystemDetect.exe"
Process Command Line: atbroker.exe
Process Command Line: C:\PROGRA~1\SUMOLO~1\wrapper.exe -s C:\PROGRA~1\SUMOLO~1\config\wrapper.conf
Process Command Line: winlogon.exe
Process Command Line: "C:\Users\MG\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe"
What looks bad?
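The same AppData hunt as the wevtutil pipelines above, written as an added PowerShell example (not code from the deck) so the allow-list is a maintainable list instead of a chain of `find /v`. It separates the collector (newest 4688s from the live Security log, EventData flattened) from the filter (image path under `\AppData\`, minus allow-listed prefixes), and runs the filter over a handful of constructed sample records that mirror the output shown above, so the logic can be exercised offline. The allow-list entries, sample records and function names are this example's own assumptions.

```powershell
# Added example (not from the original deck): hunt 4688 for executables launched
# from user-writable AppData paths, minus a tuned allow-list of known software.

$KnownGoodAppData = @(
    '\AppData\Local\Citrix\GoToMeeting\',
    '\AppData\Roaming\Dropbox\bin\',
    '\AppData\Local\NVIDIA\NvBackend\Packages\',
    '\AppData\Local\Apple\Apple Software Update\'
)

function Find-AppDataProcess {
    # Returns the records whose image lives under \AppData\ and matches no allow-list prefix.
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time/User/NewProcessName/CommandLine
        [string[]] $Allow = $KnownGoodAppData
    )
    foreach ($e in $Events) {
        if ($e.NewProcessName -notmatch '\\AppData\\') { continue }
        $isKnown = $false
        foreach ($prefix in $Allow) {
            if ($e.NewProcessName -like "*$prefix*") { $isKnown = $true; break }   # -like is case-insensitive
        }
        if (-not $isKnown) { $e }
    }
}

function Get-ProcessCreateEvent {
    # Live collector: the newest $MaxEvents 4688s, EventData fields flattened into an object.
    param([int] $MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $data['SubjectUserName']
                NewProcessName = $data['NewProcessName']
                CommandLine    = $data['CommandLine']
            }
        }
}

# Constructed sample records (not real log data) so the filter runs offline.
$Sample = @(
    [pscustomobject]@{ Time = '09:01'; User = 'MG'; NewProcessName = 'C:\Users\MG\AppData\Local\Citrix\GoToMeeting\2185\g2mui.exe'; CommandLine = 'g2mui.exe' }
    [pscustomobject]@{ Time = '09:02'; User = 'MG'; NewProcessName = 'C:\Users\MG\AppData\Roaming\Dropbox\bin\Dropbox.exe';        CommandLine = 'Dropbox.exe' }
    [pscustomobject]@{ Time = '09:03'; User = 'MG'; NewProcessName = 'C:\Users\MG\AppData\Local\Temp\malware_users_Temp.exe';       CommandLine = 'malware_users_Temp.exe /u:hacker /p:yurfracked' }
    [pscustomobject]@{ Time = '09:04'; User = 'MG'; NewProcessName = 'C:\Windows\System32\cmd.exe';                                 CommandLine = 'cmd.exe /c whoami' }
)

Find-AppDataProcess -Events $Sample | Format-Table -AutoSize
# Against the live log:
# Find-AppDataProcess -Events (Get-ProcessCreateEvent) | Format-Table -AutoSize
```

On the sample set only the `\Temp\malware_users_Temp.exe` row comes back: the Citrix and Dropbox rows are allow-listed and cmd.exe is not under AppData. One caveat when this goes into production: a path-prefix allow-list is trivially bypassed by dropping a binary into `...\AppData\Local\Citrix\GoToMeeting\`, so treat it as a noise filter, not a trust decision, and pair it with a signer or hash check on the image before you stop looking at those rows.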
Catch Dave’s SET
& MetaSploit too
Enable Powershell command line
• It's nice to know Powershell executed, but we REALLY want to see what was executed
• Again, Windows SUCKS by default, Powershell included
• Details on setting PowerShell preference variables
– http://technet.microsoft.com/en-us/library/hh847796.aspx
• Set Execution Policy to allow .PS1 files to execute so the default profile runs
– powershell Set-ExecutionPolicy RemoteSigned
• Create a default profile for all users:
– C:\Windows\System32\WindowsPowershell\v1.0
– Profile.ps1
• Add these to your default profile.ps1 file
– $LogCommandHealthEvent = $true
– $LogCommandLifecycleEvent = $true
• Splunk – inputs.conf
– # Windows platform specific input processor
– [WinEventLog://Windows PowerShell]
– disabled = 0
• Upgrade to ver 3 or ver 4
• Investigating PowerShell Attacks (DefCon & Blackhat 2014)
– Ryan Kazanciyan, Technical Director, Mandiant
– Matt Hastings, Consultant, Mandiant
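The profile setup above, done end to end as an added PowerShell example (not code from the deck): it writes the all-users `profile.ps1` with the two preference variables, allows local scripts so the profile actually loads, then starts a fresh PowerShell, runs a command and reads the resulting start/stop events (IDs 500 and 501) back out of the classic "Windows PowerShell" log, which is the log the Splunk stanza above collects. The helper function name is this example's own. Run it elevated.

```powershell
# Added example (not from the original deck): install the all-users profile that
# turns on command lifecycle logging, then read the 500/501 events it produces.

# $PSHOME is ...\System32\WindowsPowerShell\v1.0 in a 64-bit session and
# ...\SysWOW64\WindowsPowerShell\v1.0 in a 32-bit one; 32-bit powershell.exe reads
# the SysWOW64 profile, so write both on x64 hosts or that host goes unlogged.
$ProfilePaths = @("$env:SystemRoot\System32\WindowsPowerShell\v1.0\profile.ps1")
if ([Environment]::Is64BitOperatingSystem) {
    $ProfilePaths += "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\profile.ps1"
}
$ProfileBody = @'
# AllUsersAllHosts profile: log engine health (errors) and command start/stop events
$LogCommandHealthEvent    = $true
$LogCommandLifecycleEvent = $true
'@
foreach ($p in $ProfilePaths) { Set-Content -Path $p -Value $ProfileBody -Encoding ASCII }

# The profile is a .ps1; under the default Restricted policy it is silently skipped.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

function Get-PowerShellCommandEvent {
    # 500 = "Command ... is Started", 501 = "Command ... is Stopped". Both carry a
    # "CommandLine=" field inside the free-form message; pull it out.
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 500, 501 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $line = $_.Message -split '\r?\n' | Where-Object { $_ -match '^\s*CommandLine=' } | Select-Object -First 1
            $cmd  = if ($line) { ($line -replace '^\s*CommandLine=', '').Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Command = $cmd }
        }
}

# A new process is needed so the profile loads; run something and look for it.
powershell.exe -Command "Get-Process -Name lsass | Out-Null"
Get-PowerShellCommandEvent | Where-Object { $_.Command -match 'Get-Process' } | Format-Table -AutoSize
```

These are engine preference variables, so they only apply to sessions that actually ran the profile: `powershell.exe -NoProfile` never sets them and writes no 500/501 at all. That is exactly the bypass the next slide is about, and why the 4688 command line (which records the `-NoProfile` or `-ExecutionPolicy Bypass` argument itself) is the control that cannot be skipped from inside PowerShell.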
Enable Powershell command line
• And if a bypass is used (e.g. powershell.exe -NoProfile or -ExecutionPolicy Bypass, which skips the profile above)?
• EventCode 4688 with command line to the rescue!
• This is a MUST to alert on. If this occurs, you are being hacked!
Log everything!
• If it is Internet facing… LOG IT!
• Hack yourself or use Pen Tests to improve your logs – catch them in the act!
– Purple Testing
• You should catch SQL Injection
– Failed Reads, Failed Writes
• Bruting of Apps – get the logs to see this behavior; #1 Software Development task
• Enable Auditing for NEW Files on Internet servers, you will be amazed how quiet this is
In Summary
• Malware is noisy
• We CAN detect it
• Logs can hold all types of information
– It's NOT just for Forensics anymore
• All we have to do is:
– Enable the Logs
– Configure the Logs
– Gather the Logs
– Harvest the Logs
• Look for the 6 SEXY Events
• And use the "Windows Logging Cheat Sheet"
Resources
• Our Website
– MalwareArchaeology.com
• The Handout – Windows Logging Cheat Sheet
– www.MalwareArchaeology/logs
Questions?
• You can find me at:
• @HackerHurricane
• Yes – We do consulting ;-)