Logs, Logs, Logs - What you need to know to catch a thief


Transcript of Logs, Logs, Logs - What you need to know to catch a thief

Page 1: Logs, Logs, Logs - What you need to know to catch a thief

Logs, Logs, Logs - What you need to know to catch a thief

Jason Freddy

MalwareArchaeology.com

Page 2: Logs, Logs, Logs - What you need to know to catch a thief

Who am I

• Blue Team Defender Ninja, Logoholic, Malware Archaeologist

• I love logs – they tell us Who, What, Where, When and hopefully How

• Author of the “Windows Logging Cheat Sheet”

• @HackerHurricane also my Blog

• Inventor of the Malware Management Framework

Page 3: Logs, Logs, Logs - What you need to know to catch a thief

Why are logs important?

• Have you ever had an Incident and called a consultancy?

• What is one of the first, if not the first thing they do?

• It is referenced in every DBIR report

• LOGS!

• Details of what happened, where, how and by whom

Page 4: Logs, Logs, Logs - What you need to know to catch a thief

Yes, Logs ARE SEXY!

• SEXY - because logs tell you what a particular malware did or the malwarian (aka Bad Actor) did on your system(s)

• SEXY – Because they are the one way that you can get the details you need to know what happened

• SEXY – Because this preso is going to show you how for Windows systems

• SEXY – Because if Target, Neiman Marcus, Michael’s, Home Depot… did this… I wouldn’t have a presentation

• NOT SEXY – Because most logs are not enabled or configured properly

• And because….

Page 5: Logs, Logs, Logs - What you need to know to catch a thief

Malware and Logs

• I love malware and malware discovery

• But once I find an infected system, what happened before I found it?

• Was there more than one system involved?

• What did the Malwarian do?

• What behavior did the system or systems have after the initial infection?

• Logs are the perfect partner to malware! If you do it right you could have detected all this…

Page 6: Logs, Logs, Logs - What you need to know to catch a thief

You’re Next

[Slide graphic: a collage of breach headlines and figures. Recoverable numbers: 97,000; 76 Mil + 8 Mil; 1000+ Businesses; 395 Stores; 4.5 Million; 25,000; 4.9 Million; 4.03 Million; 105k trans; 40 Million; 40+70 Million; $148 Mil; 33 locations; 650k - 2010??????; 76,000; 670,000; 1900 locations; 145 Million; 20,000; 3 Million; 35,000; 60,000 alerts; 990,000; 56 Mil; 550,000; TBD; ??????. Named organisations: Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP.]

Page 7: Logs, Logs, Logs - What you need to know to catch a thief

So why listen to me?

• I have been there

• In the worst way

• Found the malware quickly

• Discovered it 10 months before the Kaspersky report

• We needed to know more… Who, What, Where, When and How

• Found logs were not fully enabled or configured and couldn’t get the data we needed

• Once the Logs were enabled and configured, we saw all kinds of cool stuff, showed the How that we ALL NEED

• After CryptoLocker I created the definitive guide:

– “The Windows Logging Cheat Sheet”

Page 8: Logs, Logs, Logs - What you need to know to catch a thief

Get this document!

• www.MalwareArchaeology.com\logs

Page 9: Logs, Logs, Logs - What you need to know to catch a thief

So what can you do with logs?

Page 10: Logs, Logs, Logs - What you need to know to catch a thief

You could catch CryptoWall

Page 11: Logs, Logs, Logs - What you need to know to catch a thief

You can catch Malwarians

Page 12: Logs, Logs, Logs - What you need to know to catch a thief

So what can we do with logs?

• More than you would have ever guessed

• Not only detect Target, Neiman Marcus, Michael’s, Home Depot, Anthem, etc…

• But also government sponsored malware like Casper, Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.

• Yes, even the really bad stuff, well good stuff to me ;-)

• IF… you know what to look for

• And why this talk… so you can learn WHAT to look for

Page 13: Logs, Logs, Logs - What you need to know to catch a thief

Auditing

Page 14: Logs, Logs, Logs - What you need to know to catch a thief

Audit the Registry

• Run Keys HKLM & HKCU

• Services Some keys are noisy – disable

• Use Malware Management to guide you

• Keys that are not noisy. You will know once you enable auditing and see tons of 4663 events

• Tune them to be quiet…

• Which means… Remove the normal

Page 15: Logs, Logs, Logs - What you need to know to catch a thief

Audit Key Directories

• C:\Perflogs

• C:\Users\xyx\AppData\Local

• C:\Users\xyx\AppData\LocalLow

• C:\Users\xyx\AppData\Roaming

• C:\Program Files

• C:\Program Files (x86)

• C:\ProgramData

• C:\Windows

• C:\Windows\System

• C:\Windows\System32

• C:\Windows\System32\wbem

• Every other Windows sub-dir that is small

Page 16: Logs, Logs, Logs - What you need to know to catch a thief

Enable File Creation Auditing

• There are key locations that everyone should… MUST watch

• C:\Windows

• C:\System32

• ..\System32\WBEM

• Any dir with .EXE

• Just CREATED FILES
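As an added example (not from the deck), here is how the 4663 stream from the three auditing slides above can be cut down to the handful of events worth a look: keep only accesses that change something (WriteData (or AddFile) on a file, Set key value or Create sub-key on a registry key), only under the watched directories and the Run keys, and drop writers that have been tuned out as normal. The sample events, the noise list and the set of access strings to match are assumptions constructed for the example; the field names are the ones wevtutil prints in /f:text mode.

```python
import re

# Constructed sample in the layout of "wevtutil qe Security /f:text", trimmed to the
# fields used here (real events also carry Subject, Handle ID, Access Mask and more).
SAMPLE_4663 = r"""
Event[0]:
  Event ID: 4663
  Object Type:   File
  Object Name:   C:\Windows\System32\wbem\dropper.exe
  Process Name:  C:\Windows\explorer.exe
  Accesses:      WriteData (or AddFile)
Event[1]:
  Event ID: 4663
  Object Type:   File
  Object Name:   C:\Windows\System32\config\SOFTWARE.LOG1
  Process Name:  System
  Accesses:      WriteData (or AddFile)
Event[2]:
  Event ID: 4663
  Object Type:   Key
  Object Name:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Process Name:  C:\Users\alice\Downloads\setup.exe
  Accesses:      Set key value
Event[3]:
  Event ID: 4663
  Object Type:   Key
  Object Name:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Process Name:  C:\Windows\explorer.exe
  Accesses:      Query key value
Event[4]:
  Event ID: 4663
  Object Type:   File
  Object Name:   C:\Users\alice\AppData\Local\Temp\installer.exe
  Process Name:  C:\Users\alice\Downloads\setup.exe
  Accesses:      WriteData (or AddFile)
"""

# Directories from the "Audit Key Directories" slides (case-insensitive prefix match);
# per-user AppData paths are matched with a regex because the user name varies.
WATCHED_DIRS = (r"C:\Perflogs", r"C:\Program Files", r"C:\Program Files (x86)",
                r"C:\ProgramData", r"C:\Windows")
APPDATA_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(Local|LocalLow|Roaming)\\", re.I)
# Run keys as the kernel names them in 4663: HKLM lives under \REGISTRY\MACHINE,
# HKCU under \REGISTRY\USER\<SID>.
RUNKEY_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\[^\\]+)\\SOFTWARE\\Microsoft"
                       r"\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)
# "Just CREATED FILES": only these access rights count as a change (assumed set).
CHANGE_ACCESSES = {"File": ("WriteData (or AddFile)",),
                   "Key": ("Set key value", "Create sub-key")}
# "Remove the normal": writers expected on this host. Constructed tuning example.
NOISE_PROCESSES = {"system", r"c:\windows\system32\svchost.exe"}

FIELD_RE = {
    "event_id": re.compile(r"^\s*Event ID:\s*(\d+)", re.M),
    "object_type": re.compile(r"^\s*Object Type:\s*(.+?)\s*$", re.M),
    "path": re.compile(r"^\s*Object Name:\s*(.+?)\s*$", re.M),
    "process": re.compile(r"^\s*Process Name:\s*(.+?)\s*$", re.M),
    "accesses": re.compile(r"^\s*Accesses:\s*(.+?)\s*$", re.M),  # first line only
}


def parse_events(text):
    """Split wevtutil text output on Event[n]: headers into one dict per record."""
    records = []
    for chunk in re.split(r"^Event\[\d+\]:", text, flags=re.M):
        if not chunk.strip():
            continue
        rec = {}
        for name, rx in FIELD_RE.items():
            m = rx.search(chunk)
            rec[name] = m.group(1) if m else ""
        records.append(rec)
    return records


def is_watched(object_type, name):
    """True when the object lies in a watched directory or is a Run/RunOnce key."""
    if object_type == "File":
        low = name.lower()
        return (any(low.startswith(d.lower() + "\\") for d in WATCHED_DIRS)
                or bool(APPDATA_RE.match(name)))
    if object_type == "Key":
        return bool(RUNKEY_RE.match(name))
    return False


def suspicious_changes(text):
    """(object type, object name, process) for each 4663 that changes a watched object."""
    hits = []
    for rec in parse_events(text):
        otype = rec["object_type"]
        if rec["event_id"] != "4663" or otype not in CHANGE_ACCESSES:
            continue
        if not any(a in rec["accesses"] for a in CHANGE_ACCESSES[otype]):
            continue  # reads and listings are not the "new file" signal
        if not is_watched(otype, rec["path"]) or rec["process"].lower() in NOISE_PROCESSES:
            continue
        hits.append((otype, rec["path"], rec["process"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_changes(SAMPLE_4663):
        print(hit)
```

Of the five constructed events only three survive: the executable dropped into System32\wbem, the Run key written by a program out of Downloads, and the new file under AppData\Local\Temp. The SOFTWARE.LOG1 write by System is the kind of noise the slide says to tune out, and the Query key value on the Run key is a read, which is exactly why the access string matters more than the event ID.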

Page 17: Logs, Logs, Logs - What you need to know to catch a thief

Audit Key Directories

Page 18: Logs, Logs, Logs - What you need to know to catch a thief

File Auditing – New Files - 4663

Page 19: Logs, Logs, Logs - What you need to know to catch a thief

New File detected

• New Files Created

• Bladelogic.exe

• Event ID:

– 4663

Page 20: Logs, Logs, Logs - What you need to know to catch a thief

CC Data file created

• New Files Created

• Bladelogic.exe

• Event ID:

– 4663

Page 21: Logs, Logs, Logs - What you need to know to catch a thief

Odd account used

• Logon – Odd user?

– Best1_user

• Event ID:

– 4624

Page 22: Logs, Logs, Logs - What you need to know to catch a thief

The DETAILS

Page 23: Logs, Logs, Logs - What you need to know to catch a thief

CMD.Exe executed

• New Process - Command Shell – YAY

• Event ID:

– 4688

Page 24: Logs, Logs, Logs - What you need to know to catch a thief

CMD.Exe executed

• Knowing something suspicious executed is great

• BUT

• Knowing what was executed on the Command Line is VITAL to catching the thieves!!!

• VITAL !!!! #1 Goal for you in 2015

Page 25: Logs, Logs, Logs - What you need to know to catch a thief

Get the Command Line!

• It’s nice to know cmd.exe executed, but we REALLY want to see what was executed. It would be better if we could see what was executed with svchost.exe!

• Again, Windows SUCKS by default, even Windows 8.1 and 2012 R2

– I do think this is the K3wlest NEW Logging feature – Worth the upgrade!

• Now available for Win 7 and Server 2008 and later – Needs patch kb3004375

• Set GPO – Must have 2012 DC

– Administrative Templates\System\Audit Process Creation

– "Include command line in process creation events"

– http://technet.microsoft.com/en-us/library/dn535776.aspx

• Registry Key

– HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\

– ProcessCreationIncludeCmdLine_Enabled DWORD - 1

Page 26: Logs, Logs, Logs - What you need to know to catch a thief

Command Line GOLD

Page 27: Logs, Logs, Logs - What you need to know to catch a thief

Catch them trying to share

Page 28: Logs, Logs, Logs - What you need to know to catch a thief

Not just CMD.EXE but the hack details

Page 29: Logs, Logs, Logs - What you need to know to catch a thief

Not just CMD.EXE but the hack details

Page 30: Logs, Logs, Logs - What you need to know to catch a thief

Another example

Page 31: Logs, Logs, Logs - What you need to know to catch a thief

So what did we learn from these?

• You MUST enable Command Line logging

• Monitor commands:

– Cmd.exe: Command Shell

– Netstat.exe: Network Connections

– Cscript: Executes VB/C Script

– Pushd: Sets Directory for Popd

– Popd: Changes directory back

– WMIC: Execute WMI commands

– Quser.exe: Queries the current user

– Reg.exe: Query and edit the registry

– SC.exe: Start and Stop Services

– Regini.exe: Add/Edit registry values

– Attrib.exe: Change file attributes

– Cacls.exe: Change file permissions

– Xcacls.exe: Change file permissions

– Takeown.exe: Take ownership of a file

– Auditpol.exe: Sets Auditing settings (GPO too)

– Netsh: Windows Firewall

Page 32: Logs, Logs, Logs - What you need to know to catch a thief

Translate this into Event Codes

• Process Create 4688

– Of course enable CMD Line logging

• File/Registry Auditing 4663

• Service Created 4075

• Service Changed 4070

• User Login Success 4624

• Share accessed 5140

The SEXY SIX

Page 33: Logs, Logs, Logs - What you need to know to catch a thief

The Manual way - 4688

• Look for Executables in \Users\AppData

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "\AppData\" | find /i "New Process Name"

Gives you this:

New Process Name: C:\Users\<username>\AppData\Local\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mvideoconference.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mui.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mlauncher.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mcomm.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mstart.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\G2MInstaller.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\G2MInstaller.exe

Filter out Citrix…

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "\AppData\" | find /i "New Process Name" | find /I /v "\Citrix\GoTo"

Gives you…

New Process Name: C:\Users\<username>\AppData\Local\malware.exe

Page 34: Logs, Logs, Logs - What you need to know to catch a thief

The Manual way - 4688 - Last 1000 records

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "New Process Name" | find /i "\AppData\"

New Process Name: C:\Users\<username>\AppData\Local\Temp\badstuff\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\badstuff\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\malware_users_Temp.exe
New Process Name: C:\Users\<username>\AppData\Local\NVIDIA\NvBackend\Packages\00007063\CoProc
update.19333411.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\update\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Local\Apps\2.0\R9P169LK.0LA\EA80CTLH.BZ3\dell..tion_0f612f649c4a10af_0005.000b_17ede8fa7a4e5cac\DellSystemDetect.exe
New Process Name: C:\Users\<username>\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\i4jdel0.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\e4j9473.tmp_dir1424306522\jre\bin\unpack200.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\e4j9473.tmp_dir1424306522\jre\bin\unpack200.exe

Page 35: Logs, Logs, Logs - What you need to know to catch a thief

The Manual way - 4688 - Last 1000 records

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "Command" | find /i ".exe" | find /i /v "\windows\" | find /i /v "Program files" | find /i /v "taskeng.exe" | find /i /v "taskhost.exe" | find /i /v "logonUI.exe" | find /i /v "consent.exe" | find /i /v "programdata" | find /i /v "nvidia\nvbackend\packages\" | find /i /v "\dropbox\" | find /i /v "/i"

Gives you…

Process Command Line: malware.exe
Process Command Line: malware.exe 25.233.45.123
Process Command Line: malware_users_Temp.exe /u:hacker /p:yurfracked
Process Command Line: wmiadap.exe /F /T /R
Process Command Line: rundll32.exe NVCPL.DLL,NvStartupRunOnFirstSessionUserAccount
Process Command Line: "C:\Users\MG\AppData\Local\Apps\2.0\R9P169LK.0LA\EA80CTLH.BZ3\dell..tion_0f612f649c4a10af_0005.000b_17ede8fa7a4e5cac\DellSystemDetect.exe"
Process Command Line: atbroker.exe
Process Command Line: C:\PROGRA~1\SUMOLO~1\wrapper.exe -s C:\PROGRA~1\SUMOLO~1\config\wrapper.conf
Process Command Line: winlogon.exe
Process Command Line: "C:\Users\MG\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe"

What looks bad?
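The find chains from the three "Manual way" slides rewritten as a small script, added here as an example that is not part of the deck. It parses the same wevtutil text output, applies the slides' exclusions to the \AppData\ rule, and adds the command watchlist from the "So what did we learn" slide, matched on the first token of the command line so that a quoted full path and a bare name are treated alike. The sample records, the allowlist and the watchlist membership are assumptions constructed for the example.

```python
import re

# Constructed sample in the "wevtutil qe Security /f:text" layout, trimmed to the two
# fields used here. Not real log data.
SAMPLE_4688 = r"""
Event[0]:
  Event ID: 4688
  New Process Name:      C:\Users\alice\AppData\Local\Citrix\GoToMeeting\2185\g2mstart.exe
  Process Command Line:  "C:\Users\alice\AppData\Local\Citrix\GoToMeeting\2185\g2mstart.exe"
Event[1]:
  Event ID: 4688
  New Process Name:      C:\Users\alice\AppData\Local\Temp\malware.exe
  Process Command Line:  malware.exe
Event[2]:
  Event ID: 4688
  New Process Name:      C:\Windows\System32\netstat.exe
  Process Command Line:  netstat  -an
Event[3]:
  Event ID: 4688
  New Process Name:      C:\Windows\System32\svchost.exe
  Process Command Line:  C:\Windows\System32\svchost.exe -k netsvcs
Event[4]:
  Event ID: 4688
  New Process Name:      C:\Windows\System32\auditpol.exe
  Process Command Line:  "C:\Windows\System32\auditpol.exe" /get /category:*
"""

# The find /v exclusions from the slides, as lower-case substrings of New Process Name.
# This is a constructed allowlist: keep it per environment and review it regularly.
ALLOWLIST = (
    "\\citrix\\goto", "\\dropbox\\", "nvidia\\nvbackend\\packages\\",
    "\\windows\\", "program files", "programdata",
    "taskeng.exe", "taskhost.exe", "logonui.exe", "consent.exe",
)
# Commands from the "Monitor commands" list, compared against the first token of the
# command line (pushd/popd are cmd built-ins, so they only ever appear inside a cmd line).
WATCHLIST = {
    "cmd", "netstat", "cscript", "pushd", "popd", "wmic", "quser", "reg", "sc",
    "regini", "attrib", "cacls", "xcacls", "takeown", "auditpol", "netsh",
}

FIELD_RE = {
    "name": re.compile(r"^\s*New Process Name:\s*(.+?)\s*$", re.M),
    "cmdline": re.compile(r"^\s*Process Command Line:\s*(.+?)\s*$", re.M),
}


def parse_4688(text):
    """One {name, cmdline} dict per Event[n] block of wevtutil text output."""
    records = []
    for chunk in re.split(r"^Event\[\d+\]:", text, flags=re.M):
        if not chunk.strip():
            continue
        rec = {}
        for key, rx in FIELD_RE.items():
            m = rx.search(chunk)
            rec[key] = m.group(1) if m else ""
        records.append(rec)
    return records


def first_token(cmdline):
    """Program as typed: strip surrounding quotes and directory, drop .exe, lower-case."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        tok = s[1:end] if end > 0 else s[1:]
    else:
        tok = s.split(None, 1)[0] if s else ""
    base = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def triage(text):
    """Findings as (reason, new process name, command line), in log order."""
    findings = []
    for rec in parse_4688(text):
        low = rec["name"].lower()
        # Rule 1: an executable running out of \AppData\ that no exclusion explains.
        if "\\appdata\\" in low and not any(a in low for a in ALLOWLIST):
            findings.append(("appdata-executable", rec["name"], rec["cmdline"]))
        # Rule 2: one of the monitored commands, wherever it was started from.
        if first_token(rec["cmdline"]) in WATCHLIST:
            findings.append(("watchlist-command", rec["name"], rec["cmdline"]))
    return findings


if __name__ == "__main__":
    for reason, name, cmdline in triage(SAMPLE_4688):
        print(f"{reason:20} {name}  ::  {cmdline}")
```

On the constructed sample the GoToMeeting launch is excluded, svchost.exe is neither in AppData nor on the watchlist, and three findings remain: malware.exe from AppData\Local\Temp, netstat, and auditpol. Because the watchlist rule keys on the command line rather than the image path, a renamed or relocated binary still shows up as long as it is invoked by its usual name.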

Page 36: Logs, Logs, Logs - What you need to know to catch a thief

Catch Dave’s SET

& MetaSploit too

Page 37: Logs, Logs, Logs - What you need to know to catch a thief

Enable Powershell command line

• It’s nice to know Powershell executed, but we REALLY want to see what was executed

• Again, Windows SUCKS by default, Powershell

• Details on setting PowerShell Preference variables

– http://technet.microsoft.com/en-us/library/hh847796.aspx

• Set Execution Policy to allow .PS1 files to execute so default profile works

– powershell Set-ExecutionPolicy RemoteSigned

• Create a Default Profile for all users:

– C:\Windows\System32\WindowsPowershell\v1.0

– Profile.ps1

• Add these to your default profile.ps1 file

– $LogCommandHealthEvent = $true

– $LogCommandLifecycleEvent = $true

• Splunk - Inputs.conf

– # Windows platform specific input processor

– [WinEventLog://Windows PowerShell]

– disabled = 0

• Upgrade to ver 3 or ver 4

• Investigating PowerShell Attacks (DefCon & Blackhat 2014)

– Ryan Kazanciyan, TECHNICAL DIRECTOR, MANDIANT

– Matt Hastings, CONSULTANT, MANDIANT

Page 38: Logs, Logs, Logs - What you need to know to catch a thief

Enable Powershell command line

• And if a bypass is used?

• EventCode 4688 with command line to the rescue!

• This is a MUST to Alert on. If this occurs, you are being hacked!
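An added example, not from the deck, of the alert this slide asks for: scan 4688 command lines for powershell.exe started with the execution policy set to Bypass (or Unrestricted), which is the case the profile-based logging on the previous slide cannot rely on. It assumes the abbreviated switch forms powershell.exe accepts (-ex, -exec, -ep and the / prefix) are the ones worth matching; the sample records are constructed.

```python
import re

# Constructed sample in the "wevtutil qe Security /f:text" layout, trimmed to the one
# field used here. Not real log data.
SAMPLE_4688 = r"""
Event[0]:
  Process Command Line:  powershell.exe -ExecutionPolicy Bypass -File C:\Users\bob\AppData\Local\Temp\run.ps1
Event[1]:
  Process Command Line:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c "Get-Date"
Event[2]:
  Process Command Line:  powershell.exe -File C:\Scripts\backup.ps1
Event[3]:
  Process Command Line:  cmd.exe /c echo -ep bypass
"""

CMDLINE_RE = re.compile(r"^\s*Process Command Line:\s*(.+?)\s*$", re.M)
# The launched program must be powershell.exe (or powershell_ise.exe), bare or with a
# quoted full path, so that "echo -ep bypass" inside a cmd.exe line is not a hit.
HOST_RE = re.compile(r'^"?(?:[^"\s]*\\)?powershell(?:_ise)?(?:\.exe)?"?(?:\s|$)', re.I)
# powershell.exe takes any unambiguous prefix of -ExecutionPolicy (-ex, -exec, ...), the
# -ep alias and a / instead of -; Bypass and Unrestricted both switch the policy off.
# Assumption: this covers the spellings seen in practice; extend as you see others.
POLICY_RE = re.compile(r"(?:^|\s)[-/](?:ex\w*|ep)\s+(bypass|unrestricted)\b", re.I)


def policy_bypasses(text):
    """(policy value, command line) for each PowerShell launch that disables the policy."""
    hits = []
    for cmd in CMDLINE_RE.findall(text):
        if not HOST_RE.match(cmd):
            continue
        m = POLICY_RE.search(cmd)
        if m:
            hits.append((m.group(1).lower(), cmd))
    return hits


if __name__ == "__main__":
    for value, cmd in policy_bypasses(SAMPLE_4688):
        print(f"ALERT execution policy {value}: {cmd}")
```

Two of the four constructed records fire: the long form and the -ep abbreviation. The backup script run under the default policy and the cmd.exe line that merely contains the word bypass do not, which is the difference between alerting on a string and alerting on the process that was actually started.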

Page 39: Logs, Logs, Logs - What you need to know to catch a thief

Log everything!

• If it is Internet facing… LOG IT!

• Hack yourself or use Pen Tests to improve your logs – Catch them in the act!

– Purple Testing

• You should catch SQL Injection

– Failed Reads, Failed Writes

• Bruting of Apps – Get the logs to see this behavior #1 Software Development task

• Enable Auditing for NEW Files on Internet servers, you will be amazed how quiet this is

Page 40: Logs, Logs, Logs - What you need to know to catch a thief

In Summary

• Malware is noisy

• We CAN detect it

• Logs can hold all types of information

– It’s NOT just for Forensics anymore

• All we have to do is:

– Enable the Logs

– Configure the Logs

– Gather the Logs

– Harvest the Logs

• Look for 6 SEXY Events

• And use the “Windows Logging Cheat Sheet”

Page 41: Logs, Logs, Logs - What you need to know to catch a thief

Resources

• Our Website

– MalwareArchaeology.com

• The Handout – Windows Logging Cheat Sheet

– www.MalwareArchaeology/logs

Page 42: Logs, Logs, Logs - What you need to know to catch a thief

Questions?

• You can find me at:

• @HackerHurricane

• Yes – We do consulting ;-)