CNS 320 Week4 Lecture
Week 4 Lecture
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Quiz 1
Missing slide from week 2
Malware Identification Using Memory Analysis
Windows Event Logs
Application Metadata
Thumbnails
Normally hold file content data.
NTFS files may have more than one; those after the 1st are referred to as Alternate Data Streams.
They have a short header before the file data, containing the stream's identifier/name.
Feature added primarily for Mac support, and poorly supported until Win7.
Used maliciously for data hiding.
Overview
Suspicious host identified via anomalous network traffic, AV logs, or other security alerts.
Memory & disk images extracted from host.
Memory images can be extracted directly using various tools:
EnCase Enterprise or LiveResponse (commercial, via network)
Moonsols Dumpit
ManTech Mdd
Mandiant Memoryze
AccessData FTK Imager
Memory images can also be extracted from hibernation files or via firewire using tools such as Inception.
Offending process typically identified by searching for strings related to the original alert.
Auditviewer also has heuristics to highlight certain suspicious behaviors or characteristics.
Files relating to the offending process extracted from the disk image.
Static & dynamic analysis of malicious binaries done in a VM using various tools, if necessary.
Processes with possible injected DLLs are displayed in red (several false positive mechanisms, and it doesn't catch all methods).
Malware Rating Index (MRI) rules cause a numeric ranking to be displayed.
MRI Rules
Argument Verification
Suspicious Handles
Suspicious Imports
Searching
Search Results
Handles
Files, folders, processes, registry keys, semaphores, mutexes, events, memory sections
Driver Information
Hooks
System Service Descriptor (SSD) Table Hooks
Interrupt Descriptor Table Hooks
Driver IRP Hooks
Similar functionality to Red Curtain also rolled into Auditviewer, but requires the application to be run on target host rather than on a memory image.
Known Good Hash Elimination (NSRL, FileAdvisor)
Red Curtain Rule-Based Analysis
Upload to VirusTotal.com
Manually examine persistence mechanisms for suspicious patterns
Search for suspicious file/folder names among binaries associated with running processes or scheduled jobs
Manual examination of binaries associated with running processes or scheduled jobs
NT/2K/XP/2K3
Vista/7/2K8
.evtx files
%systemroot%\System32\winevt\logs
SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
Logs can be sent to a remote log collector
Event Log (.evt) File Header Structure (first 48 bytes of a valid Event Log file)
Offset  Size     Description
0       4 bytes  Size of the record; for an .evt file header, the size is 0x30 (48) bytes. Event record sizes are 56 bytes
4       4 bytes  Magic number (LfLe)
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file to the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the Registry)
40      4 bytes  Retention time of event records (from the Registry)
44      4 bytes  Size of the record (repeat of DWORD at offset 0)
Event Log (.evt) Record Header Structure (first 56 bytes of an event record)
Offset  Description
0       Length of the event record, or size of the record in bytes
4       Reserved; magic number LfLe
8       Record number
12      Time generated; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in Universal Coordinated Time (UTC)
16      Time written; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in UTC
20      Event ID, which is specific to the event source and uniquely identifies the event; the event ID is used along with the source name to locate the appropriate description string within the message file for the event source
24      Event type (0x01 = Error; 0x10 = Failure; 0x08 = Success; 0x04 = Information; 0x02 = Warning)
26      Number of strings
28      Event category
30      Reserved flags
32      Closing record number
36      String offset; offset to the description strings within this event record
40      Length of the user Security Identifier (SID); size of the user SID in bytes (if 0, no user SID is provided)
44      Offset to the user SID within this event record
48      Data length; length of the binary data associated with this event record
52      Offset to the data
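To make the record layout concrete, here is an added example (mine, not from the lecture or any tool it lists) that constructs one .evt record with made-up field values and parses it back by the header offsets in the table above. The source name and computer name strings that follow the fixed 56-byte header are part of the standard EVENTLOGRECORD layout and are assumed here, not taken from the table.

```python
import struct
from datetime import datetime, timezone

# Added example, not from the lecture: build one .evt event record that follows the
# 56-byte record header layout in the table above, then parse it back by offset.
HDR_FMT = "<IIIIIIHHHHIIIIII"                 # 16 header fields, 56 bytes, little-endian
HDR_LEN = struct.calcsize(HDR_FMT)            # 56
MAGIC = 0x654C664C                            # b"LfLe" read as a little-endian DWORD
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information",
               0x08: "Success Audit", 0x10: "Failure Audit"}

def _utf16z(buf, pos):
    """Return (text, next_pos) for the null-terminated UTF-16LE string at pos."""
    end = pos
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def build_evt_record(rec_num, event_id, ev_type, source, computer, strings, when, sid=b""):
    """Constructed sample: header, source/computer names, SID, strings, padding, trailer."""
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in (source, computer))
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    sid_off = HDR_LEN + len(names)            # names sit right after the fixed header
    str_off = sid_off + len(sid)
    data_off = str_off + len(body)            # no binary data in this sample
    length = data_off + 4                     # + trailing copy of the length
    length += (-length) % 8                   # records are padded to 8-byte multiples
    ts = int(when.timestamp())
    hdr = struct.pack(HDR_FMT, length, MAGIC, rec_num, ts, ts, event_id, ev_type,
                      len(strings), 0, 0, rec_num, str_off, len(sid), sid_off, 0, data_off)
    rec = hdr + names + sid + body
    return rec + b"\x00" * (length - 4 - len(rec)) + struct.pack("<I", length)

def parse_evt_record(buf, offset=0):
    """Decode the record at buf[offset] using the header offsets from the slide."""
    (length, magic, rec_num, t_gen, t_wr, event_id, ev_type, n_str, category,
     _flags, _closing, str_off, sid_len, sid_off, data_len, data_off) = \
        struct.unpack_from(HDR_FMT, buf, offset)
    if magic != MAGIC:
        raise ValueError("no LfLe magic at offset %d" % offset)
    trailer, = struct.unpack_from("<I", buf, offset + length - 4)
    if trailer != length:                     # truncated or carved record
        raise ValueError("leading and trailing lengths differ")
    source, pos = _utf16z(buf, offset + HDR_LEN)
    computer, _ = _utf16z(buf, pos)
    strings, pos = [], offset + str_off
    for _ in range(n_str):
        s, pos = _utf16z(buf, pos)
        strings.append(s)
    sid = buf[offset + sid_off:offset + sid_off + sid_len] if sid_len else None
    return {
        "record_number": rec_num, "category": category,
        "time_generated": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
        "time_written": datetime.fromtimestamp(t_wr, timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,        # Event Viewer shows the low 16 bits
        "event_type": EVENT_TYPES.get(ev_type, hex(ev_type)),
        "source": source, "computer": computer, "strings": strings, "sid": sid,
        "data_length": data_len, "next_offset": offset + length,
    }

# Constructed sample: an XP-era 529 (logon failure) record with made-up field values
SAMPLE = build_evt_record(1042, 529, 0x10, "Security", "WKS01",
                          ["jdoe", "CORP", "2", "User32", "Negotiate", "WKS01", "192.0.2.10"],
                          datetime(2012, 3, 5, 14, 7, 9, tzinfo=timezone.utc))
```

Walking a whole .evt file is the same call repeated from the oldest-record offset in the file header, advancing by next_offset until the trailing length check fails.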
Event Log (.evtx) Record Structure
Offset  Type      Field
0x00    char[4]   Magic string ("**" followed by two null bytes)
0x04    uint32    Length1 (whole record's size, from the magic string to the trailing length indicator)
0x08    int64     NumLogRecord (record number, relative to the log channel; the log channel may consist of several log files which are consecutively written to)
0x10    FILETIME  TimeCreated
0x18    char[]    BinXmlStream (complex binary structure)
        uint32    Length2 (trailing repeat of Length1)
NumLogRecord & TimeCreated values are also included in the BinXmlStream. This is less useful because the various event strings are binary encoded and so won't be found in normal searching.
demo
Event Log Explorer (commercial, but free for private use; 3.4 supports evtx)
FixEvt
Lsevt (Carvey) - available in the extras of Windows Forensic Analysis
PsLogList (Sysinternals)
Evtx_parser (Schuster)
Grokevt (Linux only, but can parse events out of unallocated space)
Security     Access control & security settings; audit & group policy (most useful for forensics, but don't ignore the others)
System       Services, system components, drivers, resources, etc.
Application  Software events unrelated to the OS
Custom       Custom application logs
Event Types
Account Logon      Stored on system that authorized login
Account Mgmt       Changes to accounts
Directory Service  Attempted access of AD objects
Logon Events       Instances of logon/logoff for local system
Object Access      Access to objects specified in ACLs
Policy Change      Change to user rights, or audit or trust policies
Privilege Use      Instances of accounts exercising user rights
Process Tracking   Process start/end, handles, access to objects
System Events      System start/shutdown, security log manipulation
Where there's a direct one-to-one mapping, the new ID is usually (but not always!) the old ID + 4096. Some groups of old event IDs were collapsed to a single new event ID:
528, 540 (Successful Logon) -> 4624
529-537, 539 (Login Failure) -> 4625
672 (auth ticket granted) -> 4768 (requested), 4772 (failed)
673 (service ticket granted) -> 4769 (requested), 4773 (failed)
Some old IDs were broken out into multiple new IDs
A significant number of new events and log files were added. Logging capabilities & defaults are generally somewhat better on Vista/7/2K8 than previously.
These settings are stored in the registry's Security hive, and can be extracted using regripper.
Non-domain workstations have most settings disabled by default; non-domain servers aren't much better.
Recommended baseline is to log Success/Failure for most categories, Failure for Privilege Use, and none for Process Tracking.
Windows 2K8 adds more categories of log.
Some events (672, 673) can be found on the authenticating domain controller for domain workstations.
Old/New ID     Description
672/4768,4772  Authentication Ticket Granted
673/4769,4773  Service Ticket Granted
674/4770       Ticket Granted Renewed
675/4771       Pre-authentication failed
676/4768       Authentication Ticket Request Failed
677            Service Ticket Request Failed
678/4774       Account Mapped for Logon by
679/4775       The name: %2 could not be mapped for logon by: %1
680/4776       Account Used for Logon by
681/4776       The logon to account: %2 by: %1 from workstation: %3 failed.
4777           The domain controller failed to validate the credentials for an account
Data Fields:
Also logged when a computer authenticates to the domain, such as on boot. These events have hostname$ as the User Name.
User Name: %1
Supplied Realm Name: %2
User ID: %3
Service Name: %4
Service ID: %5
Ticket Options: %6
Result Code: (for an explanation of result/failure codes see the chart on event ID 675)
Ticket Encryption Type: %8
Pre-Authentication Type: %9
Client Address: %10 (source from which user authenticated)
Certificate Issuer Name: %11
Certificate Serial Number: %12
Certificate Thumbprint: %13
Data Fields:
Service ID: %4
Ticket Options: %5
Ticket Encryption Type: %6
Client Address: %7 (IP from which user authenticated)
Failure Code: %8
Logon GUID: %9
Transited Services: %10
Old/New ID  Description
528/4624    Successful Logon
529/4625    Logon Failure - Unknown user name or bad password
530/4625    Logon Failure - Account logon time restriction violation
531/4625    Logon Failure - Account currently disabled
532/4625    Logon Failure - The specified user account has expired
533/4625    Logon Failure - User not allowed to logon at this computer
534/4625    Logon Failure - The user has not been granted the requested logon type at this machine
535/4625    Logon Failure - The specified account's password has expired
536/4625    Logon Failure - The NetLogon component is not active
537/4625    Logon Failure - The logon attempt failed for other reasons
538/4634    User Logoff
539/4625    Logon Failure - Account locked out
540/4624    Successful Network Logon
551/4647    User initiated logoff
552/4648    Logon attempt using explicit credentials
576/4672    Special privileges assigned to new logon
682/4778    Session reconnected to winstation
683/4779    Session disconnected from winstation
4646        IKE DoS-prevention mode started
4649        A replay attack was detected
4650        An IPsec Main Mode security association was established
4651        An IPsec Main Mode security association was established
4652        An IPsec Main Mode negotiation failed
4653        An IPsec Main Mode negotiation failed
4654        An IPsec Quick Mode negotiation failed
4655        An IPsec Main Mode security association ended
ID    Description
4675  SIDs were filtered
4800  The workstation was locked
4801  The workstation was unlocked
4802  The screen saver was invoked
4803  The screen saver was dismissed
4964  Special groups have been assigned to a new logon
4976  During Main Mode negotiation, IPsec received an invalid negotiation packet
4977  During Quick Mode negotiation, IPsec received an invalid negotiation packet
4978  During Extended Mode negotiation, IPsec received an invalid negotiation packet
4979  IPsec Main Mode and Extended Mode security associations were established
4980  IPsec Main Mode and Extended Mode security associations were established
4981  IPsec Main Mode and Extended Mode security associations were established
4982  IPsec Main Mode and Extended Mode security associations were established
4983  An IPsec Extended Mode negotiation failed
4984  An IPsec Extended Mode negotiation failed
5451  An IPsec Quick Mode security association was established
5452  An IPsec Quick Mode security association ended
5453  An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
5632  A request was made to authenticate to a wireless network
5633  A request was made to authenticate to a wired network
6272  Network Policy Server granted access to a user
6273  Network Policy Server denied access to a user
6274  Network Policy Server discarded the request for a user
6275  Network Policy Server discarded the accounting request for a user
6276  Network Policy Server quarantined a user
6277  Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
6278  Network Policy Server granted full access to a user because the host met the defined health policy
6279  Network Policy Server locked the user account due to repeated failed authentication attempts
6280  Network Policy Server unlocked the user account
Logon Types
Type  Description
2     Interactive (logon at keyboard and screen of system). Windows 2000 records Terminal Services logon as this type rather than Type 10.
3     Network (i.e. connection to shared folder on this computer from elsewhere on network, or IIS logon). Never logged by 528 on W2k and forward; see event 540.
4     Batch (i.e. scheduled task)
5     Service (service startup)
7     Unlock (i.e. unattended workstation with password protected screen saver)
8     NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with "basic authentication")
9     NewCredentials
10    RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11    CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop when away from the network)
Dec  Hex   Description                                     Note
1    0x1   Client's entry in database has expired
2    0x2   Server's entry in database has expired
3    0x3   Requested protocol version # not supported
4    0x4   Client's key encrypted in old master key
5    0x5   Server's key encrypted in old master key
6    0x6   Client not found in Kerberos database           Bad user name, or new computer/user account has not replicated to DC yet (common)
7    0x7   Server not found in Kerberos database           New computer account has not replicated yet or computer is pre-w2k (common)
8    0x8   Multiple principal entries in database
9    0x9   The client or server has a null key             Administrator should reset the password on the account
10   0xA   Ticket not eligible for postdating
11   0xB   Requested start time is later than end time
12   0xC   KDC policy rejects request                      Workstation/logon time restriction (common)
13   0xD   KDC cannot accommodate requested option
14   0xE   KDC has no support for encryption type
15   0xF   KDC has no support for checksum type
16   0x10  KDC has no support for padata type
17   0x11  KDC has no support for transited type
18   0x12  Client's credentials have been revoked          Account disabled, expired, or locked out (common)
19   0x13  Credentials for server have been revoked
20   0x14  TGT has been revoked
21   0x15  Client not yet valid - try again later
22   0x16  Server not yet valid - try again later
23   0x17  Password has expired                            The user's password has expired (common)
24   0x18  Pre-authentication information was invalid      Usually means bad password (common)
25   0x19  Additional pre-authentication required*
31   0x1F  Integrity check on decrypted field failed
32   0x20  Ticket expired                                  Frequently logged by computer accounts
33   0x21  Ticket not yet valid
34   0x22  Request is a replay
35   0x23  The ticket isn't for us
36   0x24  Ticket and authenticator don't match
37   0x25  Clock skew too great                            Workstation's clock too far out of sync with the DC's (common)
38   0x26  Incorrect net address                           IP address change?
39   0x27  Protocol version mismatch
40   0x28  Invalid msg type
41   0x29  Message stream modified
42   0x2A  Message out of order
44   0x2C  Specified version of key is not available
45   0x2D  Service key not available
46   0x2E  Mutual authentication failed                    May be a memory allocation failure
47   0x2F  Incorrect message direction
48   0x30  Alternative authentication method required*
49   0x31  Incorrect sequence number in message
50   0x32  Inappropriate type of checksum in message
60   0x3C  Generic error (description in e-text)
61   0x3D  Field is too long for this implementation
Decimal     Hex       Reason
3221225572  C0000064  user name does not exist
3221225578  C000006A  user name is correct but the password is wrong
3221226036  C0000234  user is currently locked out
3221225586  C0000072  account is currently disabled
3221225583  C000006F  user tried to logon outside his day of week or time of day restrictions
3221225584  C0000070  workstation restriction
3221225875  C0000193  account expiration
3221225585  C0000071  expired password
3221226020  C0000224  user is required to change password at next logon
3221226021  C0000225  evidently a bug in Windows and not a risk
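As an added example (mine, not the lecture's), the old-to-new ID mapping, the logon-type table and the NTSTATUS table above turned into a small decoder for 529/4625 logon-failure records, with a triage count per user and reason. The sample events are constructed; 0xC000006D is the generic STATUS_LOGON_FAILURE that a 4625 reports next to its SubStatus and is not in the slide table.

```python
# Added example, not from the lecture: decode 529/4625 logon-failure events with the
# old-to-new ID mapping, logon-type and NTSTATUS tables from the slides above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# NTSTATUS values from the slide table, keyed by the hex form seen in the event
FAILURE_REASONS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "user is currently locked out",
    0xC0000072: "account is currently disabled",
    0xC000006F: "logon outside day-of-week or time-of-day restrictions",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expiration",
    0xC0000071: "expired password",
    0xC0000224: "user is required to change password at next logon",
    0xC0000225: "evidently a bug in Windows and not a risk",
}
# Old IDs whose Vista+ ID is old + 4096, and the groups collapsed onto one new ID
DIRECT = {528, 529, 538, 551, 552, 576, 672, 673, 674, 675, 680, 682, 683}
COLLAPSED = {540: 4624, 539: 4625, 676: 4768, 681: 4776}
COLLAPSED.update({old: 4625 for old in range(530, 538)})

def modern_id(old_id):
    """Map a NT/2K/XP/2K3 Security event ID to its Vista/7/2K8 ID (None if not in the table)."""
    if old_id in COLLAPSED:
        return COLLAPSED[old_id]
    return old_id + 4096 if old_id in DIRECT else None

def decode_logon_failure(event):
    """event: dict with id, user, logon_type, status and optional sub_status (ints)."""
    eid = event["id"]
    new_id = eid if eid >= 4096 else modern_id(eid)
    if new_id != 4625:
        raise ValueError("event %d is not a logon failure" % eid)
    # 4625 carries a generic Status plus a SubStatus; the SubStatus names the real cause
    code = event.get("sub_status") or event["status"]
    return {"id": 4625, "legacy_id": eid if eid < 4096 else None, "user": event["user"],
            "logon_type": LOGON_TYPES.get(event["logon_type"], "unknown"),
            "reason": FAILURE_REASONS.get(code, "unrecognized status 0x%08X" % code),
            "source": event.get("source", "-")}

def triage(events):
    """Count failures per (user, reason) so password guessing or lockouts stand out."""
    counts = {}
    for ev in events:
        d = decode_logon_failure(ev)
        key = (d["user"], d["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample events: one XP-era 529 and two Win7-era 4625 records
# (0xC000006D is the generic STATUS_LOGON_FAILURE 4625 reports alongside its SubStatus)
SAMPLE_EVENTS = [
    {"id": 529, "user": "jdoe", "logon_type": 2, "status": 0xC000006A, "source": "WKS01"},
    {"id": 4625, "user": "jdoe", "logon_type": 3, "status": 0xC000006D,
     "sub_status": 0xC000006A, "source": "192.0.2.10"},
    {"id": 4625, "user": "jdoe", "logon_type": 3, "status": 0xC0000234, "source": "192.0.2.10"},
]
```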
Old/New ID  Description
516/4612    Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517/1102    The audit log was cleared (specifies clearing user)
1100        The event logging service has shut down
1101        Audit events have been dropped by the transport
1104        The security log is now full
1105        Event log automatic backup
1108        The event logging service encountered an error
Example Scenario: Domain user logs in to workstation and maps network file share
Domain user (Kerberos authentication, Win2K3 server environment) logs in to a workstation and maps a network file share on a file server. Events logged:
Workstation
File Server
service ticket granted (workstation)
service ticket granted (domain controller)
Successful Network Logon
User Logoff
service ticket granted (file server)
7034   Service Crashed Unexpectedly
7035   Service sent a Stop/Start control
7036   Service Started or Stopped
7040   Start Type Changed (boot/manual/disabled)
20001  Plug and Play driver install attempted (Vista/Win7 only, contains unique device ID)
Installation Complete (success/fail)
Application Deinstall complete (success/fail)
Install Successful
Install Failed
Deinstall Successful
No log entry is created for failure to install due to lack of admin rights.
11000  Wireless Network Association Started
8001   Successful connection to wireless network
8002   Failed connection to wireless network
These events record the BSSID (Wireless MAC) of the associated AP, potentially enabling geolocation of the event.
%windir%\Setuplog.txt - records information during Windows setup
%windir%\Setupact.log - actions that occurred during the graphical portion of the Windows setup process
%windir%\Setupapi.log - device, service pack, and hotfix installations (including plug and play devices)
%windir%\debug\Netsetup.log - workgroup & domain membership changes
%windir%\schedlgu.txt - Task Scheduler log (Unicode)
%windir%\pfirewall.log - Windows firewall log (doesn't exist by default)
%windir%\debug\Mrt.log - Malicious Software Removal Tool install, update & scan results
%windir%\logs\cbs\Cbs.log - Vista/2K8 package manager
%WinDir%\System32\LogFiles\* - IIS (note that these entries have text timestamps in GMT)
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwatson32.log - program crashes (can sometimes flag exploitation)
Free from Mandiant.
Histogram view shows the line length distribution within a file; this can immediately pinpoint anomalies, as in IIS logs.
Allows graphical highlighting & hit counts of search results.
Allows lines matching specified patterns to be eliminated from view.
Can parse timestamps and plot events on a timeline.
Application Metadata
JPG images (example: iPhone geolocation)
MS Office Documents (doc, docx, xls, xlsx, etc.)
PDF Documents
Portable Executables (exe, sys, dll)
Some document formats support embedded files; these may in turn contain metadata.
Best generic & well-maintained tool for extraction is Phil Harvey's exiftool.
Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters
Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)
Old Office versions (I believe 2K3 and previous) stored the last ten account names to update the document. These can be extracted from the document's OLE metadata stream using Pinpoint Metaviewer. Also, in early Word 97 and previous, the MAC address of the system used to create a document was stored.
Unzip the file; the result will be a folder.
Examine the file docProps\app.xml under that extracted folder.
Metadata values will be encoded in XML.
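The unzip-and-read procedure above as an added example (mine, not from the lecture): the .docx container is opened as a zip, the properties in docProps/app.xml and the companion docProps/core.xml (which holds author, last-saved-by and the timestamps) are read, and a few points an examiner would note are pulled out. The sample document is constructed in memory with made-up values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added example, not from the lecture: read the properties a .docx carries in
# docProps/app.xml (and its companion docProps/core.xml) straight from the zip container.
def office_metadata(docx_bytes):
    """Return {property: value} from both docProps parts; missing parts are skipped."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in ("docProps/app.xml", "docProps/core.xml"):
            if part not in z.namelist():
                continue                         # a sanitised document may drop either part
            for el in ET.fromstring(z.read(part)):
                name = el.tag.split("}", 1)[-1]  # strip the XML namespace
                if el.text and el.text.strip():
                    props[name] = el.text.strip()
    return props

def review_points(props):
    """Things an examiner would note: authorship changes, editing time, producing app."""
    notes = []
    if props.get("creator") and props.get("lastModifiedBy") not in (None, props["creator"]):
        notes.append("last saved by %s, created by %s" % (props["lastModifiedBy"], props["creator"]))
    if "TotalTime" in props:
        notes.append("total editing time %s minutes over %s revision(s)"
                     % (props["TotalTime"], props.get("revision", "?")))
    if "Application" in props:
        notes.append("produced with %s %s" % (props["Application"], props.get("AppVersion", "")))
    return notes

# Constructed sample document: a zip holding only the two metadata parts
APP_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Template>Normal.dotm</Template><TotalTime>47</TotalTime><Pages>3</Pages>'
           '<Words>812</Words><Application>Microsoft Office Word</Application>'
           '<Company>Example Corp</Company><AppVersion>14.0000</AppVersion></Properties>')
CORE_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            ' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
            ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:title>Q1 plan</dc:title><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>asmith</cp:lastModifiedBy><cp:revision>6</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2012-02-01T09:15:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2012-02-03T17:42:00Z</dcterms:modified>'
            '</cp:coreProperties>')

def make_sample_docx():
    """Build the constructed .docx container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()

SAMPLE_PROPS = office_metadata(make_sample_docx())
```

The same two parts exist in .xlsx and .pptx, so office_metadata works unchanged on those containers.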
PDF Metadata
Author, Copyright, CreationDate, Creator (application name), Keywords, Marked (boolean value), ModDate, PDFVersion, Producer (application name), Subject, Title, Trapped
The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files.
Newer digital cameras & phones often geotag images with GPS coordinates.
Can also potentially identify the specific camera that took a picture.
Lots of data about specific camera settings at the time the picture was taken.
Can sometimes identify photo editing software used to alter the image.
Some images carry an internal thumbnail which can be extracted.
Machine Type, Time Stamp (compiled), PE Type, Linker Version, Code Size, Initialized Data Size, Uninitialized Data Size, Entry Point, OS Version, Image Version, Subsystem Version, Subsystem (GUI/DOS/Native), File Version Number, Product Version Number, File Flags Mask
File Flags, File OS, Object File Type (app/dll), File Subtype, Language Code, Character Set, Company Name, File Description, File Version, Internal Name, Legal Copyright, Original Filename, Product Name, Product Version, Product Date
Thumbnails
Mechanism for creating and storing thumbnail images of pictures & first pages of documents for use in folder previews
Pre-Vista: Thumbs.db
Populated in any folder which has at one time been set to show thumbnails of included images & documents.
Hidden file, not viewed by most users and not cleaned out when files are removed from the folder.
Uses OLE compound document format (similar to Office 2K3 and previous) to store:
thumbnail picture of original image or first page of document
last modification time
original filename
Thumbs.db Analysis
Binary format is a mess: sector based, devised in the days of floppy disks.
Free tool: Mitec Windows File Analyzer
Another one: Vinetto (open source python script; also does Vista thumbcache)
Format is also parsed directly by EnCase and FTK
Vista+: Thumbcache
Located in <profile>\AppData\Local\Microsoft\Windows\Explorer
All created when a folder is switched to thumbnail mode or a user views pictures in a slideshow.
Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers.
Numbered files store the actual images; linking to files is done by the idx file. Purpose of the sr file not yet determined.
Thumbcache_32.db (small)
Thumbcache_96.db (medium)
Thumbcache_256.db (large)
Thumbcache_1024.db (extra large)
Thumbcache_idx.db
Thumbcache_sr.db
The remaining sections in Chapter 4 of the Carvey book
Chapters 3 (Volume Shadow Copies) & 7 (Timeline Analysis) in the Carvey book
I didn't assign chapter 6 for this week, but I probably should have. You might want to scan through that briefly.
Questions?