Mining For Evil
Transcription
Mining For Evil
John McLeod & Mike Pilkington SANS DFIR Summit 2013 Disclaimer: The opinions expressed in this presentation are our own and may not reflect the opinions of our company. Work for a Fortune 500 company in the oil & gas industry Mike is also a SANS Instructor John is retired AFOSI Combined 30+ years of computer security experience Both hold various certifications and higher level degrees Oh…and Mike is a UT grad. 3 A bit about evil System Center Configuration Manager (SCCM) Windows Host logging Even though we have the “talking stick,” feel free to ask questions 4 Hide in plain sight Rename Windows files Cmd.exe, AcroRd32.exe, diskmgmt.exe, etc. Name files the same for years Ctfmon.exe Persistent mechanisms …\Start Menu\Programs\Startup known unknown known unknown known knowns known unknowns e.g. Known EVIL file is located in a known place e.g. Known EVIL file is located in an unknown place Unknown knowns Unknown unknowns e.g. An unknown file is located in e.g. An unknown EVIL file is an known place somewhere in your enterprise SQL knowledge Read-only, backend access to SCCM database Microsoft SQL Server Management Studio Although this presentation details SCCM, the concepts can be used on other similar platforms 7 System Center Configuration Manager (SCCM) Formerly Systems Management Server (SMS) Product by Microsoft for managing large groups of Windows-based computer systems Puts agent on host; sends data back Backend: MSSQL Feature of SCCM Designed to track the usage of applications Provides the identity which software applications (and executable files) are being used, and who is using them Software metering client agent must be enabled in order to find EVIL using SCCM Structured Query Language (SQL) Special-purpose programming language designed for managing data held in a relational database management system (RDBMS) The most common operation in SQL is the query, which is performed with the declarative SELECT statement More information http://www.w3schools.com/sql/ 10 Microsoft does not publish the schema, but… Creating Custom Reports By Using Configuration Manager 2007 SQL Views http://www.microsoft.com/en-us/download/details.aspx?id=22052 Configuration Manager 2007 SQL View Schema Microsoft Visio document (CM2007SQLViewsSchema.vsd): Provides the Configuration Manager 2007 SQL views schema, organized by category. Configuration Manager 2007 SQL Views Excel spreadsheet (CM2007SQLViews.xls): Provides a list of the Configuration Manager 2007 SQL views with descriptions, a list of the SQL views and columns ordered by SQL view name, and a list of the SQL views and columns ordered by column name. Asset Intelligence Client Deployment Client Health Collection Desired Configuration Discovery Hardware Inventory Mobile Device Mgt Network Access Protection Operating System Deployment Query Reporting Schema Site Security Software Distribution Software Inventory Software Metering Software Updates Status Wake On LAN AD Domain Name AD Site Name IP Address Netbios Name Hardware info User ID OS Service Pack Registered User Last Boot Time Logon Date Domain System Type Autostart Software SELECT LastUsedTime0, Name0, FolderPath0, ExplorerFileName0, OriginalFileName0, FileDescription0 FROM v_GS_SYSTEM INNER JOIN v_GS_CCM_RECENTLY_USED_APPS ON v_GS_SYSTEM.ResourceID = v_GS_CCM_RECENTLY_USED_APPS.ResourceID WHERE v_GS_CCM_RECENTLY_USED_APPS.TimeStamp > '2012-03-01 00:00:00.000' AND FolderPath0 LIKE 'c:\%' AND FileDescription0 LIKE 'Windows Command Processor' AND NOT ExplorerFileName0 LIKE 'cmd.exe‘ ORDER BY LastUsedTime0 LastUsedTime0 Name0 7/18/2012 7:11 TESTBOX5 5/28/12 20:03 TESTBOX3 3/30/12 0:39 TESTBOX1 3/2/12 5:19 TESTBOX4 FolderPath0 ExplorerFileName0 OriginalFileName0 FileDescription0 Windows Command C:\Intel\ ctfmon.exe cmd.exe Processor Windows Command C:\WINDOWS\system32\ sethc.exe cmd.exe Processor Windows Command C:\WINDOWS\system32\ sethc.exe cmd.exe Processor Windows Command C:\WINDOWS\system32\ sethc.exe cmd.exe Processor SELECT LastUsedTime0, Name0, FolderPath0, ExplorerFileName0, OriginalFileName0, FileDescription0 FROM v_GS_SYSTEM INNER JOIN v_GS_CCM_RECENTLY_USED_APPS ON v_GS_SYSTEM.ResourceID = v_GS_CCM_RECENTLY_USED_APPS.ResourceID WHERE v_GS_CCM_RECENTLY_USED_APPS.TimeStamp > '2012-03-01 00:00:00.000' AND FolderPath0 LIKE 'c:\%' AND NOT ExplorerFileName0 LIKE ‘%.exe‘ ORDER BY LastUsedTime0 LastUsedTime0 Name0 7/18/2012 7:11 TESTBOX6 FolderPath0 ExplorerFileName0 OriginalFileName0 FileDescription0 C:\Users\(userid)\ Bat.vbs NULL NULL C:\Users\(userid)\App 7/4/12 20:03 TESTBOX9 Data\Local\Temp\ System.gif testest.exe testtest 5/30/12 0:39 TESTBOX2 C:\WINDOWS\system32\ wqrtuiwl.dll NULL NULL C:\Users\(userid)\App Data\Roaming\Microsof t\Windows\Start FFmpeg video 4/2/12 5:19 TESTBOX4 Menu\Programs\ flvvideo.dll ffmpeg.exe converter SELECT LastUsedTime0, Name0, FolderPath0, ExplorerFileName0, OriginalFileName0, FileDescription0 FROM v_GS_SYSTEM INNER JOIN v_GS_CCM_RECENTLY_USED_APPS ON v_GS_SYSTEM.ResourceID = v_GS_CCM_RECENTLY_USED_APPS.ResourceID WHERE v_GS_CCM_RECENTLY_USED_APPS.TimeStamp > '2012-03-01 00:00:00.000' AND FolderPath0 LIKE 'c:\%' AND FolderPath0 LIKE '%Programs\Startup%' ORDER BY LastUsedTime0 LastUsedTime0 Name0 7/18/12 14:56 TESTBOX1 3/28/12 20:03 TESTBOX2 3/30/12 0:39 TESTBOX3 4/2/12 5:19 TESTBOX4 FolderPath0 ExplorerFileName0 OriginalFileName0 FileDescription0 C:\Documents and Settings\(userid)\Start Menu\Programs\Startup\ Update.exe NULL NULL C:\Users\(userid)\AppDa ta\Roaming\Microsoft\Wi ndows\Start Menu\Programs\ Update.exe Update.exe Document Updater C:\Documents and Settings\(userid)\Start AVG Basic Menu\Programs\Startup\ Ctfmon.exe NULL Interface C:\Users\(userid)\AppDa ta\Roaming\Microsoft\Wi ndows\Start FFmpeg video Menu\Programs\ flvvideo.dll ffmpeg.exe converter Once a host to investigate has been identified run an SCCM history for that host ▪ WHERE Name0 LIKE ‘hostname' The output may contain a group of commands showing evil activity LastUsedTime0 Name0 FolderPath0 7/18/2012 7:11 TESTBOX5 C:\Intel\ 7/18/2012 7:12 ExplorerFileName0 OriginalFileName0 FileDescription0 ctfmon.exe cmd.exe Windows Command Processor TESTBOX5 C:\WINNT\system32\ net.exe net.exe Net Command 7/18/2012 7:25 TESTBOX5 hil.exe NULL Installer 7/18/2012 7:27 TESTBOX5 C:\WINNT\system32\ ping.exe ping.exe TCP/IP Ping Command 7/18/2012 7:32 TESTBOX5 C:\WINNT\system32\ sc.exe sc.exe 7/18/2012 7:40 TESTBOX5 C:\WINNT\system32\ tasklist.exe tasklist.exe Task List find.exe Find String (grep) Utility 7/18/2012 7:40 C:\Intel\ TESTBOX5 C:\WINNT\system32\ find.exe 7/18/2012 7:41 TESTBOX5 C:\WINNT\system32\ netstat.exe netstat.exe TCP/IP Netstat Command 7/18/2012 7:41 TESTBOX5 C:\WINNT\system32\ taskkill.exe taskkill.exe Kill Process Lot’s of false positives until you know your environment NOT and wildcards are your friends Timestamps Last time used vs time received Do not consider software metering to be authoritative Attacker could send invalid information to SCCM Information is deleted periodically Only the most current data is in the database 25 Enabling & locating useful logs for IR SCCM Metering Logs Event Logs Others too, which we won’t have time to discuss… ▪ Windows Firewall Logs ▪ Commercial AV Logs ▪ MS Antimalware Logs ▪ Scheduled Tasks Logs Remote searching & collection using PowerShell 26 Provides a local archive of inventoried software Located in either: 32-bit: %systemroot%\system32\ccm\logs\mtrmgr.* 64-bit: %systemroot%\syswow64\ccm\logs\mtrmgr.* Example Entry: <![LOG[Process ID 9844 is for process C:\WINDOWS\system32\schtasks.exe]LOG]!><time="19:00:08.359+ 300" date="06-25-2013" component="mtrmgr" context="" type="1" thread="6988" file="processdata.cpp:141"> Often many deleted versions in unallocated Therefore, search/carve for entries with the signature “<![LOG[” 27 When configured appropriately, Event Logs can tell us a ton, such as: Software installed or uninstalled Processes run and by who, including parent process Services installed, started, and stopped User logons, including source IP and hostname if remote Users added and removed Groups modified Determining the current audit policy can be tricky Providing recommended auditing levels is tricky too, due to the impact heavy logging can have 28 Depending on how audit policy is configured, Local Security Policy (secpol.msc) could incorrectly indicate auditing disabled: 29 Despite the Local Security Policy settings , many logs are being created on the machine (184K over 4 months): Unfortunately you cannot trust the Local Security Policy or Group Policy reporting tools such as GPRESULT or RSOP. Explanation here: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-theeffective-audit-policy-in-windows-7-and-2008-r2.aspx Instead, use AUDITPOL… 30 Need to run “auditpol” to determine actual settings. For example: auditpol /get /category:* 31 It depends! Requires consideration and testing for your individual environment. A great new resource is Microsoft’s whitepaper titled “Best Practices for Securing Active Directory” Download from http://aka.ms/bpsad Developed by Microsoft’s Information Security and Risk Management (ISRM) organization Paper covers: ▪ ▪ ▪ ▪ Common attacks against Active Directory Countermeasures to reduce the attack surface Monitoring Active Directory for signs of compromise Offers recommendations for recovery My Overview of the Best Practices paper: ▪ SANS Forensics Blog: http://computer-forensics.sans.org/blog/2013/06/20/overview-of32 microsofts-best-practices-for-securing-active-directory Start with Microsoft’s strongest recommendations Setup test groups via Group Policy Weigh value of acquired logs to impact on performance Where necessary, tighten the audit policy to reduce performance impact Use Randy Franklin Smith’s site to supplement your analysis Identify event types that were not in your sample http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx 33 Site also gives pre-Vista ID # (and vice versia) 34 35 Many good commercial solutions: SEIMs such as ArcSight, Splunk, QRadar, etc. Good (Splunk-like) open source options too: ELSA—uses Sphinx for full-text indexing Logstash—uses ElasticSearch for full-text indexing ▪ Kibana is an alternative WebUI for Logstash Graylog2—ElasticSearch for full-text indexing & MongoDB for stats 36 Can’t always forward the logs For example, often hard to get logs off of end-user machines For IR, PowerShell may be useful for querying remote logs Specifically, use PowerShell “Remoting” Processing takes place on remote hosts – only results are returned 37 WinRM is designed to provide management communications services for any number of applications PowerShell “Remoting” being one of those Event Log Forwarding is another HTTP is default transport, yet still encrypted via Negotiate or Kerberos SSP Installed by default on Vista and higher. Available for XP and Server 2003 R2. 38 Processing occurs on remote machine Run commands interactively (ssh/telnet-like) via Enter-PsSession –ComputerName Run commands non-interactively, but still processed on remote machine, via InvokeCommand cmdlet: Invoke-Command –ComputerName <host1,host2,etc.> -command { <enter command here to run ON remote machine> } Allows concurrent parallel connections rather than sequential connections 39 Testing by Jason Hofferle, as discussed on his site: http://www.hofferle.com /powershell-remotingperformance/ His test gathered last 20 security event ID 4624 logs from each machine across US WAN links 40 Does not result in an interactive logon! Thus no exposure for passwords, hashes, or Kerberos tickets Does not create delegate-level impersonation token, allowing “double-hop” To allow delegation, must enable a specific feature (CredSSP) on both client & server – don’t do this! Network authentication via Kerberos Machines are mutually authenticated 41 By using Invoke-Command, all processing within –Command parameter’s {braces} occurs on remote machine Event Log Example: Find Security events after 5/31/2013 with message contents “ATTACK-ACCT”: Invoke-Command -ComputerName CompA,CompB -Command {Get-EventLog -LogName Security -After "Friday, May 31, 2013 12:00:00 AM" -Message *ATTACK-ACCT* } Log-file Example: Find SCCM Meter log entries with filename that includes “.jpg”; output to interactive table with sortable columns: Invoke-Command -ComputerName CompA,CompB -Command {Select-String –Path C:\Windows\syswow64\ccm\logs\mtrmgr*.log -Pattern “.jpg“ } | Out-GridView 42 The Big Con: Does not work with legacy (EVT) logs The Big Pro: Provides stronger filtering through XPath Query Language Example—Find Event ID 4624 logon from user MIKE between 6/1/13 and 6/25/13: Get-WinEvent -ComputerName CompA,CompB -FilterXml '<QueryList> <Query Id="0"> <Select Path="Security">*[System[(EventID=4624) and TimeCreated[@SystemTime >= "2013-0601T00:00:00.000Z" and @SystemTime <= "2013-0625T23:59:59.999Z"]]] and *[EventData[Data[@Name="SubjectUserName"] and (Data=“mike")]] </Select> </Query> </QueryList>' 43 Microsoft’s built-in Event Viewer can help build XPath queries: 44 Find event log files with 1 or more events Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} Run against offline event log files Get-WinEvent –Path <path to .evtx file(s)> Check for installed antimalware clients: Get-WmiObject antispywareproduct -namespace root\securitycenter2 45 Nice TechNet article on building XPath filters: http://blogs.technet.com/b/heyscriptingguy/archive/2 011/03/09/discover-how-to-filter-remote-event-logentries-in-windows-vista.aspx Secrets of PowerShell Remoting, a free book by Don Jones and Dr. Tobias Weltner: http://powershellbooks.com/ Learn Windows PowerShell 3 in a Month of Lunches, by Don Jones: http://www.amazon.com/Learn-Windows- PowerShell-Month-Lunches/dp/1617291080 46 Software Metering http://technet.microsoft.com/en- us/library/cc181604.aspx Overview of Software Metering http://technet.microsoft.com/en- us/library/bb694145.aspx 47 mcleodjp@gmail.com Contact info: John: mcleodjp@gmail.com Mike: mpilking@gmail.com @mikepilkington 48