Event Logs? What Event Logs?

Transcript

1. EVENT LOGS? WHAT EVENT LOGS? SANS London April 2018 Matt

   Bromiley @mbromileyDFIR

2. WHAT EVENT LOGS? ▪ THE BASICS ▪ ATTACKER TECHNIQUES ▪

   Clear the Logs ▪ Resize the Logs ▪ Mimikatz ▪ Invoke-Phant0m ▪ WHY LATERAL MOVEMENT ▪ IDENTIFYING LATERAL MOVEMENT ▪ LOOKING AHEAD Matt Bromiley @mbromileyDFIR

3. THE BASICS WINDOWS XP / Server 2003 ▪ evt extension

   ▪ Three main logs: ▪ SecEvent ▪ AppEvent ▪ SysEvent ▪ Location: C:\Windows\System32\config WHAT EVENT LOGS? – PART 1 WINDOWS VISTA+ ▪ evtx extension ▪ Dozens/hundreds of logs ▪ Windows Logs ▪ Applications/Services ▪ Third-party apps ▪ Location: C:\Windows\System32\winevt\logs Matt Bromiley @mbromileyDFIR

4. THE BASICS WHAT EVENT LOGS? – PART 1 Matt Bromiley

   @mbromileyDFIR Sample Vista+ logs: Native Event Viewer

5. THE BASICS ▪ The Event Log Service WHAT EVENT LOGS?

   – PART 1 Matt Bromiley @mbromileyDFIR

6. THE BASICS WHAT EVENT LOGS? – PART 1 Matt Bromiley

   @mbromileyDFIR

7. THE BASICS WHAT EVENT LOGS? – PART 1 Matt Bromiley

   @mbromileyDFIR

8. THE BASICS WHAT EVENT LOGS? – PART 1 Matt Bromiley

   @mbromileyDFIR

9. THE BASICS WHAT EVENT LOGS? – PART 1 Matt Bromiley

   @mbromileyDFIR

10. ATTACKER TECHNIQUES What Event Logs? Matt Bromiley @mbromileyDFIR

11. ATTACKER TECHNIQUE #1 HOW IT WORKS ▪ Just clear them!

    ▪ With Administrator privileges, event logs can be cleared using the CLI and/or GUI WHAT EVENT LOGS? – PART 1

12. ATTACKER TECHNIQUE #1 HOW IT WORKS WHAT EVENT LOGS? –

    PART 1 ▪ Utilized by threat actors. ▪ One financially-motivated group clears event logs as part of their standard exit. ▪ Some groups will clear intermittently throughout the attacker lifecycle.

13. ATTACKER TECHNIQUE #1 DETECT/MITIGATE ▪ Forward logs to a SIEM

    ▪ This should standard in organizations ▪ Monitor for the “Audit Log was Cleared” event ▪ Security EID 1102 ▪ Utilize Volume Shadow Copies ▪ May give some, not all ▪ Recover event logs from systems ▪ Attackers will often clear one, not them all WHAT EVENT LOGS? – PART 1

14. ATTACKER TECHNIQUE #2 HOW IT WORKS ▪ Meddle with event

    logs and settings Option 1: Disable the event log service WHAT EVENT LOGS? – PART 1

15. ATTACKER TECHNIQUE #2 HOW IT WORKS ▪ Meddle with event

    logs and settings Option 2: ▪ Modify event log settings ▪ Event log settings are controlled via the Windows Registry HKLM\SYSTEM\CurrentControlSet\Services\EventLog WHAT EVENT LOGS? – PART 1

16. ATTACKER TECHNIQUE #2 HOW IT WORKS ▪ Tricky technique: Change

    the event log size! WHAT EVENT LOGS? – PART 1 Check out this awesome presentation: https://www.youtube.com/watch?v=00EwvDKaKyQ

17. ATTACKER TECHNIQUE #2 DETECT/MITIGATE ▪ With logs forwarded to a

    SIEM, look for gaps/stoppage in systems ▪ Rules can be written to detect uptime vs. last event time ▪ Monitoring at the system level? Look out for stopped services WHAT EVENT LOGS? – PART 1

18. ATTACKER TECHNIQUE #2 DETECT/MITIGATE ▪ Forensics? ▪ Check the registry

    or memory for evidence of eventlog service. Should always be running. WHAT EVENT LOGS? – PART 1

19. ATTACKER TECHNIQUES #3 ▪ Event log editing with Mimikatz WHAT

    EVENT LOGS? – PART 1

20. WHAT EVENT LOGS? – PART 1

21. WHAT EVENT LOGS? – PART 1

22. FOLLOW UP – MIMIKATZ EVENT LOG PATCHING WHAT EVENT LOGS?

    – PART 2 Matt Bromiley @mbromileyDFIR Pre-patch Post-patch

23. ATTACKER TECHNIQUE #4 HOW IT WORKS ▪ Thread disruption via

    Invoke-Phant0m WHAT EVENT LOGS? – PART 1 Source: https://artofpwn.com/phant0m-killing-windows-event-log.html

24. WHAT EVENT LOGS? – PART 1 Source: https://artofpwn.com/phant0m-killing-windows-event-log.html

25. ATTACKER TECHNIQUES #3 & #4 DETECT/MITIGATE ▪ How to track

    events without logs?! ▪ Look “around” the usage of these tools ▪ HOW were logs disrupted? ▪ Accounts ▪ Evidence of execution ▪ Timeframe of service disruption ▪ Removal of event logs is not an isolated event WHAT EVENT LOGS? – PART 1

26. ATTACKER TECHNIQUES #3 & #4 DETECT/MITIGATE ▪ Memory Forensics ▪

    Step 1: Identify the correct svchost.exe vol.py –f <image> <profile> dlllist | grep evtsvc WHAT EVENT LOGS? – PART 1

27. ATTACKER TECHNIQUES #3 & #4 DETECT/MITIGATE ▪ Memory Forensics ▪

    Step 2: Look for associated threads vol.py –f <image> <profile> threads –p <pid> WHAT EVENT LOGS? – PART 1

28. ATTACKER TECHNIQUE #5 HOW IT WORKS ▪ DanderSpritz - eventlogedit

    WHAT EVENT LOGS? – PART 1 https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/

29. ATTACKER TECHNIQUE #5 HOW IT WORKS ▪ DanderSpritz - eventlogedit

    WHAT EVENT LOGS? – PART 1 https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/

30. ATTACKER TECHNIQUES #5 DETECT/MITIGATE ▪ Recover unreferenced event log entries

    with danderspritz_evtx.py, published by Fox-IT WHAT EVENT LOGS? – PART 1 https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/ GitHub: https://github.com/fox-it/danderspritz-evtx

31. WHY LATERAL MOVEMENT What Event Logs? Matt Bromiley @mbromileyDFIR

32. WHY LATERAL MOVEMENT WHAT EVENT LOGS? – PART 2 Matt

    Bromiley @mbromileyDFIR ▪ More often than not, attackers don’t compromise THE system they want. ▪ Attackers need to move through the environment to: ▪ Find their target(s) ▪ Steal credentials ▪ Maintain persistence

33. WHY LATERAL MOVEMENT WHAT EVENT LOGS? – PART 2 Matt

    Bromiley @mbromileyDFIR 1. Initial Compromise 2. Find DC ASAP 3. Find a suitable pivot point (if DC doesn’t work) 4. Explore the various “environments” 5. Find card data 6. $$PROFIT$$

34. IDENTIFYING LATERAL MOVEMENT What Event Logs? Matt Bromiley @mbromileyDFIR

35. IDENTIFYING LATERAL MOVEMENT WHAT EVENT LOGS? – PART 2 Matt

    Bromiley @mbromileyDFIR ▪ Despite being the best source of evidence (of lateral movement), event logs are not the only source of evidence. ▪ Moving laterally “touches” many parts of the environment ▪ Think about a car driving in and out of a parking garage. Even if I throw away the parking receipt and destroy the camera tape, I can’t hide: ▪ Miles were added onto the car. ▪ Tires suffered more wear and tear. ▪ Car doors were opened and closed. ▪ At some point, I got out of my car. ▪ And then I got back in. Points in time and items I can trace.

36. P(A|S)EXEC

37. IDENTIFYING LATERAL MOVEMENT PSEXEC ▪ PsExec – part of the

    Windows Sysinternals tool suite ▪ “Light-weight telnet replacement”, but it’s so much more. ▪ Automatic file copy/execution ▪ Allows for execution of processes on other systems ▪ Executed against one system at a time (\\target) ▪ Executed against an entire list of systems (@serverlist.txt) https://docs.microsoft.com/en-us/sysinternals/downloads/psexec WHAT EVENT LOGS? – PART 2

38. IDENTIFYING LATERAL MOVEMENT PAEXEC ▪ Power Admin Exec – a

    PsExec derivative that can be redistributed ▪ Many of the same features ▪ Open Source ▪ Experience with FIN7/Carbanak? Then you’ve likely seen this tool. https://github.com/poweradminllc/PAExec WHAT EVENT LOGS? – PART 2

39. IDENTIFYING LATERAL MOVEMENT PSEXEC WHAT EVENT LOGS? – PART 2

    PsExec.exe - Program Execution PSEXESVC.exe - System EID 7045 - Program Execution - Command artifacts

40. IDENTIFYING LATERAL MOVEMENT PAEXEC WHAT EVENT LOGS? – PART 2

    PaExec.exe - Program Execution PAEXEC-HOST-PID.EXE - System EID 7045 - Program Execution - Command artifacts

41. IDENTIFYING LATERAL MOVEMENT P(A|S)EXEC WHAT EVENT LOGS? – PART 2

    PSEXESVC.exe PAEXEC-HOST-PID.EXE NOT PATIENT 0

42. IDENTIFYING LATERAL MOVEMENT P(A|S)EXEC SHIM CACHE ARTIFACTS ▪ First place

    to look for lateral movement – evidence of execution ▪ Remember the Shim Cache! ▪ Evidence of the operating system checking for application compatibility ▪ We can use the ShimCache to find evidence of PSEXESVC execution, as well as what occurred around said execution WHAT EVENT LOGS? – PART 2 WTF? Recon? Malware?

43. IDENTIFYING LATERAL MOVEMENT P(A|S)EXEC PREFETCH ▪ First place to look

    for lateral movement – evidence of execution ▪ Remember the Prefetch! ▪ Operating system trace file ▪ Monitors DLL load to optimize future program execution ▪ Depending on operating system version, may provide run count, first/last execution, etc. ▪ If enabled, Prefetch files are in C:\Windows\Prefetch WHAT EVENT LOGS? – PART 2

44. IDENTIFYING LATERAL MOVEMENT P(A|S)EXEC PREFETCH ▪ First place to look

    for lateral movement – evidence of execution ▪ Remember the Prefetch! ▪ Operating system trace file ▪ Monitors DLL load to optimize future program execution ▪ Depending on operating system version, may provide run count, first/last execution, etc. ▪ If enabled, Prefetch files are in C:\Windows\Prefetch ▪ PAEXEC will drop files in the following format: PAEXEC-<SOURCE_SYSTEM>-<SOURCE_PID>.pf WHAT EVENT LOGS? – PART 2

45. IDENTIFYING LATERAL MOVEMENT P(A|S)EXEC MEMORY ▪ If you have a

    memory dump of a system you suspect was moved laterally to via PsExec, look for signs in memory strings ▪ Step 1: Look for PsExec processes ▪ vol.py –f <image_name> --profile=<profile> psscan | grep PSEXE ▪ Step 2: PsExec elsewhere? ▪ Run strings on memory ▪ Map strings with volatility (vol.py –f <image_name> -- profile=<profile> strings –s <strings_file> > mapped_strings ▪ Look for other processes WHAT EVENT LOGS? – PART 2

46. IDENTIFYING LATERAL MOVEMENT P(A|S)EXEC MEMORY ▪ Step 2: PsExec elsewhere?

    ▪ Run strings on memory ▪ vol.py –f <image_name> --profile=<profile> strings –s <strings_file> > mapped_strings ▪ grep –i psexe mapped_strings WHAT EVENT LOGS? – PART 2

47. OTHER MOVEMENT

48. IDENTIFYING LATERAL MOVEMENT FILE PATHS ▪ What user profiles are

    on the system? ▪ Look for unexpected/privileged/old/”decommissioned” accounts. WHAT EVENT LOGS? – PART 2 Any concerning accounts? Any concerning timeframes?

49. IDENTIFYING LATERAL MOVEMENT SHIM CACHE ▪ Go back to evidence

    of execution - ShimCache ▪ Where did my executables run from? ▪ Look for user-specific locations WHAT EVENT LOGS? – PART 2 Should these users be on this system?

50. IDENTIFYING LATERAL MOVEMENT PREFETCH ▪ Go back to evidence of

    execution ▪ Where did my executables run from? ▪ Look for user-specific locations WHAT EVENT LOGS? – PART 2 Should these users be on this system?

51. IDENTIFYING LATERAL MOVEMENT RDP - REGISTRY ▪ Where else have

    my users gone? ▪ Where did my compromised accounts go? ▪ HKCU\Software\Microsoft\Terminal Server Client WHAT EVENT LOGS? – PART 2

52. IDENTIFYING LATERAL MOVEMENT RDP – JUMP LISTS ▪ Where else

    have my users gone? ▪ Where did my compromised accounts go? ▪ C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\(Autom atic|Custom)Destinations WHAT EVENT LOGS? – PART 2

53. IDENTIFYING LATERAL MOVEMENT SCHEDULED TASKS ▪ Look for evidence of

    “at.exe” or “schtasks.exe” in your evidence of execution ▪ Both files create specific artifacts – XML task schema (v1.2) or .JOB (v1.0) files ▪ Check out C:\Windows\Tasks or C:\Windows\System32\Tasks ▪ Scheduled Tasks have their own event logs but…this is no EVTX land ▪ The use of scheduled tasks creates additional artifacts - these may be evidence of movement to or from the system at hand. WHAT EVENT LOGS? – PART 2

54. IDENTIFYING LATERAL MOVEMENT WMI/POWERSHELL WHAT EVENT LOGS? – PART 2

    WMI: wmic.exe PowerShell: powershellexe WMI: wmiprvse.exe PowerShell: wsmprovhost.exe

55. LOOKING AHEAD Matt Bromiley @mbromileyDFIR

56. LOOKING AHEAD WHAT EVENT LOGS? – PART 2 Matt Bromiley

    @mbromileyDFIR ▪ Despite being the best source of evidence (of lateral movement), event logs are not the only source of evidence. ▪ Moving laterally – or most attacker activity - “touches” many parts of the environment. ▪ Windows relies on accounts – accounts leave a lot of footsteps. ▪ Know the implications of your footsteps. ▪ If I see <foo>, that means <bar> ▪ If I see PSEXESVC.EXE, I am NOT looking at Patient 0.

57. LOOKING AHEAD WHAT EVENT LOGS? – PART 2 Matt Bromiley

    @mbromileyDFIR ▪ Know your environment ▪ The best answer is still log collection/forwarding and artifact preservation. ▪ Attackers cannot erase everything (and remain undetected). ▪ While event logs are not always necessary, they may be the final 10 pieces in a 1000 piece puzzle.

58. LOOKING AHEAD ▪ Upgrade your operating systems ▪ Make sure

    you’re taking advantage of all logging capabilities available ▪ Attackers may clear one or two, seldom clear them all ▪ Additional service logs will have longer retention periods, and contain relevant data ▪ Ship logs someplace else ▪ SIEMs or log ingestion tools allow for more than just collections ▪ Monitor for traffic ▪ Monitor for system anomalies (reporting yesterday, not today)

59. LOOKING AHEAD ▪ Good ole’ fashioned forensics ▪ What else

    happened “around” the timeframe? ▪ Users? ▪ Interactive sessions? ▪ Evidence of execution (AmCache, ShimCache, Prefetch, etc.) ▪ Third-party logs? ▪ Bust out the memory images ▪ The close you are to the breach, the more evidence you will find in memory. ▪ If close enough, potentially recover evidence of event log clearing. ▪ Get to the disk ▪ Can you find historical event log data?
60. None

61. THANK YOU!