
Event Logs? What Event Logs?

Many analysts rely on Windows Event Logs to help gain context on attacker activity on a system, with log entries serving as the correlative glue between other artifacts. But what happens when attackers find ways to remove the logs or, worse, stop them from being written? We must adapt!

In this @Night, we'll examine techniques attackers use to subvert Windows Event logging. We'll discuss how defenders can detect these techniques, and catch attackers before they can cause too much harm. Lastly, we'll also look at steps your organization can take to preserve these important artifacts in the event your attacker(s) want to remove them from the environment.

bromiley

April 17, 2018

Transcript

  1. WHAT EVENT LOGS?
     ▪ THE BASICS
     ▪ ATTACKER TECHNIQUES
       ▪ Clear the Logs
       ▪ Resize the Logs
       ▪ Mimikatz
       ▪ Invoke-Phant0m
     ▪ WHY LATERAL MOVEMENT
     ▪ IDENTIFYING LATERAL MOVEMENT
     ▪ LOOKING AHEAD
     Matt Bromiley @mbromileyDFIR
  2. THE BASICS – WHAT EVENT LOGS? – PART 1
     WINDOWS XP / Server 2003
     ▪ evt extension
     ▪ Three main logs:
       ▪ SecEvent
       ▪ AppEvent
       ▪ SysEvent
     ▪ Location: C:\Windows\System32\config
     WINDOWS VISTA+
     ▪ evtx extension
     ▪ Dozens/hundreds of logs
       ▪ Windows Logs
       ▪ Applications/Services
       ▪ Third-party apps
     ▪ Location: C:\Windows\System32\winevt\logs
  3. THE BASICS
     Sample Vista+ logs: Native Event Viewer (screenshot)
  4. THE BASICS
     ▪ The Event Log Service
  5. ATTACKER TECHNIQUE #1 – HOW IT WORKS
     ▪ Just clear them!
     ▪ With Administrator privileges, event logs can be cleared using the CLI and/or GUI
  6. ATTACKER TECHNIQUE #1 – HOW IT WORKS
     ▪ Utilized by threat actors.
     ▪ One financially-motivated group clears event logs as part of their standard exit.
     ▪ Some groups will clear intermittently throughout the attacker lifecycle.
  7. ATTACKER TECHNIQUE #1 – DETECT/MITIGATE
     ▪ Forward logs to a SIEM
       ▪ This should be standard in organizations
     ▪ Monitor for the “Audit Log was Cleared” event
       ▪ Security EID 1102
     ▪ Utilize Volume Shadow Copies
       ▪ May give some, not all
     ▪ Recover event logs from systems
       ▪ Attackers will often clear one, not them all
  8. ATTACKER TECHNIQUE #2 – HOW IT WORKS
     ▪ Meddle with event logs and settings
     Option 1: Disable the event log service
  9. ATTACKER TECHNIQUE #2 – HOW IT WORKS
     ▪ Meddle with event logs and settings
     Option 2:
     ▪ Modify event log settings
     ▪ Event log settings are controlled via the Windows Registry: HKLM\SYSTEM\CurrentControlSet\Services\EventLog
  10. ATTACKER TECHNIQUE #2 – HOW IT WORKS
     ▪ Tricky technique: Change the event log size!
     Check out this awesome presentation: https://www.youtube.com/watch?v=00EwvDKaKyQ
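Slides 9 and 10 point at the registry key that holds each classic log's settings and at log resizing as a quiet way to make a log wrap before anyone reads it. The following is an added example, not code from the deck or its author: it parses a constructed `.reg` export of that key (the Security log has been shrunk to 64 KB, the System log set to never overwrite) and audits the `MaxSize` and `Retention` values against an assumed 20 MB baseline. The baseline numbers and the sample export are assumptions made for the example.

```python
import re

# Constructed .reg export of the key named on slide 9 (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:01400000
"Retention"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:00010000
"Retention"=dword:00000000
"File"="%SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"MaxSize"=dword:01400000
"Retention"=dword:ffffffff
"""

EVENTLOG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"

# Assumed organisational baseline (bytes): the minimum size each log is expected to keep.
BASELINE_MIN_BYTES = {
    "Application": 20 * 1024 * 1024,
    "Security": 20 * 1024 * 1024,
    "System": 20 * 1024 * 1024,
}


def parse_reg_export(text):
    """Return {log_name: {value_name: value}} for the direct subkeys of the EventLog key."""
    logs, current = {}, None
    prefix = EVENTLOG_KEY + "\\"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # only first-level subkeys (one log each); nested keys are ignored
            if key.lower().startswith(prefix.lower()) and "\\" not in key[len(prefix):]:
                current = key[len(prefix):]
                logs[current] = {}
            else:
                current = None
            continue
        m = re.match(r'"([^"]+)"=(dword:[0-9a-fA-F]{8}|"(?:[^"\\]|\\.)*")$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            logs[current][name] = int(raw[6:], 16)
        else:
            # .reg exports double every backslash inside REG_SZ values
            logs[current][name] = raw[1:-1].replace("\\\\", "\\")
    return logs


def audit_log_settings(logs, baseline=BASELINE_MIN_BYTES):
    """Flag logs that are missing, undersized, or set to stop recording when full."""
    findings = []
    for name, expected in baseline.items():
        values = logs.get(name)
        if values is None:
            findings.append((name, "missing", "log key not present in export"))
            continue
        max_size = values.get("MaxSize")
        if max_size is None:
            findings.append((name, "missing-maxsize", "MaxSize not set"))
        elif max_size < expected:
            findings.append((name, "undersized", f"MaxSize {max_size} < baseline {expected}"))
        # Retention 0xFFFFFFFF = "do not overwrite events": once full, new events are dropped
        if values.get("Retention") == 0xFFFFFFFF:
            findings.append((name, "retention", "Retention=0xFFFFFFFF: log stops recording when full"))
    return findings


if __name__ == "__main__":
    for finding in audit_log_settings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The same parser works on a `reg export HKLM\SYSTEM\CurrentControlSet\Services\EventLog` taken from a live host or from an offline SYSTEM hive converted to `.reg`; comparing the export against a known-good baseline is what turns "settings were changed" into a specific finding.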
  11. ATTACKER TECHNIQUE #2 – DETECT/MITIGATE
     ▪ With logs forwarded to a SIEM, look for gaps/stoppage in systems
     ▪ Rules can be written to detect uptime vs. last event time
     ▪ Monitoring at the system level? Look out for stopped services
  12. ATTACKER TECHNIQUE #2 – DETECT/MITIGATE
     ▪ Forensics?
     ▪ Check the registry or memory for evidence of the eventlog service. It should always be running.
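Slide 7 asks for a rule on Security EID 1102 and slide 11 for a rule that compares a host's uptime with the time of its last forwarded event. The following is an added example, not code from the deck or its author: two SIEM-style rules run over a constructed batch of forwarded events and constructed agent check-in times (the check-in stands in for "the host is up"). Hostnames, times, the two-hour silence threshold and the `user` field on the 1102 record are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed forwarded events (not from the deck); times are UTC, ISO 8601.
FORWARDED_EVENTS = [
    {"host": "WS01", "channel": "Security", "event_id": 4624, "time": "2018-04-16T08:00:00"},
    {"host": "WS01", "channel": "Security", "event_id": 1102, "time": "2018-04-16T08:05:00",
     "user": "svc_backup"},
    {"host": "WS01", "channel": "Security", "event_id": 4624, "time": "2018-04-16T08:06:00"},
    {"host": "WS02", "channel": "System",   "event_id": 7036, "time": "2018-04-16T07:30:00"},
    {"host": "WS03", "channel": "Security", "event_id": 4624, "time": "2018-04-16T09:55:00"},
]

# Constructed agent check-ins: the host was demonstrably up at this time,
# whether or not any event log entries arrived.
LAST_CHECKIN = {
    "WS01": "2018-04-16T10:00:00",
    "WS02": "2018-04-16T10:00:00",
    "WS03": "2018-04-16T10:00:00",
}


def _ts(s):
    return datetime.fromisoformat(s)


def rule_audit_log_cleared(events):
    """Slide 7: Security EID 1102 is written by the Event Log service itself when the
    Security log is cleared, so it survives the clear and names the account."""
    return [(e["host"], e["time"], e.get("user", "?"))
            for e in events if e["channel"] == "Security" and e["event_id"] == 1102]


def rule_logging_gap(events, checkins, max_silence=timedelta(hours=2)):
    """Slide 11: a host that keeps checking in but has sent nothing for longer than
    max_silence is either idle or no longer logging; either way it needs a look."""
    last_event = {}
    for e in events:
        t = _ts(e["time"])
        if e["host"] not in last_event or t > last_event[e["host"]]:
            last_event[e["host"]] = t
    alerts = []
    for host, seen in checkins.items():
        up_at = _ts(seen)
        last = last_event.get(host)
        if last is None or up_at - last > max_silence:
            alerts.append((host, last.isoformat() if last else None, up_at.isoformat()))
    return alerts


if __name__ == "__main__":
    print("cleared:", rule_audit_log_cleared(FORWARDED_EVENTS))
    print("gaps:", rule_logging_gap(FORWARDED_EVENTS, LAST_CHECKIN))
```

The gap rule deliberately keys on "host is up but silent" rather than "no events" alone: a powered-off workstation is not a finding, a workstation that answers the agent but has stopped producing log entries is. Tune `max_silence` per host class; servers and domain controllers never go quiet for two hours, laptops might.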
  13. FOLLOW UP – MIMIKATZ EVENT LOG PATCHING – WHAT EVENT LOGS? – PART 2
     Pre-patch / Post-patch (screenshots)
  14. ATTACKER TECHNIQUE #4 – HOW IT WORKS
     ▪ Thread disruption via Invoke-Phant0m
     Source: https://artofpwn.com/phant0m-killing-windows-event-log.html
  15. ATTACKER TECHNIQUES #3 & #4 – DETECT/MITIGATE
     ▪ How to track events without logs?!
     ▪ Look “around” the usage of these tools
       ▪ HOW were logs disrupted?
       ▪ Accounts
       ▪ Evidence of execution
       ▪ Timeframe of service disruption
     ▪ Removal of event logs is not an isolated event
  16. ATTACKER TECHNIQUES #3 & #4 – DETECT/MITIGATE
     ▪ Memory Forensics
       ▪ Step 1: Identify the correct svchost.exe
         vol.py -f <image> <profile> dlllist | grep evtsvc
  17. ATTACKER TECHNIQUES #3 & #4 – DETECT/MITIGATE
     ▪ Memory Forensics
       ▪ Step 2: Look for associated threads
         vol.py -f <image> <profile> threads -p <pid>
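Slides 16 and 17 give the two Volatility steps: find the svchost.exe that loaded the Event Log service DLL, then inspect that process's threads. The following is an added example, not code from the deck or its author, that automates the two steps over text in the shape of Volatility 2 `dlllist` and `threads` output. The output samples are constructed and abridged (module lists cut to two entries, thread blocks cut to the fields used); the assumption is that a host process whose threads have all exited while the process still exists is the pattern left by thread disruption, which is what Invoke-Phant0m does to the service.

```python
import re

# Constructed, abridged text in the shape of Volatility 2 "dlllist" output (not a real capture).
DLLLIST_OUTPUT = r"""************************************************************************
svchost.exe pid:    876
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x00000000ff1d0000            0x14000             0xffff C:\Windows\system32\svchost.exe
0x000007fefd6e0000            0xc6000                0x1 C:\Windows\system32\wevtsvc.dll
************************************************************************
svchost.exe pid:    932
Command line : C:\Windows\system32\svchost.exe -k netsvcs

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x00000000ff1d0000            0x14000             0xffff C:\Windows\system32\svchost.exe
0x000007fefcd20000            0x58000                0x1 C:\Windows\system32\schedsvc.dll
"""

# Constructed, abridged "threads" output: both threads of PID 876 have an Exited time.
THREADS_OUTPUT = """------
ETHREAD: 0xfffffa8003e2a060 Pid: 876 Tid: 880
Created: 2018-04-16 08:00:01 UTC+0000
Exited: 2018-04-16 09:41:12 UTC+0000
Owning Process: svchost.exe
------
ETHREAD: 0xfffffa8003e2b7a0 Pid: 876 Tid: 884
Created: 2018-04-16 08:00:01 UTC+0000
Exited: 2018-04-16 09:41:12 UTC+0000
Owning Process: svchost.exe
------
ETHREAD: 0xfffffa8003f10b60 Pid: 932 Tid: 940
Created: 2018-04-16 08:00:02 UTC+0000
Exited: -
Owning Process: svchost.exe
"""


def find_eventlog_hosts(dlllist_text, module="wevtsvc.dll"):
    """Step 1: PIDs whose loaded-module list contains the Event Log service DLL."""
    pids = []
    for block in re.split(r"\*{20,}", dlllist_text):      # dlllist separates processes with a line of *
        head = re.search(r"^(\S+) pid:\s+(\d+)", block, re.M)
        if not head:
            continue
        paths = re.findall(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(.+)$", block, re.M)
        if any(p.strip().lower().endswith("\\" + module) for p in paths):
            pids.append(int(head.group(2)))
    return pids


def thread_state(threads_text, pid):
    """Step 2: count live vs. exited threads belonging to pid in 'threads' output."""
    live = exited = 0
    for block in threads_text.split("------"):
        m = re.search(r"ETHREAD: 0x[0-9a-fA-F]+ Pid: (\d+) Tid: (\d+)", block)
        if not m or int(m.group(1)) != pid:
            continue
        ex = re.search(r"^Exited: (.+)$", block, re.M)
        if ex and ex.group(1).strip() != "-":
            exited += 1
        else:
            live += 1
    return {"live": live, "exited": exited}


def eventlog_thread_disruption(dlllist_text, threads_text):
    """Flag an Event Log host process that is present but has no live thread left."""
    findings = []
    for pid in find_eventlog_hosts(dlllist_text):
        state = thread_state(threads_text, pid)
        if state["live"] == 0:
            findings.append((pid, state))
    return findings


if __name__ == "__main__":
    print(eventlog_thread_disruption(DLLLIST_OUTPUT, THREADS_OUTPUT))
```

Run the two Volatility commands from the slides with their output redirected to files and feed those files to the functions; the `Exited` timestamps on the dead threads are the "timeframe of service disruption" slide 15 asks for, and they bound the search through other artifacts.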
  18. ATTACKER TECHNIQUE #5 – HOW IT WORKS
     ▪ DanderSpritz - eventlogedit
     https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/
  19. ATTACKER TECHNIQUE #5 – HOW IT WORKS
     ▪ DanderSpritz - eventlogedit (continued)
  20. ATTACKER TECHNIQUE #5 – DETECT/MITIGATE
     ▪ Recover unreferenced event log entries with danderspritz_evtx.py, published by Fox-IT
     https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/
     GitHub: https://github.com/fox-it/danderspritz-evtx
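Slide 20 recommends recovering "unreferenced" records, that is, records that are still physically present in the EVTX file but that no reader visits because the size chain skips over them. The following is an added example, not code from the deck, from Fox-IT, or from danderspritz_evtx.py: it builds a heavily simplified chunk (real EVTX record headers of magic, size, record id and FILETIME, but no chunk header and plain-text bodies standing in for BinXml), with the leading size field of record 1 enlarged to span record 2, and then recovers record 2 by comparing a signature scan against a size-chain walk. The record contents and timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta

RECORD_MAGIC = b"\x2a\x2a\x00\x00"          # "**\0\0", the EVTX record signature
HEADER = struct.Struct("<4sIQQ")            # magic, size, record id, FILETIME
EPOCH_1601 = datetime(1601, 1, 1)


def filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return int((dt - EPOCH_1601).total_seconds() * 10_000_000)


def build_record(record_id, when, body):
    """One record: header, body, and the size repeated in the last 4 bytes as EVTX does."""
    size = HEADER.size + len(body) + 4
    return HEADER.pack(RECORD_MAGIC, size, record_id, filetime(when)) + body + struct.pack("<I", size)


def walk_records(chunk):
    """Follow the size fields from record to record, the way a normal reader does."""
    seen, off = [], 0
    while off + HEADER.size <= len(chunk):
        magic, size, rid, _ = HEADER.unpack_from(chunk, off)
        if magic != RECORD_MAGIC or size < HEADER.size + 4 or off + size > len(chunk):
            break
        seen.append((off, rid))
        off += size
    return seen


def carve_records(chunk):
    """Find every plausible record header by signature, ignoring the size chain."""
    found, pos = [], chunk.find(RECORD_MAGIC)
    while pos != -1:
        if pos + HEADER.size <= len(chunk):
            _, size, rid, ft = HEADER.unpack_from(chunk, pos)
            if HEADER.size + 4 <= size <= len(chunk) - pos:
                found.append((pos, rid, ft, chunk[pos + HEADER.size:pos + size - 4]))
        pos = chunk.find(RECORD_MAGIC, pos + 1)
    return found


def unreferenced_records(chunk):
    """Records present in the bytes but never reached by the walk: (record id, time, body)."""
    reachable = {off for off, _ in walk_records(chunk)}
    return [(rid, EPOCH_1601 + timedelta(microseconds=ft // 10), body)
            for off, rid, ft, body in carve_records(chunk) if off not in reachable]


def constructed_tampered_chunk():
    """Three constructed records; record 1's leading size is enlarged to cover record 2."""
    t0 = datetime(2018, 4, 16, 9, 0, 0)
    r1 = build_record(1, t0, b"<Event>4624 logon</Event>")
    r2 = build_record(2, t0 + timedelta(minutes=1), b"<Event>7045 service installed</Event>")
    r3 = build_record(3, t0 + timedelta(minutes=2), b"<Event>4634 logoff</Event>")
    tampered_r1 = HEADER.pack(RECORD_MAGIC, len(r1) + len(r2), 1, filetime(t0)) + r1[HEADER.size:]
    return tampered_r1 + r2 + r3


if __name__ == "__main__":
    chunk = constructed_tampered_chunk()
    print("walk sees record ids:", [rid for _, rid in walk_records(chunk)])
    for rid, when, body in unreferenced_records(chunk):
        print("recovered:", rid, when, body)
```

The recovery step is the same idea at file scale: anything a signature scan finds that the size chain does not reach was hidden rather than deleted, so it can be restored with its timestamp. On a real file you would parse chunk headers and BinXml as well; the Fox-IT tool linked above does that.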
  21. WHY LATERAL MOVEMENT
     ▪ More often than not, attackers don’t compromise THE system they want.
     ▪ Attackers need to move through the environment to:
       ▪ Find their target(s)
       ▪ Steal credentials
       ▪ Maintain persistence
  22. WHY LATERAL MOVEMENT
     1. Initial Compromise
     2. Find DC ASAP
     3. Find a suitable pivot point (if DC doesn’t work)
     4. Explore the various “environments”
     5. Find card data
     6. $$PROFIT$$
  23. IDENTIFYING LATERAL MOVEMENT
     ▪ Despite being the best source of evidence (of lateral movement), event logs are not the only source of evidence.
     ▪ Moving laterally “touches” many parts of the environment
     ▪ Think about a car driving in and out of a parking garage. Even if I throw away the parking receipt and destroy the camera tape, I can’t hide:
       ▪ Miles were added onto the car.
       ▪ Tires suffered more wear and tear.
       ▪ Car doors were opened and closed.
       ▪ At some point, I got out of my car.
       ▪ And then I got back in.
     Points in time and items I can trace.
  24. IDENTIFYING LATERAL MOVEMENT – PSEXEC
     ▪ PsExec – part of the Windows Sysinternals tool suite
     ▪ “Light-weight telnet replacement”, but it’s so much more.
     ▪ Automatic file copy/execution
     ▪ Allows for execution of processes on other systems
       ▪ Executed against one system at a time (\\target)
       ▪ Executed against an entire list of systems (@serverlist.txt)
     https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
  25. IDENTIFYING LATERAL MOVEMENT – PAEXEC
     ▪ Power Admin Exec – a PsExec derivative that can be redistributed
     ▪ Many of the same features
     ▪ Open Source
     ▪ Experience with FIN7/Carbanak? Then you’ve likely seen this tool.
     https://github.com/poweradminllc/PAExec
  26. IDENTIFYING LATERAL MOVEMENT – PSEXEC (diagram)
     PsExec.exe - Program Execution
     PSEXESVC.exe - System EID 7045 - Program Execution - Command artifacts
  27. IDENTIFYING LATERAL MOVEMENT – PAEXEC (diagram)
     PaExec.exe - Program Execution
     PAEXEC-HOST-PID.EXE - System EID 7045 - Program Execution - Command artifacts
  28. IDENTIFYING LATERAL MOVEMENT – P(A|S)EXEC (diagram)
     PSEXESVC.exe / PAEXEC-HOST-PID.EXE: NOT PATIENT 0
  29. IDENTIFYING LATERAL MOVEMENT – P(A|S)EXEC SHIM CACHE ARTIFACTS
     ▪ First place to look for lateral movement – evidence of execution
     ▪ Remember the Shim Cache!
       ▪ Evidence of the operating system checking for application compatibility
       ▪ We can use the ShimCache to find evidence of PSEXESVC execution, as well as what occurred around said execution
     Slide annotations: WTF? Recon? Malware?
  30. IDENTIFYING LATERAL MOVEMENT – P(A|S)EXEC PREFETCH
     ▪ First place to look for lateral movement – evidence of execution
     ▪ Remember the Prefetch!
       ▪ Operating system trace file
       ▪ Monitors DLL load to optimize future program execution
       ▪ Depending on operating system version, may provide run count, first/last execution, etc.
       ▪ If enabled, Prefetch files are in C:\Windows\Prefetch
  31. IDENTIFYING LATERAL MOVEMENT – P(A|S)EXEC PREFETCH
     ▪ First place to look for lateral movement – evidence of execution
     ▪ Remember the Prefetch!
       ▪ Operating system trace file
       ▪ Monitors DLL load to optimize future program execution
       ▪ Depending on operating system version, may provide run count, first/last execution, etc.
       ▪ If enabled, Prefetch files are in C:\Windows\Prefetch
       ▪ PAEXEC will drop files in the following format: PAEXEC-<SOURCE_SYSTEM>-<SOURCE_PID>.pf
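Slides 26 to 31 list the artifacts that PsExec and PAExec leave on the system they were run against (the service binary name, System EID 7045 for the service installation, the Prefetch file) and slide 28 draws the conclusion: those artifacts mark a system that was moved to, not patient zero. The following is an added example, not code from the deck or its author: it triages a constructed Prefetch listing and constructed System log records, pulls the source host and PID out of the PAEXEC name, and returns the "not patient zero" verdict with the probable source. The Prefetch hashes, hostnames, PIDs and times are constructed; the parser accepts both the slide's `PAEXEC-<host>-<pid>` form and the usual `NAME.EXE-<hash>.pf` Prefetch naming, and tolerates either order of host and PID, which is a robustness assumption rather than something the deck states.

```python
import re

# Constructed Prefetch directory listing (not from the deck).
PREFETCH_FILES = [
    "CMD.EXE-4A81B364.pf",
    "PSEXESVC.EXE-AD2B6E4B.pf",
    "PAEXEC-WS07-2216.EXE-0F1E2D3C.pf",
]

# Constructed System log records with the EventData fields of a 7045 service install.
SYSTEM_EVENTS = [
    {"event_id": 7045, "time": "2018-04-16T09:42:10", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "time": "2018-04-16T11:03:55", "ServiceName": "PAExec-WS07-2216",
     "ImagePath": r"%SystemRoot%\PAExec-WS07-2216.exe"},
    {"event_id": 7036, "time": "2018-04-16T11:04:00", "ServiceName": "Windows Update"},
]


def parse_paexec_name(name):
    """Extract source host and PID from PAEXEC-<a>-<b>...; whichever token is numeric is the PID."""
    m = re.match(r"^PAEXEC-([^-.]+)-([^-.]+)", name, re.I)
    if not m:
        return None
    a, b = m.group(1), m.group(2)
    if a.isdigit() and not b.isdigit():
        pid, host = a, b
    elif b.isdigit() and not a.isdigit():
        host, pid = a, b
    else:
        return None
    return {"source_host": host.upper(), "source_pid": int(pid)}


def triage_remote_exec(prefetch_files, system_events):
    """Collect every PsExec/PAExec service artifact from Prefetch names and EID 7045 records."""
    findings = []
    for f in prefetch_files:
        up = f.upper()
        if up.startswith("PSEXESVC"):
            findings.append({"artifact": "prefetch", "name": f, "tool": "PsExec"})
        elif up.startswith("PAEXEC-"):
            findings.append({"artifact": "prefetch", "name": f, "tool": "PAExec",
                             **(parse_paexec_name(f) or {})})
    for e in system_events:
        if e.get("event_id") != 7045:
            continue
        svc, img = e.get("ServiceName", ""), e.get("ImagePath", "")
        if svc.upper() == "PSEXESVC" or "PSEXESVC" in img.upper():
            findings.append({"artifact": "eid7045", "time": e["time"], "tool": "PsExec", "image": img})
        elif svc.upper().startswith("PAEXEC-"):
            findings.append({"artifact": "eid7045", "time": e["time"], "tool": "PAExec", "image": img,
                             **(parse_paexec_name(svc) or {})})
    return findings


def not_patient_zero(findings):
    """Slide 28: a remote-execution service on this host means it was moved to, not the origin."""
    sources = sorted({f["source_host"] for f in findings if "source_host" in f})
    return {"moved_to": bool(findings), "probable_sources": sources}


if __name__ == "__main__":
    found = triage_remote_exec(PREFETCH_FILES, SYSTEM_EVENTS)
    for f in found:
        print(f)
    print(not_patient_zero(found))
```

The PsExec artifacts tell you only that the host was a destination; the PAExec name additionally hands you the source host to pivot to, which is the next system whose ShimCache, Prefetch and event logs need the same treatment.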
  32. IDENTIFYING LATERAL MOVEMENT – P(A|S)EXEC MEMORY
     ▪ If you have a memory dump of a system you suspect was moved laterally to via PsExec, look for signs in memory strings
     ▪ Step 1: Look for PsExec processes
       ▪ vol.py -f <image_name> --profile=<profile> psscan | grep PSEXE
     ▪ Step 2: PsExec elsewhere?
       ▪ Run strings on memory
       ▪ Map strings with volatility: vol.py -f <image_name> --profile=<profile> strings -s <strings_file> > mapped_strings
       ▪ Look for other processes
  33. IDENTIFYING LATERAL MOVEMENT – P(A|S)EXEC MEMORY
     ▪ Step 2: PsExec elsewhere?
       ▪ Run strings on memory
       ▪ vol.py -f <image_name> --profile=<profile> strings -s <strings_file> > mapped_strings
       ▪ grep -i psexe mapped_strings
  34. IDENTIFYING LATERAL MOVEMENT – FILE PATHS
     ▪ What user profiles are on the system?
     ▪ Look for unexpected/privileged/old/“decommissioned” accounts.
     Slide annotations: Any concerning accounts? Any concerning timeframes?
  35. IDENTIFYING LATERAL MOVEMENT – SHIM CACHE
     ▪ Go back to evidence of execution - ShimCache
     ▪ Where did my executables run from?
     ▪ Look for user-specific locations
     Slide annotation: Should these users be on this system?
  36. IDENTIFYING LATERAL MOVEMENT – PREFETCH
     ▪ Go back to evidence of execution
     ▪ Where did my executables run from?
     ▪ Look for user-specific locations
     Slide annotation: Should these users be on this system?
  37. IDENTIFYING LATERAL MOVEMENT – RDP - REGISTRY
     ▪ Where else have my users gone?
     ▪ Where did my compromised accounts go?
     ▪ HKCU\Software\Microsoft\Terminal Server Client
  38. IDENTIFYING LATERAL MOVEMENT – RDP – JUMP LISTS
     ▪ Where else have my users gone?
     ▪ Where did my compromised accounts go?
     ▪ C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\(Automatic|Custom)Destinations
  39. IDENTIFYING LATERAL MOVEMENT – SCHEDULED TASKS
     ▪ Look for evidence of “at.exe” or “schtasks.exe” in your evidence of execution
     ▪ Both files create specific artifacts – XML task schema (v1.2) or .JOB (v1.0) files
     ▪ Check out C:\Windows\Tasks or C:\Windows\System32\Tasks
     ▪ Scheduled Tasks have their own event logs but…this is no EVTX land
     ▪ The use of scheduled tasks creates additional artifacts - these may be evidence of movement to or from the system at hand.
  40. IDENTIFYING LATERAL MOVEMENT – WMI/POWERSHELL (diagram)
     WMI: wmic.exe / wmiprvse.exe
     PowerShell: powershell.exe / wsmprovhost.exe
  41. LOOKING AHEAD
     ▪ Despite being the best source of evidence (of lateral movement), event logs are not the only source of evidence.
     ▪ Moving laterally – or most attacker activity - “touches” many parts of the environment.
     ▪ Windows relies on accounts – accounts leave a lot of footsteps.
     ▪ Know the implications of your footsteps.
       ▪ If I see <foo>, that means <bar>
       ▪ If I see PSEXESVC.EXE, I am NOT looking at Patient 0.
  42. LOOKING AHEAD
     ▪ Know your environment
     ▪ The best answer is still log collection/forwarding and artifact preservation.
     ▪ Attackers cannot erase everything (and remain undetected).
     ▪ While event logs are not always necessary, they may be the final 10 pieces in a 1000 piece puzzle.
  43. LOOKING AHEAD
     ▪ Upgrade your operating systems
       ▪ Make sure you’re taking advantage of all logging capabilities available
       ▪ Attackers may clear one or two, seldom clear them all
       ▪ Additional service logs will have longer retention periods, and contain relevant data
     ▪ Ship logs someplace else
       ▪ SIEMs or log ingestion tools allow for more than just collections
       ▪ Monitor for traffic
       ▪ Monitor for system anomalies (reporting yesterday, not today)
  44. LOOKING AHEAD
     ▪ Good ole’ fashioned forensics
       ▪ What else happened “around” the timeframe?
         ▪ Users?
         ▪ Interactive sessions?
         ▪ Evidence of execution (AmCache, ShimCache, Prefetch, etc.)
         ▪ Third-party logs?
     ▪ Bust out the memory images
       ▪ The closer you are to the breach, the more evidence you will find in memory.
       ▪ If close enough, potentially recover evidence of event log clearing.
     ▪ Get to the disk
       ▪ Can you find historical event log data?