make etw great again. - ruxcon etw great again – ruxcon 2016 • built-in, general purpose,...

MakeETWGreatAgain.

BenLelonekNateRogers

ExploringsomeofthemanyusesofEventTracingforWindows(ETW)

CyberPointisacybersecuritycompany.We’reinthebusinessofprotecEngwhat’sinvaluabletoyou.

WhoWeAre

Nate“MillionDollars”Rogers•  CyberPointInterna6onal

–  SecurityResearchTeamLead•  StudentatNYU•  Previously:

–  eEyeDigitalSecurity•  TwiEer:

–  @Conjectural_Hex

Ben“TexasDirt”Lelonek•  CyberPointInterna6onal

–  SecurityResearchTeam/Developer

•  StudentatUMBC

MakeETWGreatAgain–Ruxcon2016

CyberPointSecurityResearchTeam•  www.cyberpointllc.com/srt•  [email protected]•  @CyberPoint_SRT

Whatwe’regoingtobetalkingabout.


• WhatisETW•  QuickOverviewofETW•  UsageExamples•  PublicUsesandResearch•  ETWforMalwareDetec6on•  ETWforRedTeam•  Mi6ga6ons•  Ques6ons

WhatisEventTracingforWindows(ETW)?


•  Built-in,generalpurpose,logginganddiagnos6cframework

•  Efficient:highspeed,lowoverhead

•  Dynamicallyenabledordisabled

•  Logtofileorconsumeinreal6me

•  Usedforperformanceanalysisandgeneraldebugging

•  Exampleusage–  GoogleChrome

•  Performanceanalysis&profiling•  UIforETW

Source:

h*ps://msdn.microso3.com/en-us/windows/hardware/commercialize/test/weg/weg-performance

QuickOverviewofETW


•  FirstintroducedinWindows2000• GreatlyexpandedinVista

–  Newmanifest-basedprovidersandlogginginmorethanjustthekernel

–  MoreineachOSsince•  EaseofuseimprovedwitheachOS

–  Windows2000–MOFclassesandWMI–  WindowsVista–XMLManifests–  Windows8/.NET4.5–EventSource(C#)–  Windows10–TraceLogging

3 3

431

656

9561052

0

200

400

600

800

1000

1200

Windows2000

WindowsXP

WindowsVista

Windows7Windows8.1

Windows10

ProvidersbyWindowsVersion

HowtoViewETWEvents


•  API–  Lesscommonlyused,focusofourwork– Microsol.Diagnos6cs.Tracing.TraceEvent.dll–  C/C++/C#/etc

•  CommandLine/Applica6ons– Morecommonlyused–  Built-in:Logman,TraceRpt,EventViewer,PerformanceMonitor,wevtu6l–  Installable:Xperf,PerfView,Netmon,MicrosolMessageAnalyzer,WindowsPerformanceAnalyzer

•  PerfViewexample…

ViewingETWEvents–PerfView


TeslacryptreadingfilesinSystem32

ETWExampleProviders


•  Lis6ngproviders

•  Lis6ngrunningsessions

UsingETW


•  ETWEventsarehandledAsynchronously–  System/Applica6onwritesthemtothekernel–  Consumersmustestablishasessionandsubscribetogetdata

•  TypicalETWStructure–  C/C++:EVENT_HEADER,EVENT_RECORD,EVENT_TRACEstructuresandtracedatahelper(TDH)func6ons

–  C#:TraceEventobject,PayloadStringByName()•  Mechanism

–  OS-sideimplementa6ondetailsnotpubliclyavailable–  CallbacksfromtheOS

•  EventsCanbeCollectedRemotely–  ConfiguredviaWMI,Powershell–  Collectormachinepullsdatafromworkers

TraceEventobject


TONSofinforma6on!

UsingETWAPI(C#)


ExampleSimpleUACEventListener•  Extremelyeasytoimplement

Great,sowhatdoesthishavetodowithsecurity?


•  ExtensiveIntegra6onwithWindows– MuchoftheWindowsAPIlogstoETW–  VastamountofWindowsSubsystemshaveproviders–  Canbeusedtocollectinforma6onforbothaEackers&defenders/auditors

•  UniversallyDeployedinWindows–  Exists(insomeform)ineveryversionsinceWindows2000–  Dataproviderenabledondemand–  Hugepoten6alforabuse

•  We’llgetbacktothislater…

–  Greatpoten6alfordefensiveapplica6ons/research•  Lotsofpoten6aldatapointsforcollec6on/heuris6cs

–  process,.NET/CLR,Kernel,IO,Files,Memory,UAC,Logins,Crypto,Firewall,SMB,TCPIP,MANYmore…

•  Someexamples/toolsexistbutcanbeimproved

PublicUsesandResearch

•  Defensive–  DataMiningHeuris6cs

•  Collec6ngETWlogstodetectmalware

–  Ransomwaredetec6on(notETW)•  TrackfileIO/handles

–  Similartoourtechnique(nextslide)

–  Usesdriver

•  Offensive–  Persistence

•  ETWtriggeringserviceexecu6on

–  Packetcapture•  logman/netshforcapturingnetworktraffic

–  “SSLSidejacking”/CookieStealing•  ETWlistenerforWinINetcansnoopontraffic(evenSSL/TLS)


ETWMalwareDetecEon:RoomforImprovement


•  FewmalwareETWtools–  Exis6ngtechniquesalluseexternalEXEs

•  Logman.exe,wevtu6l.exe,PerfView,etc.•  Olenfocusonnetworktraffic(!Ransomware)

– Can’tparsein“real”6me•  Mustlogtodiskthenparse

•  RansomwareETWsolu6ons?– Virtuallynone

•  Goals:– Morelightweight(lessoverhead)solu6onswouldbeop6mal

– Na6veETWAPI•  Standalonebinarywithnodependencies

–  Sta6cANDDynamic•  DetectRansomwareinreal6me•  Alsosupportcaptures(.etl)

DetecEngRansomware–OurApproach


ClassifyandDisEllRansomwareBehavior•  Iteratefiles

–  Extensionbased,loca6onbased,etc.•  Read/wri6ngtofiles

–  access6mes,crea6on6mes,differentsizes(readvs.write),loca6on

•  Encryp6on–  AES,custom,GOST,RSA,Blowfish,TripleDES,XOR,RC4,Salsa20,TEA,zip,rar,etc.

•  Move/Rename/Copy/Delete– Manydifferentwaystodealwith“original”file

DetecEngRansomware–OurApproach(cont.)


IsgeneralizaEonofbehaviorpossibleforallsamples?•  ReadthenWrite

– Yes,butvaries…– Lotsoffalseposi6ves– TimingThreshold?

•  accountforOSdelays,itera6ons,etc.•  FileSizeDelta?

– Encryptedfilevs.original– Differentencryp6on,IVs,etc.,addsize!– Sizesdeltasvary

•  Lotsoffalseposi6vesinbenignprocesses•  FileNameChanges

– Originalfilenamevs.Encrypted– Originalisinencryptedname(insomeform)

•  Almostalways•  Encryp6on

– Toomuchvarianceforgenericrule



•  GenericDetec6onAlgorithm–  Trackwritestofilesthatwerepreviouslyread

• MustbethesamePID• Mustbewithin6methreshold80ms

– Highestaverage~49ms(Nanolocker)• Mustbewithinsizedeltathreshold1024bytes

– Higherthanneededformalware– Browsercachesandtempfiles

–  IfabovecriteriaismetincrementSuspiciousEventcounter•  SuspiciousEventCounter=3

–  Filterfalseposi6ves•  tempfiles,caching,windowssearch,etc.

PID Time Size Suspicious!



•  Whichproviderisneeded?–  “WindowsKernel”–  Canuseothersbutnotnecessary

•  Whatdataisneededfromprovider?–  “TypeField”

•  “FileIOReadWriteTraceData”•  Mul6pleEventTypes

–  EventName•  “FileIO/Write”•  “FileIO/Read”

–  “OpCode”•  Sub-typesknowasOpCodes•  representedwithINTandASCIIname

–  OpcodeNames:“Read”,“Write”–  OpcodeValues:0x67,0x68

Whatcanwedetect?


•  EVERYTHING!(Thatwetested.)

•  Specifically,cerber,chimera,ctb-locker,locky,hydracrypt,jigsaw,lockscreen,mobef,radamant,samsam,shade,teslascrypt,torrentlocker,trucrypter,7ev3n,coverton,kimcilware,petya

•  Genericallydetectedallsamples

•  Eventhosewith(relaCvely)lowdetec6onsonVirusTotal

•  TorrentLocker:

ETW&RansomwareDetecEonLimitaEons


•  NotPerfect–  Needsatleast3filestobeencryptedtobeeffec6ve

•  DynamicCapturescanbedelayed–  Variesgreatly–  Dependsonnumberofconsumedevents,systemac6vity,etc.–  Usuallysmalldelay

•  HardtoHideSessionsfromMalwareandAEacker–  Easyformalwaretoseewho’s“listening”

•  Trivialtoaccess...

MalwareDetecEonofETW


HoweasilycanaEackers“see”ETW?•  An6-Analysis?•  Easytoseesessions–logman.exe,C#API•  NoBaselineofsessionsorproviders

– Whicharegood?Whicharebad?

Tonsofpoten6alETWproviders!•  Someusesareobvious

– Winlogin,SCM,WLAN,WMI,Firewall,UAC,TCPIP,TaskScheduling,SMB,SmartCards,TerminalServices,Powershell,Loca6on,KernelResources/Events,IPSEC,FileHistory/FileManage,DNS/DHCPClient,BlueTooth,Bits,BitLocker,Cryptography,An6malware,LsaSrv,SAM,Ac6veDirectory

•  SomearealiEleless...– Microsol-Windows-Bluetooth-HidBthLE– Microsol-Windows-USB-UCX– Microsol-Windows-WinINet–  Etc….

MosthaveGoodPoten6al•  Allrequirecloserinspec6onbeforeuse

–  Somemorethanothers(USB)•  LotsofMetadata

– Mustbefilteredout

ETWProvidersforRedTeam


USBKeyLoggingwithETW


•  Mo6va6on–  USBkeyloggingdiscussedbutnotoolsexist–  APIbased,nodependencies

•  Noneedtologtodiskfirst•  More“tac6cal”solu6on

•  ETWisVERBOSE,especiallywithUSB-UCXData

–  ETWprovidesRAWUSBdata–  Requiresweparseitourselves–  USBKeyboardspoll

•  Senddataregardlessofkeypress•  Pollrate:125Hz=8ms

•  Providers

–  Microsol-Windows-USB-UCX-{36DA592D-E43A-4E28-AF6F-4BC57C5A11E8}–  Microsol-Windows-USB-USBPORT-{C88A4EF5-D048-4013-9408-E04B7DB2814A}

•  Pros

–  ETWisINTENDEDfunc6onality(debugging)–  NewTechnique.NoAVcoverage…yet–  Cancapturekeystrokeswhencomputerislocked!

•  Cons–  Real6meETWcapturescanhavedelays–  Requiresadmin

Microso_MessageAnalyzerFTW!


•  MicrosolMessageAnalyzer(MMA)GREATLYreducedthe“noise”onthewire•  ExcellenttoolforUSB,generalETWtroubleshoo6ng•  DoesmostUSB/ETWparsingforyou–  Fromthis...

–  Tothis!

DataexistsinETWtracessoMicrosol’sTraceEventlibrarycaneasilyretrievedesiredvalues.Sosimple,right?!

ActuallyParsingEvents


•  UnfortunatelyTraceEventisn’tperfect–  TraceEventreturnsanemptybyte[]withthexferData

•  Weknowdataisthere–  MMA&Xperf,etc(previousslide)

•  HadtodumpthewholeETWpayloadandparseourselves–  JusttakesaliEleextrawork...

QuickNoteSniffingUSB


Whattodowiththedata?–  Datablobsrepresentrawbytesonthewire+ETWheaders

•  StripoffETWandparsereamingdata•  RemainingdataisUSBRequestBlock(URB)

–  Datafromdevicesmustbeprocessedbydrivers•  Usbxhci.sys->Ucx01000.sys->USBhub3.sys(USB3)•  WecancheatusingETWheaders!

–  HumanInterfaceDevice(HID)datainURB_FUNCTION:_URB_BULK_OR_INTERRUPT_TRANSFER

Source:h*ps://msdn.microso3.com/en-us/library/windows/hardware/dn741264(v=vs.85).aspx

FilteringandParsingEvents


TurnRawDatainHIDdata•  FindUSBRequestBlocks(URBs)ofinterest

–  UCX_URB_BULK_OR_INTERRUPT_TRANSFER–  “payload”:TransferBuffer

•  FindCorrectpayloadsize–  fid_URB_TransferDataLength

•  KeyboardHIDpackets=8bytes•  MouseHIDpayload=4bytes

•  GetData!–  fid_URB_TransferData

USBHIDUsageTables


•  fid_URB_TransferData–  “Payload”fromHIDdata=keystroke

•  PayloadisthenmappedtoHIDspec

ActuallyParsingETWUSBEventsinC#

•  UseETWtofindcorrectURB–  UCX_URB_BULK_OR_INTERRUPT_TRANSFER

•  UseETWtoselectpayloadsizeforkeyboards–  TransferBufferLength

•  ManuallypopulatexferDatawithURBpayload



(ADEMO)

DetecEngETWUSBAbacks


• Monitorforuse–  Microsol-Windows-USB-UCX(USB3)–  Microsol-Windows-USB-USBPORT(USB2)–  Poten6alFalsePosi6ves?

•  SuspiciousETWsessions–  Nobaselineof“trustedsessions”

•  SessionscanbeoverwriEen!–  EverythingbutReal-6mesessions–  Stopsprevioussession.Notrestarted

DetecEngETWUSBAbacks(cont.)


•  Logmanisyourfriend!–  Listalldetailsforasession

ETWUSBKeyloggerLimitaEons


•  USB…–  Nolaptopsupport(PS/2)– Windows11?!–  Kidding,butwhoknows?

• Windows7+– Windows7:USB2only–  USB3Provider(UCX)notintroducedun6lWindows8

•  Requiresadmin(UAC)•  PerformanceIssues?

–  “Real-6me”filteringandcapturingcandropevents–  Haven’tseenthisoccurinour(limited)tes6ng

IEInfoLeak


•  Microsol-Windows-WinINet–  AlldatathatpassesthroughtheWinINetlibrary

•  HTTPandHTTPS

•  Noneedtoinjectintobrowserprocess•  WorksevenwhensiteusesHTTPS•  Mostprivateinforma6onexposed

–  URLsvisited(recon)–  Cookies(sessionhijacking)–  POSTparameters(credenCalstealing)

•  WorksonIE,Edge,manyWindows10Apps,andanyprogramusingWinINetforHTTPrequests

•  Similartechniqueusinglogman/wevtu6l–  hEp://securityweekly.com/2012/07/18/post-exploita6on-recon-with-e/–  Requireswri6ngtodiskandparsinginseparatesteps

Windows10StoreApplicaEonLeaks


•  Fullleaks–  Plain-textpasswordloggedtoETW

•  Par6alleaks–  OAuth2.0orhashing/encryp6ngpassword–  Allowsforhijacksessioncookies/headers

•  AffectedApplica6ons– MostL–  Categories

•  Entertainment•  Financialins6tu6ons•  WindowsStoreandotherbuilt-inapps•  Socialmedia•  EmailProviders•  E-Retailers•  More….

•  Noleaks

Outof15testedApplica6ons:4FullLeaks9ParCalLeaks2NoLeaks

Microso_-Windows-WinINet


Eventtypes(availableaskeywordsforfiltering,i.e.WININET_KEYWORD_HANDLES)•  HandleEvents–crea6onanddestruc6onofHINTERNEThandles•  HTTPEvents–processingofHTTPrequestsandresponses•  Connec6onEvents–underlyingnetworkopera6ons(TCP,DNS)•  Authen6ca6onEvents•  HTTPSEvents•  AutoproxyEvents•  CookieEvents•  WININET_KEYWORD_PII_PRESENT–keywordforeventsofmul6pletypespoten6allycontainingpersonallyiden6fiableinforma6on

Usefuleventnames•  WININET_COOKIE_STORED,Wininet_UsageLogRequest,WININET_HTTP_REQUEST_HANDLE_CREATED,WININET_REQUEST_HEADER,WININET_REQUEST_HEADER_OPTIONAL,WININET_RESPONSE_HEADER

LoggingintoGmail


MiEgaEon(a.k.a.goodadvice)


•  Don’tuseIEorEdge–  UseChrome,Tor,etc.

•  Useastandard(non-admin)useraccount–  LeaveUACEnabled–  ETWrequiresadmin

•  Onlyruntrustedapplica6onsasadmin•  MonitorforsessionswithWinINetproviderenabled

Whenusingmessagetracingfeature,messagescarryingsensi6veinforma6onsuchascreden6als,personalinforma6on,etc.maybepersistedtothediskorbeviewedbyanyonewhohasaccesstothesystemeventviewer.Asami6ga6ontothisissue,tracingcanbeenabledbySystemorAdministratorusersonWindows2003andlater.~MSDN

Thanksforcoming!

Specialthanksto–  Ruxcon–  ChrisSpencer–  StanChua–  JohnEiben– MarkMcLarnon–  AndreProtas


QuesEons?

Blogwww.cyberpointllc.com/srt

Email

[email protected]

Twiber@CyberPoint_SRT

CodeFromourDemos/Research

github.com/CyberPoint/Ruxcon2016ETW


Thanksforcoming!

References


MSDNEventTracing•  hEps://msdn.microsol.com/en-us/library/windows/desktop/bb968803(v=vs.85).aspx

USBDeviceClassDefini6onforHumanInterfaceDevices(HID)•  hEp://www.usb.org/developers/hidpage/Hut1_12v2.pd

USBtraceswithMicrosolMessageAnalyzer•  hEps://msdn.microsol.com/en-us/library/windows/hardware/dn741264(v=vs.85).aspx

Viewing/capturingUSBdata•  hEp://www.usblyzer.com/•  hEps://www.microsol.com/en-us/download/details.aspx?id=44226

USB/URB•  hEp://www.beyondlogic.org/usbnutshell/usb5.shtml•  hEps://msdn.microsol.com/en-us/library/windows/hardware/ff538930(v=vs.85).aspx

Ransomwaresamples•  hEps://www.virustotal.com/•  hEps://cyberpointllc.com/products/darkpoint/index.html

XperfBasics:RecordingaTrace(theeasyway)•  hEps://randomascii.wordpress.com/2013/04/20/xperf-basics-recording-a-trace-the-easy-way/

SSLSideJacking•  hEp://wiki.securityweekly.com/wiki/index.php/Episode300

make etw great again. - ruxcon etw great again – ruxcon 2016 • built-in, general purpose,...

Documents