Windows IR made easier and faster v1.0

Slide deck (36 slides) by Michael Gough (Founder, MalwareArchaeology.com / IMFSecurity.com), uploaded by michael-gough, posted 23-Jan-2018. Category: Technology.

TRANSCRIPT

Page 1: Windows IR made easier and faster v1.0

Windows IR made easier and faster

Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow

Michael Gough – Founder

MalwareArchaeology.com

IMFSecurity.com

Page 2: Windows IR made easier and faster v1.0

Who am I

• Blue Team Defender Ninja, Malware Archaeologist, Logoholic

• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How

• Creator of:

– “Windows Logging Cheat Sheet”

– “Windows File Auditing Cheat Sheet”

– “Windows Registry Auditing Cheat Sheet”

– “Windows Splunk Logging Cheat Sheet”

– “Malware Management Framework”

• Co-Creator of “Log-MD” – Log Malicious Discovery Tool

– With @Boettcherpwned – Brakeing Down Security PodCast

• @HackerHurricane also my Blog

Page 3: Windows IR made easier and faster v1.0

The Challenge

• Why can’t we be the ones to discover that a system is compromised?

• Before we receive a call from a 3rd party?

• How do we take a system like that one

– <insert one of your laptops here>

• And determine if it is clean or compromised?


Page 4: Windows IR made easier and faster v1.0

How all this started

• I worked for a gaming company that got pwned BAD by the Winnti group

• We knew systems were infected, but how do you find what they placed and modified on the system?

• In 2012 logging was not as good as it is now

• In 2014 logging was MUCH better – Yay CMD Line Logging 8.1/2012

• So we had to find it the old fashioned way

– Hash the files on a clean system (we built it) and compare it to a suspect system, we had lots of suspects…

– RegShot GUI

– Painful long analysis, almost forensics

• Once we found the bad we had good tools to find it everywhere

– Splunk and BigFix are AWESOME !!!!!

Page 5: Windows IR made easier and faster v1.0

The Pretty Blue Blinky Lights

• We can’t all afford fancy $100k EDR endpoint solutions

• Or fancy IR solutions

– I LOVE BigFix for IR, or equivalent

• We can’t all afford to call an IR Firm once an incident occurs

– $350-$450/hr times X people


Page 6: Windows IR made easier and faster v1.0

So what are our options?

• Anti-Virus

• Next Gen Endpoint at $100k+

• Full Blown Forensics

• IR Firm at $350-$450/hr

• Detect and Respond yourself

• Proactive Hunting yourself

• Learning to do it ourselves should be our goal


Page 7: Windows IR made easier and faster v1.0

I think or know that one is infected

• So how do we go about investigating it?

• What kinds of things can we do to check a system?

• We know certain things about systems

– The malwarians behave a certain way

– Many things are normal

• So let’s use what’s normal to find their bad behavior


Page 8: Windows IR made easier and faster v1.0

Typical Malwarian Behavior

• They generally compromise user space first

– C:\Users

• And anywhere a standard user has rights

– Whatever level a user is logged into, they have rights to add/modify/delete stuff

• Then they go to Admin creds and space

– They own the system now

• And now east/west lateral movement is easy

• And all that APT stuff the reports talk about

Page 9: Windows IR made easier and faster v1.0

So how do we catch them?

• We need to focus more on Detection and Hunting

• Automate it too!

• Log management is the best option IMHO, but it can also be costly

– There are cheaper solutions – Graylog, ELK, etc.

– But free is not (human resource) free

• Most of us have configuration management, we have to automate patching

• Maybe we can use this?

Page 10: Windows IR made easier and faster v1.0

Command Line Rocks!

• We all use it

• So do many/most IR and Forensics tools

• GUIs are bad because we cannot automate a GUI

• So command line rocks

• We can automate command line

• Which is why I recommend and use command line solutions and tools

– If you don’t have the $$$$ solutions


Page 11: Windows IR made easier and faster v1.0

Command Line

• We can use logon scripts, PowerShell, PSExec, etc.

• Configuration Management like BigFix, Tanium, SCCM

• Pick one, something, whatever you have

• This allows you to automate command line tools


Page 12: Windows IR made easier and faster v1.0

Artifacts


Page 13: Windows IR made easier and faster v1.0

So what do we look for?

• New files added to user space - C:\Users

• Files added in Admin space – Everywhere else

• Persistence – Autorun locations

• Registry Keys added or changed

• Large Registry Keys – They hide stuff here

• Logs of course, LOTS of good stuff here

• Odd artifacts that Breach and Malware Analysis reports show that are ‘good to detect’


Page 14: Windows IR made easier and faster v1.0

So what can we do quickly?

• Lots of python scripts, projects, tools and options

– Not really my thing, too many things to compile and tweak, I should not have to hack together my detection and hunting tool(s) suite

• I wanted something that allowed me to focus on what I saw that worked

– Well configured logs

– Targeted reports by category

– Large Registry Keys

– Changes to Registry keys

– Files added to places that seem odd

– Other Interesting Artifacts

Page 15: Windows IR made easier and faster v1.0

Something New


Page 16: Windows IR made easier and faster v1.0

I came here to show you a new tool

• It did not exist, so we created it

– Turned a collection of my scripts into a tool

• Built on everything I saw and experienced with Winnti over 3 years, which was a LOT

• And Breach and Malware Analysis reports

• Tips from colleagues at this very conference

• And years of experience of course

• And because we may not be able to afford $$$$


Page 17: Windows IR made easier and faster v1.0

The Log and Malicious Discovery tool

Logging:

• ALL VERSIONS OF WINDOWS (Win 7 & up)

• Audits your system log settings and produces a report, every time it runs

• Also shows failed items on the console

• Guides you to configure proper audit logging

• Guides you to enable what is valuable

• Compares auditing to many industry standards

– CIS, USGCB and AU standards and “Windows Logging Cheat Sheet”

Page 18: Windows IR made easier and faster v1.0

There are three versions

• Free Edition

• Professional Edition

• Consulting Edition

– Just a license difference to Pro


Page 19: Windows IR made easier and faster v1.0

All Versions

• Collect 1-7 days of logs – 7 days is about a 1GB Security Log

LOG-MD does more than just harvest logs

• Full filesystem Hash Baseline

• Full filesystem compare to a Hash Baseline

• Full system Registry Baseline

• Full system compare to Registry Baseline

• Large Registry Key discovery

• List of Autoruns (coming next release)

• List of Locked files (coming next release)

• 3 Whitelist files to reduce normal noise and events

Page 20: Windows IR made easier and faster v1.0

Free Edition

• Over 15 reports

• Quick Start Guide

• All reports are TXT or CSV for easy scripting and post processing with your favorite flavor of scripting

• Scripts I created are what became LOG-MD Pro


Page 21: Windows IR made easier and faster v1.0

• Over 25 reports

• Full User Manual

• Collects Sysinternals Sysmon events

• WhoIS resolution of IPs from Win FW/Sysmon

– Owner, Network, Country, CIDR

• Master-Digest to exclude hashes and files

• 3 more Whitelisting files

– File, Registry and AutoRuns

Page 22: Windows IR made easier and faster v1.0

• Interesting Artifacts report

– Null byte in registry value, Sticky Keys, etc.

– Adding more all the time

• SRUM (netflow from/to a binary)

– Win 8.1 and 10 only

• AutoRuns compare feature to show only those Autoruns whose hashes are not in the Master Digest or Whitelisted parameters

Page 23: Windows IR made easier and faster v1.0

What is a Master-Digest?

Page 24: Windows IR made easier and faster v1.0

Master-Digest

• A Hash Baseline (Hash_Baseline.txt) is a list of every file and hash on the C: drive

• A Master Digest only lists the unique files and hashes, and they are sorted

• Results in 33%+ fewer files to do compares against, so much faster

• Speed for any disk reads is a good thing


Page 25: Windows IR made easier and faster v1.0

Master-Digest

• You can append files and hashes to the Master Digest as you validate them as good

• You can feed the Master Digest any set of SHA256 Hashes like:

– Hashsets.com (Whitehat Forensics)

– NSRL, etc.
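The Master-Digest build and the compare against a suspect host, as an added Python example (not LOG-MD's own code or file format). It assumes a simple `sha256,path` line layout for Hash_Baseline.txt and for the suspect listing; the hash values and paths are constructed, and `extra_known` stands in for hashes you have validated yourself or pulled from an NSRL-style set.

```python
# Added example, not LOG-MD's code. The "sha256,path" line layout, the hash
# values and the paths below are constructed assumptions.

def parse_hash_lines(text):
    """Parse 'sha256,path' lines into (hash, path) tuples; skip blanks and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, path = line.partition(",")
            rows.append((digest.lower(), path))
    return rows

def build_master_digest(baseline_text):
    """One entry per unique hash (first path seen stands for every copy), sorted by hash."""
    unique = {}
    for digest, path in parse_hash_lines(baseline_text):
        unique.setdefault(digest, path)
    return sorted(unique.items())

def reduction_percent(baseline_text, master):
    """How much smaller the digest is than the raw baseline (the slide's 33%+)."""
    total = len(parse_hash_lines(baseline_text))
    return round(100.0 * (total - len(master)) / total, 1)

def compare_to_digest(master, suspect_text, extra_known=()):
    """Suspect files whose hash is in neither the digest nor extra_known (your own
    validated hashes or an NSRL-style SHA256 set): the new or changed files."""
    known = {digest for digest, _ in master} | {h.lower() for h in extra_known}
    return [(h, p) for h, p in parse_hash_lines(suspect_text) if h not in known]

# Constructed sample: a clean-build baseline holding duplicate copies of the same
# binaries, and a suspect-host listing with one new file and one changed file.
H_NTDLL, H_NOTEPAD, H_CMD, H_XLSX = "1a" * 32, "2b" * 32, "3c" * 32, "4d" * 32
H_DROPPER, H_XLSX_EDITED = "5e" * 32, "6f" * 32
BASELINE = "\n".join(f"{h},{p}" for h, p in [
    (H_NTDLL, r"C:\Windows\System32\ntdll.dll"),
    (H_NTDLL, r"C:\Windows\WinSxS\amd64_ntdll_10.0.0\ntdll.dll"),
    (H_NOTEPAD, r"C:\Windows\System32\notepad.exe"),
    (H_NOTEPAD, r"C:\Windows\notepad.exe"),
    (H_CMD, r"C:\Windows\System32\cmd.exe"),
    (H_XLSX, r"C:\Users\alice\Documents\budget.xlsx"),
])
SUSPECT = "\n".join(f"{h},{p}" for h, p in [
    (H_NTDLL, r"C:\Windows\System32\ntdll.dll"),
    (H_CMD, r"C:\Windows\System32\cmd.exe"),
    (H_DROPPER, r"C:\Users\alice\AppData\Roaming\update.exe"),
    (H_XLSX_EDITED, r"C:\Users\alice\Documents\budget.xlsx"),
])
```

Running `compare_to_digest(build_master_digest(BASELINE), SUSPECT)` on this sample flags only the AppData executable and the edited spreadsheet; the six-line baseline collapses to four digest entries.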


Page 26: Windows IR made easier and faster v1.0

SRUM


Page 27: Windows IR made easier and faster v1.0

SRUM for IR and Malware Analysis

• SRUM holds 60 days of data !!!

• Updates (flushes cache to the database) in one hour intervals or on shutdown

• How many bytes were written and read from the system by Application/Process


Page 28: Windows IR made easier and faster v1.0

• LOG-MD-Pro can harvest SRUM data LIVE or offline like traditional forensic tools

• Great for answering the questions

– Did we lose any data?

– When were we first infected?


Page 29: Windows IR made easier and faster v1.0

AutoRuns


Page 30: Windows IR made easier and faster v1.0

Autoruns

• We need to find the persistence

• There are typically over 1000 autoruns

• We need a way to filter down the known good

• Master-Digest to the rescue !!!

• Whitelist out binaries with parameters

• The parameters are often where the bad stuff hides so whitelisting is the best option

• So we let you whitelist out your known good


Page 31: Windows IR made easier and faster v1.0

Autoruns

• 1257 autoruns

• Subtract hashes in the Master-Digest

• 171 autoruns with parameters remain

• Subtract the whitelist

• 2 remain and Splunk to show a normal entry

• Easy to spot the malicious persistence
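The two-stage reduction on this slide (subtract Master-Digest hashes, then the whitelist), as an added Python example that is not LOG-MD's code. The Autorun fields, hash values, paths and whitelist layout are constructed assumptions; an entry whose binary hash is known but that carries parameters is kept for the whitelist stage, since the parameters are where the bad hides, and an unknown hash is never cleared.

```python
# Added example, not LOG-MD's code: the Autoruns reduction from the slide
# (subtract Master-Digest hashes, then the whitelist). Field names, hashes,
# paths and the whitelist format are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Autorun:
    location: str    # Run key, scheduled task, service... that launches it
    image: str       # full path of the binary
    sha256: str
    parameters: str  # command-line arguments, "" if none

def norm(s):
    """Windows paths and switches are case-insensitive; collapse whitespace too."""
    return " ".join(s.casefold().split())

def triage_autoruns(entries, master_hashes, whitelist):
    """Per-stage counts plus the entries left for a human to review. Stage 1 clears
    binaries whose hash is in the Master-Digest AND that run with no parameters
    (a known-good rundll32/regsvr32 hash says nothing about what it was told to
    load, and an unknown hash must never be cleared). Stage 2 clears the
    (image, parameters) pairs you have whitelisted as known good."""
    known = {h.lower() for h in master_hashes}
    wl = {(norm(i), norm(p)) for i, p in whitelist}
    after_hash = [e for e in entries if e.parameters or e.sha256.lower() not in known]
    remaining = [e for e in after_hash if (norm(e.image), norm(e.parameters)) not in wl]
    return {"total": len(entries), "after_master_digest": len(after_hash),
            "after_whitelist": len(remaining)}, remaining

# Constructed sample: three binaries known from the clean build, one driver never seen.
H_TRAY, H_SVCHOST, H_RUNDLL, H_DRIVER = "a1" * 32, "b2" * 32, "c3" * 32, "d4" * 32
MASTER_DIGEST = {H_TRAY, H_SVCHOST, H_RUNDLL}
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
WHITELIST = [
    (r"C:\Windows\System32\svchost.exe", "-k netsvcs"),
    (RUNDLL32, r"C:\Program Files\Vendor\helper.dll,Init"),
]
ENTRIES = [
    Autorun(RUN_HKLM, r"C:\Program Files\Vendor\tray.exe", H_TRAY, ""),
    Autorun("Task Scheduler", r"C:\Windows\System32\svchost.exe", H_SVCHOST, "-k netsvcs"),
    Autorun(RUN_HKLM, RUNDLL32, H_RUNDLL, r"C:\Program Files\Vendor\helper.dll,Init"),
    Autorun(RUN_HKCU, RUNDLL32, H_RUNDLL, r"C:\Users\alice\AppData\Roaming\upd.dll,Start"),
    Autorun("Services", r"C:\Windows\System32\drivers\vendor.sys", H_DRIVER, ""),
]
```

On this sample `triage_autoruns(ENTRIES, MASTER_DIGEST, WHITELIST)` goes 5 → 4 → 2, leaving the HKCU rundll32 entry that loads a DLL out of the user's AppData and the driver whose hash was never seen on the clean build.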


Page 32: Windows IR made easier and faster v1.0

Locked Files


Page 33: Windows IR made easier and faster v1.0

Locked Files

• If a file is locked…

• You can’t hash it

• You can’t run Sigcheck or Strings or pick your favorite tool, you need to break the handle first

• It sure would be nice to see a list of locked files

• That are DIFFERENT from the norm


Page 34: Windows IR made easier and faster v1.0

Locked Files


Page 35: Windows IR made easier and faster v1.0

Resources

LOG-MD.COM

• Websites

– Log-MD.com The tool

• The “Windows Logging Cheat Sheet(s)”

– MalwareArchaeology.com

• This presentation and others on SlideShare

– Search for MalwareArchaeology or LOG-MD

Page 36: Windows IR made easier and faster v1.0

Questions?


You can find us at:

• Log-MD.com

• @HackerHurricane

• @Boettcherpwned

• MalwareArchaeology.com

• HackerHurricane.com (blog)