© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
Deleted Evidence
Fill in the Map to Luke Skywalker
Agenda
Causes of Deletion
- Automated, Manual, Antivirus
Artifacts of File Creation
- NTFS Metadata files
Artifacts of File Access
- WMI, Application Compatibility
- Many more…
Introductions
Mary Singh
Senior Consultant with Mandiant, 6 years
- DFIR for APT, Financial, and Healthcare Cases
Dave Pany
Consultant with Mandiant, 3 years
- DFIR for APT, Financial, and Healthcare Cases
18 years combined experience in information security
Alexandria, VA office
Causes of File Deletion
When an attacker creates a file, it can be deleted in different ways
Automatic
- Self destruction built into the malware
- Dropper auto delete
Manual
- Delete your evil file? Y
- Check Recycle Bin (yes this happens)
Antivirus
- AV may delete the dropper only
- Attacker creates new variant in response
Recovering Deleted Attacker Files
Deleted files cannot always be recovered
Chance of file recovery depends on:
- How the file was deleted
- The level of activity/data rewrites on the disk
- Disk hardware
• Size of the disk
• Type of drive (e.g. SSD)
If the file cannot be recovered, file metadata is recorded in other Windows artifacts
ARTIFACTS OF FILE CREATION
NTFS Metadata files
NTFS Metadata Files: $MFT
Does the file look $expensive? Then it’s an NTFS Metadata File…
- $MFT, $LogFile, $UsnJrnl, $I30
$MFT: When a file is created, a corresponding $MFT record is also created
File data in the $MFT $DATA attribute
- If the file is small enough (<700 bytes), the file contents will be in the $MFT record itself (called resident data)
- Small malware configuration files or output files may fall into this category
[Figure: an MFT entry (bytes 0 to 1024) holding the $STD_INFORMATION, $FILE_NAME and $DATA attributes]
NTFS Metadata Files: $MFT
When a file is deleted, the $MFT entry is marked as “inactive” or free
- File data is retained in $MFT records – “Lost Files” in EnCase come from here
- Until that portion of disk space is reused, the file metadata can be recovered
[Figure: File #1 (record 134) is deleted and its $MFT record is later overwritten by a new file; File #2 (record 135) is deleted and its $MFT record remains recoverable]
Record #  Name                        Flags
28        windows                     Directory, Active
…         …                           …
133       ben.exe                     File, Active
134       robothand (old: greenhand)  File, Active (old: File, Deleted)
135       bluehand                    File, Deleted
136       ewok.txt                    File, Active
…         …                           …
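To show what the two $MFT points above (resident data in small records, and the in-use flag that only gets cleared on deletion) look like in the raw records, here is an added Python example that is not from the slides or from any Mandiant tool: it builds a constructed $MFT slice with one reused record, one deleted-but-intact record carrying a small resident $DATA attribute, and parses each 1024-byte FILE record back out. The record builder omits update-sequence fixups, which a parser for a real $MFT must apply before reading attributes.

```python
import struct

IN_USE, IS_DIR = 0x01, 0x02                      # FILE record header flag bits
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def resident_attr(atype, content):   # 0x18-byte header + content, 8-byte aligned
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, length, 0, 0, 0x18, 0, 0,
                      len(content), 0x18, 0)
    return hdr + content + b"\0" * (length - 0x18 - len(content))

def make_record(recno, name, flags, data=b""):
    """Constructed 1024-byte FILE record (update-sequence fixups omitted)."""
    fn = struct.pack("<Q", 5) + b"\0" * 0x38 + bytes([len(name), 3]) \
        + name.encode("utf-16-le")               # parent ref 5 = root dir
    attrs = resident_attr(ATTR_FILE_NAME, fn)
    if data:                                      # small file -> resident $DATA
        attrs += resident_attr(ATTR_DATA, data)
    hdr = b"FILE" + b"\0" * 0x10 + struct.pack("<HH", 0x38, flags) \
        + b"\0" * 0x14 + struct.pack("<I", recno) + b"\0" * 8   # 0x14, 0x16, 0x2C
    return (hdr + attrs + struct.pack("<I", ATTR_END)).ljust(1024, b"\0")

def parse_record(rec):
    """Return (recno, name, state, resident_data) for one FILE record."""
    if rec[:4] != b"FILE":
        return None
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    recno, = struct.unpack_from("<I", rec, 0x2C)
    name, data = None, b""
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
        body = rec[off + coff:off + coff + clen]
        if atype == ATTR_FILE_NAME:
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and rec[off + 8] == 0:   # 0 = resident
            data = body
        off += alen
    state = ("Directory" if flags & IS_DIR else "File") + ", " + \
        ("Active" if flags & IN_USE else "Deleted")
    return recno, name, state, data

def walk_mft(blob):   # every 1024-byte record, deleted ones included
    return [parse_record(blob[i:i + 1024]) for i in range(0, len(blob), 1024)]
# Constructed $MFT slice mirroring the slide: 134 reused, 135 deleted but intact
MFT = (make_record(134, "robothand", IN_USE)
       + make_record(135, "bluehand", 0, b"server=example.invalid\n")
       + make_record(136, "ewok.txt", IN_USE))
```

Record 135 still yields its name and its resident contents even though the in-use bit is clear; that is exactly what stays recoverable until the record is reused.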
NTFS Metadata Files: $I30
Metadata of Directory Contents
0x30 FN structures with 0x10 SI timestamps
Non-resident INDX records
- https://github.com/williballenthin/INDXParse
- $MFT 0xA0 attribute with data run
NTFS Metadata Files: $I30
Resident INDX records
Exist in 0x90 attribute of a directory’s $MFT record if small enough
Can be resized or moved to non-resident
Slack space is not overwritten after resizing
NTFS Metadata Files: $UsnJrnl
$UsnJrnl records changes to the filesystem (for stability purposes), enabled on Vista+
Journal record: File/directory name, corresponding $MFT Entry, Update Sequence Number (USN), Timestamp, Reason Flag, and more…
Reason Flags
- When a file is created, the “USN_REASON_FILE_CREATE” flag is set
- When a file is deleted, the “USN_REASON_FILE_DELETE” flag is set (shocking I know)
- Full list of reason flags: https://msdn.microsoft.com/en-us/library/aa365722.aspx
The $UsnJrnl is overwritten fairly often, but Journal records can be carved from unallocated space or extracted from Volume Shadow Copy
Resources:
- Cory Harrell’s blog - http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html
- Joakim Schicht’s UsnJrnl2Csv parser - https://github.com/jschicht/UsnJrnl2Csv
NTFS Metadata Files: $UsnJrnl
Case Study – Parsed $UsnJrnl was ~395,000 lines
- Offset, FileName, Timestamp, Reason, MFTReference, MFTReferenceSeqNo, MFTParentReference, more…
125 unique “Reason” Codes. For this case, I focused on:
- DATA_OVERWRITE, FILE_CREATE, RENAME_NEW_NAME
- Searched for “hux.exe” detected by the Windows Defender log
FileName  Timestamp          Reason       MFTReference  MFTReferenceSeqNo  MFTParentReference
hux.exe   01/30/16 11:27:55  FILE_CREATE  104679        140                624
kylo.exe  01/30/16 11:28:23  FILE_CREATE  104736        97                 624
HEADER_MFTRecordNumber  FN_FileName  FilePath   FN_CTime
624                     Windows      :\Windows  02/07/14 22:41:51
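The case-study workflow as an added Python example, not from the slides or from UsnJrnl2Csv: decode the raw USN reason bitmask into USN_REASON_* names, keep only the three reasons of interest, filter on the Defender keyword, and resolve each row's MFTParentReference through a small $MFT name index to rebuild the full path. The hux.exe/kylo.exe values mirror the slide; the extra rows and the Temp directory (record 700) are constructed assumptions.

```python
# USN_REASON_* bit values from winioctl.h (the MSDN list the slide links to)
USN_REASON = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
ROOT = 5                       # $MFT record number of the volume root directory

def decode_reason(mask):
    """Split a USN reason bitmask into flag names; unknown bits are kept as hex."""
    names = [n for bit, n in USN_REASON.items() if mask & bit]
    leftover = mask & ~sum(USN_REASON)
    return names + ([hex(leftover)] if leftover else [])

def resolve_path(mft_ref, names):
    """Walk parent references in a $MFT name index {record: (name, parent)} to root."""
    parts = []
    while mft_ref != ROOT:
        name, mft_ref = names[mft_ref]
        parts.append(name)
    return "\\" + "\\".join(reversed(parts))

def triage(records, names, keyword,
           wanted=("DATA_OVERWRITE", "FILE_CREATE", "RENAME_NEW_NAME")):
    """(timestamp, full path, matching flags) for rows naming keyword with a wanted reason."""
    hits = []
    for r in records:
        keep = [x for x in decode_reason(r["Reason"]) if x in wanted]
        if keep and keyword.lower() in r["FileName"].lower():
            path = resolve_path(r["MFTParentReference"], names)
            hits.append((r["Timestamp"], path + "\\" + r["FileName"], keep))
    return hits

# Constructed inputs mirroring the slide (624 = Windows; 700 = an assumed Temp subfolder)
MFT_NAMES = {624: ("Windows", ROOT), 700: ("Temp", 624)}
USN_ROWS = [
    {"FileName": "hux.exe", "Timestamp": "01/30/16 11:27:55", "Reason": 0x80000100,
     "MFTReference": 104679, "MFTParentReference": 624},
    {"FileName": "hux.exe", "Timestamp": "01/30/16 11:27:56", "Reason": 0x80000003,
     "MFTReference": 104679, "MFTParentReference": 624},
    {"FileName": "kylo.exe", "Timestamp": "01/30/16 11:28:23", "Reason": 0x80000100,
     "MFTReference": 104736, "MFTParentReference": 624},
    {"FileName": "hux.exe", "Timestamp": "01/30/16 11:29:01", "Reason": 0x80002000,
     "MFTReference": 104800, "MFTParentReference": 700},
    {"FileName": "hux.exe", "Timestamp": "01/30/16 11:40:12", "Reason": 0x80000200,
     "MFTReference": 104679, "MFTParentReference": 624},
]
```

The FILE_DELETE row is dropped by the three-reason filter, which is the trade-off the case study made; widen `wanted` when the deletion time itself matters.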
Special Case - SDELETE
Sysinternals Tool
Overwrites file names with AAAA.AAA through ZZZZ.ZZZ
Overwrites file contents
- Likely unrecoverable
Look for EulaAccepted value in registry
- NTUSER.DAT\Software\Sysinternals\SDelete
Search artifacts with this regex:
- ([A-Za-z])\1{2}(~[0-9]\.|\.)([A-Za-z])\1{2}
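Applying the slide's regex, as an added Python example that is not from the slides or from Sysinternals: it tags wipe-pattern names in a constructed list of parsed $UsnJrnl rows and groups them by directory, with a few non-matching names to show what the back-references exclude.

```python
import re

# Regex from the slide: SDelete renames a file AAAA.AAA, BBBB.BBB ... ZZZZ.ZZZ
# (and the matching 8.3 short name, e.g. AAAA~1.AAA) before deleting it
SDELETE_NAME = re.compile(r"([A-Za-z])\1{2}(~[0-9]\.|\.)([A-Za-z])\1{2}")

def is_sdelete_name(name):
    """True if a file name matches the SDelete rename pattern."""
    return SDELETE_NAME.search(name) is not None

def find_sdelete_wipes(records):
    """records: (timestamp, name, parent_dir) tuples from any parsed name source
    ($UsnJrnl, $LogFile, $I30 slack). Wipe-pattern names are grouped per directory,
    in order, so a run like AAAA.AAA, BBBB.BBB, ... in one folder stands out."""
    by_dir = {}
    for ts, name, parent in records:
        if is_sdelete_name(name):
            by_dir.setdefault(parent, []).append((ts, name))
    return by_dir

# Constructed sample of parsed $UsnJrnl rows (timestamp, name, parent directory)
DESK = "C:\\Users\\luke\\Desktop"
SAMPLE = [
    ("06/15/16 03:21:50", "map.txt", DESK),
    ("06/15/16 03:21:51", "AAAA.AAA", DESK),      # SDelete long name
    ("06/15/16 03:21:51", "AAAA~1.AAA", DESK),    # SDelete 8.3 short name
    ("06/15/16 03:21:52", "BBBB.BBB", DESK),
    ("06/15/16 03:21:53", "ZZZZ.ZZZ", DESK),
    ("06/15/16 03:22:00", "aaa.exe", DESK),       # no match: extension differs
    ("06/15/16 03:22:01", "AAAA.BBB", DESK),      # no match: letters must agree
    ("06/15/16 03:22:02", "readme.txt", "C:\\Users\\luke"),
]
```

Because the second half of the regex reuses group 1 (`\1`), the extension letters must equal the name letters, which is what SDelete produces and what keeps names like AAAA.BBB out of the hit list.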
NTFS Metadata Files: $Logfile
NTFS uses the $Logfile to record file creation (and more)
$Logfile contains less history but more detail than $UsnJrnl
- 32,000 records total, will overwrite from beginning
- Tracks file system creation, changes, renames
- Does not track specific changes to data within a file
Event Time         File Name          Event          Detail
06/15/16 01:51:44  Lukes_address.rar  File Creation  N/A
06/15/16 01:52:15  map.txt            Renaming File  Lukes_address.rar -> map.txt
06/15/16 03:22:00  map.txt            File Deletion  N/A
ARTIFACTS OF FILE ACCESS
These are the droids you’re looking for
CCM_RecentlyUsedApps
Records software that executes to generate usage statistics
Requirements
- Connected to SCCM server
- Software Metering enabled
Probably enterprise only
Keyword hits!
Two known structures
- null delimited
- XML (only XP)
CCM_RecentlyUsedApps
Fields
- Company Name
- File Name
- File Description
- File Version
- File Path
- Last Used Time
- Last User Name
- Original File Name
- Product Name
- Launch Count
- More
Locations
- WMI Repository
• Vista+ C:\WINDOWS\system32\wbem\Repository\OBJECTS.DATA
• XP C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
- C:\Windows\CCM\InventoryStore.sdf
• Compact SQL database that should be extracted first
CCM_RecentlyUsedApps
PE Header Metadata
- Most legit files will have this info
- Lack of info helps files stand out
File paths stand out
How can you parse this?
- python-cim for allocated records
- https://github.com/fireeye/flare-wmi/blob/master/python-cim/samples/show_CCM_RecentlyUsedApps.py
- Standalone python carver for all records coming soon!
FileSystemFiles
Another tracker of files present on the system at some point in time
TechNet – “FileSystemFile.log” “records the activity of the Windows Management Instrumentation (WMI) provider for software inventory and file collection.”
FileSystemFiles
Fields:
- Company Name
- Description
- Version
- Last Write Date
- Language
- Name
- Path
- Size
Locations
- XP
• C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
- Vista+
• C:\Windows\CCM\InventoryStore.sdf
- Compact SQL database that should be extracted first
• C:\WINDOWS\system32\wbem\Repository\OBJECTS.DATA
Windows Defender – APT29 Case Study
Built in AV for Windows
Should be enabled by default on workstations – not on servers
Terrible at stopping APT29 – decent at recording their tools
Log file location:
- C:\ProgramData\Microsoft\Windows Defender\Support\MPLog…..log
Microsoft Antimalware
- Azure AV?
- C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog…..log
Windows Defender – APT29 Case Study
Keyword hit in Defender log for known bad 5442.exe
- Scan start time
- File or process path
- Scan results?
Windows Defender – APT29 Case Study
What else do we have?
Application Compatibility Cache
Windows looks at AppCompatCache a.k.a. “ShimCache” to determine if modules require shimming for compatibility
Depending on OS, the Cache data tracks
- file path, size, last modified time, last execution time, and file created in Vista+
Application Compatibility Cache Registry Keys
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility or AppCompatCache\AppCompatCache
1. File executed (file created also tracked in Vista+)
2. File metadata saved in a data structure
3. Data structure added to the registry (SYSTEM hive) on shutdown
Application Compatibility Cache
Most recent on top, written on shutdown
Resources:
- ShimCache Parser - https://github.com/mandiant/ShimCacheParser
- Shimcachemem Volatility plugin - https://github.com/fireeye/Volatility-Plugins/tree/master/shimcachemem
Example
- The files “porkins.exe”, “biggs.exe”, and “obiwan.exe” were not recovered
- “obiwan.exe” was a dropper for “anakin.exe” (malicious file)
Last Modified      Last Update  Path                                                       Size  Exe Flag
08/24/15 13:07:33  N/A          C:\Users\luke\AppData\Local\Temp\tmpc0803709\porkins.exe   N/A   Yes
08/21/15 13:14:21  N/A          C:\Users\luke\AppData\Local\Temp\tmp4313f0ee\biggs.exe     N/A   Yes
02/25/15 18:28:08  N/A          C:\Users\luke\AppData\Roaming\Lspld\anakin.exe             N/A   Yes
08/20/15 18:06:49  N/A          C:\Users\luke\AppData\Local\Temp\obiwan.exe                N/A   Yes
Windows Prefetch
Prefetch stores last 128 files executed (by default)
- Records last run date, path, and the # of times executed
- File creation date may indicate when the file was first run
No Prefetch by default on Windows Servers :-(
Tracks files loaded in the first 10 seconds of execution
- May contain associated libraries, input or output files
Resource: https://github.com/PoorBillionaire/Windows-Prefetch-Parser
Prefetch File Name        Full EXE Path                    Last Ran           # of Times
PHASMA.EXE-19724E9B.pf    C:\PHASMA.EXE                    03/05/16 13:58:00  1
PSEXESVC.EXE-2B528B05.pf  C:\WINDOWS\PSEXESVC.EXE          03/06/16 02:31:30  2
NETSTAT.EXE-31584CCD.pf   C:\WINDOWS\SYSTEM32\NETSTAT.EXE  03/06/16 02:31:58  1
Final Thoughts
Many more artifacts to track deleted evidence
How to catch (almost) all the things:
1) Always research keyword hits
2) Listen to other presentations and webinars
3) Always be learning – new technology/artifacts in new OS versions
4) Be adaptable – think like the attacker
Attackers are sneaky, and they adapt to prevention & detection mechanisms
Thank you!
Mary Singh
@marycheese
David Pany
@davidpany