John McLeod & Mike Pilkington SANS DFIR Summit 2013


Disclaimer: The opinions expressed in this presentation are our own and may not reflect the opinions of our company.

Work for a Fortune 500 company in the oil & gas industry

Mike is also a SANS Instructor

John is retired AFOSI

Combined 30+ years of computer security experience

Both hold various certifications and higher level degrees

Oh…and Mike is a UT grad.

A bit about evil

System Center Configuration Manager (SCCM)

Windows Host logging

Even though we have the “talking stick,” feel free to ask questions

Hide in plain sight

▪ Rename Windows files: Cmd.exe, AcroRd32.exe, diskmgmt.exe, etc.

▪ Name files the same for years: Ctfmon.exe

▪ Persistent mechanisms: …\Start Menu\Programs\Startup

| File \ Location | known | unknown |
|---|---|---|
| known | Known knowns, e.g. a known EVIL file is located in a known place | Known unknowns, e.g. a known EVIL file is located in an unknown place |
| unknown | Unknown knowns, e.g. an unknown file is located in a known place | Unknown unknowns, e.g. an unknown EVIL file is somewhere in your enterprise |

SQL knowledge

Read-only, backend access to the SCCM database

Microsoft SQL Server Management Studio

Although this presentation details SCCM, the concepts can be used on other similar platforms

System Center Configuration Manager (SCCM)

Formerly Systems Management Server (SMS)

Product by Microsoft for managing large groups of Windows-based computer systems

Puts agent on host; sends data back

Backend: MSSQL

Software metering is a feature of SCCM designed to track the usage of applications

It identifies which software applications (and executable files) are being used, and who is using them

The software metering client agent must be enabled in order to find EVIL using SCCM

Structured Query Language (SQL)

Special-purpose programming language designed for managing data held in a relational database management system (RDBMS)

The most common operation in SQL is the query, which is performed with the declarative SELECT statement

More information

http://www.w3schools.com/sql/


Microsoft does not publish the schema, but… Creating Custom Reports By Using Configuration Manager 2007 SQL Views: http://www.microsoft.com/en-us/download/details.aspx?id=22052

Configuration Manager 2007 SQL View Schema Microsoft Visio document (CM2007SQLViewsSchema.vsd): Provides the Configuration Manager 2007 SQL views schema, organized by category.

Configuration Manager 2007 SQL Views Excel spreadsheet (CM2007SQLViews.xls): Provides a list of the Configuration Manager 2007 SQL views with descriptions, a list of the SQL views and columns ordered by SQL view name, and a list of the SQL views and columns ordered by column name.

The views are organized into these categories: Asset Intelligence, Client Deployment, Client Health, Collection, Desired Configuration, Discovery, Hardware Inventory, Mobile Device Mgt, Network Access Protection, Operating System Deployment, Query, Reporting, Schema, Site, Security, Software Distribution, Software Inventory, Software Metering, Software Updates, Status, Wake On LAN

Inventoried data includes: AD Domain Name, AD Site Name, IP Address, Netbios Name, Hardware info, User ID, OS Service Pack, Registered User, Last Boot Time, Logon Date, Domain, System Type, Autostart Software

-- Files whose version info says "Windows Command Processor" but which are not named cmd.exe
SELECT LastUsedTime0, Name0, FolderPath0, ExplorerFileName0, OriginalFileName0, FileDescription0
FROM v_GS_SYSTEM
INNER JOIN v_GS_CCM_RECENTLY_USED_APPS
    ON v_GS_SYSTEM.ResourceID = v_GS_CCM_RECENTLY_USED_APPS.ResourceID
WHERE v_GS_CCM_RECENTLY_USED_APPS.TimeStamp > '2012-03-01 00:00:00.000'
    AND FolderPath0 LIKE 'c:\%'
    AND FileDescription0 LIKE 'Windows Command Processor'
    AND NOT ExplorerFileName0 LIKE 'cmd.exe'
ORDER BY LastUsedTime0

| LastUsedTime0 | Name0 | FolderPath0 | ExplorerFileName0 | OriginalFileName0 | FileDescription0 |
|---|---|---|---|---|---|
| 7/18/2012 7:11 | TESTBOX5 | C:\Intel\ | ctfmon.exe | cmd.exe | Windows Command Processor |
| 5/28/12 20:03 | TESTBOX3 | C:\WINDOWS\system32\ | sethc.exe | cmd.exe | Windows Command Processor |
| 3/30/12 0:39 | TESTBOX1 | C:\WINDOWS\system32\ | sethc.exe | cmd.exe | Windows Command Processor |
| 3/2/12 5:19 | TESTBOX4 | C:\WINDOWS\system32\ | sethc.exe | cmd.exe | Windows Command Processor |

-- Executed files whose on-disk name does not end in .exe
SELECT LastUsedTime0, Name0, FolderPath0, ExplorerFileName0, OriginalFileName0, FileDescription0
FROM v_GS_SYSTEM
INNER JOIN v_GS_CCM_RECENTLY_USED_APPS
    ON v_GS_SYSTEM.ResourceID = v_GS_CCM_RECENTLY_USED_APPS.ResourceID
WHERE v_GS_CCM_RECENTLY_USED_APPS.TimeStamp > '2012-03-01 00:00:00.000'
    AND FolderPath0 LIKE 'c:\%'
    AND NOT ExplorerFileName0 LIKE '%.exe'
ORDER BY LastUsedTime0

| LastUsedTime0 | Name0 | FolderPath0 | ExplorerFileName0 | OriginalFileName0 | FileDescription0 |
|---|---|---|---|---|---|
| 7/18/2012 7:11 | TESTBOX6 | C:\Users\(userid)\ | Bat.vbs | NULL | NULL |
| 7/4/12 20:03 | TESTBOX9 | C:\Users\(userid)\AppData\Local\Temp\ | System.gif | testest.exe | testtest |
| 5/30/12 0:39 | TESTBOX2 | C:\WINDOWS\system32\ | wqrtuiwl.dll | NULL | NULL |
| 4/2/12 5:19 | TESTBOX4 | C:\Users\(userid)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ | flvvideo.dll | ffmpeg.exe | FFmpeg video converter |

-- Anything executed from a Startup folder (persistence)
SELECT LastUsedTime0, Name0, FolderPath0, ExplorerFileName0, OriginalFileName0, FileDescription0
FROM v_GS_SYSTEM
INNER JOIN v_GS_CCM_RECENTLY_USED_APPS
    ON v_GS_SYSTEM.ResourceID = v_GS_CCM_RECENTLY_USED_APPS.ResourceID
WHERE v_GS_CCM_RECENTLY_USED_APPS.TimeStamp > '2012-03-01 00:00:00.000'
    AND FolderPath0 LIKE 'c:\%'
    AND FolderPath0 LIKE '%Programs\Startup%'
ORDER BY LastUsedTime0

| LastUsedTime0 | Name0 | FolderPath0 | ExplorerFileName0 | OriginalFileName0 | FileDescription0 |
|---|---|---|---|---|---|
| 7/18/12 14:56 | TESTBOX1 | C:\Documents and Settings\(userid)\Start Menu\Programs\Startup\ | Update.exe | NULL | NULL |
| 3/28/12 20:03 | TESTBOX2 | C:\Users\(userid)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ | Update.exe | Update.exe | Document Updater |
| 3/30/12 0:39 | TESTBOX3 | C:\Documents and Settings\(userid)\Start Menu\Programs\Startup\ | Ctfmon.exe | NULL | AVG Basic Interface |
| 4/2/12 5:19 | TESTBOX4 | C:\Users\(userid)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ | flvvideo.dll | ffmpeg.exe | FFmpeg video converter |

Once a host to investigate has been identified, run an SCCM history for that host:

▪ WHERE Name0 LIKE 'hostname'

The output may contain a group of commands showing evil activity

| LastUsedTime0 | Name0 | FolderPath0 | ExplorerFileName0 | OriginalFileName0 | FileDescription0 |
|---|---|---|---|---|---|
| 7/18/2012 7:11 | TESTBOX5 | C:\Intel\ | ctfmon.exe | cmd.exe | Windows Command Processor |
| 7/18/2012 7:12 | TESTBOX5 | C:\WINNT\system32\ | net.exe | net.exe | Net Command |
| 7/18/2012 7:25 | TESTBOX5 | C:\Intel\ | hil.exe | NULL | Installer |
| 7/18/2012 7:27 | TESTBOX5 | C:\WINNT\system32\ | ping.exe | ping.exe | TCP/IP Ping Command |
| 7/18/2012 7:32 | TESTBOX5 | C:\WINNT\system32\ | sc.exe | sc.exe | |
| 7/18/2012 7:40 | TESTBOX5 | C:\WINNT\system32\ | tasklist.exe | tasklist.exe | Task List |
| 7/18/2012 7:40 | TESTBOX5 | C:\WINNT\system32\ | find.exe | find.exe | Find String (grep) Utility |
| 7/18/2012 7:41 | TESTBOX5 | C:\WINNT\system32\ | netstat.exe | netstat.exe | TCP/IP Netstat Command |
| 7/18/2012 7:41 | TESTBOX5 | C:\WINNT\system32\ | taskkill.exe | taskkill.exe | Kill Process |

Lots of false positives until you know your environment

NOT and wildcards are your friends

Timestamps: last time used vs time received

Do not consider software metering to be authoritative: an attacker could send invalid information to SCCM

Information is deleted periodically; only the most current data is in the database
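The four queries above (renamed command processor, non-.exe files, Startup-folder persistence, and the per-host history) replayed against an in-memory SQLite copy of the two views, as an added example that is not part of the presentation. The view and column names are the ones used on the slides; the rows, the hunt names and the helper functions are constructed for the demo, and the rows are built so that the inventory-received TimeStamp and the client-reported LastUsedTime0 can be told apart.

```python
"""Replay the presentation's SCCM software-metering hunts against SQLite.

Added example, not the presenters' code. The view and column names are the ones
used on the slides; the rows are constructed to resemble the slide results.
TimeStamp is when SCCM received the inventory record, LastUsedTime0 is when the
client says the file ran; the two can differ, and neither is authoritative
because the client supplies both.
"""
import sqlite3

SCHEMA = """
CREATE TABLE v_GS_SYSTEM (ResourceID INTEGER PRIMARY KEY, Name0 TEXT);
CREATE TABLE v_GS_CCM_RECENTLY_USED_APPS (
    ResourceID INTEGER, TimeStamp TEXT, LastUsedTime0 TEXT, FolderPath0 TEXT,
    ExplorerFileName0 TEXT, OriginalFileName0 TEXT, FileDescription0 TEXT);
"""

SYSTEMS = [(1, "TESTBOX1"), (5, "TESTBOX5"), (6, "TESTBOX6")]

# Constructed rows: (ResourceID, TimeStamp, LastUsedTime0, FolderPath0,
#                    ExplorerFileName0, OriginalFileName0, FileDescription0)
APPS = [
    (5, "2012-07-19 03:00:00.000", "2012-07-18 07:11:00", "C:\\Intel\\",
     "ctfmon.exe", "cmd.exe", "Windows Command Processor"),      # renamed cmd.exe
    (5, "2012-07-19 03:00:00.000", "2012-07-18 07:12:00", "C:\\WINNT\\system32\\",
     "net.exe", "net.exe", "Net Command"),
    (1, "2012-03-31 03:00:00.000", "2012-03-30 00:39:00", "C:\\WINDOWS\\system32\\",
     "sethc.exe", "cmd.exe", "Windows Command Processor"),       # version info says cmd.exe
    (1, "2012-03-31 03:00:00.000", "2012-03-30 00:40:00", "C:\\WINDOWS\\system32\\",
     "cmd.exe", "cmd.exe", "Windows Command Processor"),         # legitimate
    (6, "2012-07-19 03:00:00.000", "2012-07-18 07:11:00", "C:\\Users\\(userid)\\",
     "Bat.vbs", None, None),                                     # not an .exe
    (1, "2012-07-19 03:00:00.000", "2012-07-18 14:56:00",
     "C:\\Documents and Settings\\(userid)\\Start Menu\\Programs\\Startup\\",
     "Update.exe", None, None),                                  # Startup persistence
    (1, "2012-02-01 03:00:00.000", "2012-01-31 10:00:00", "C:\\WINDOWS\\system32\\",
     "sethc.exe", "cmd.exe", "Windows Command Processor"),       # received before window
]

# Shared prefix of every query on the slides; the host filter is one more
# predicate, so the per-host history is the same query with a hostname.
BASE = """
SELECT LastUsedTime0, Name0, FolderPath0, ExplorerFileName0,
       OriginalFileName0, FileDescription0
FROM v_GS_SYSTEM
INNER JOIN v_GS_CCM_RECENTLY_USED_APPS
    ON v_GS_SYSTEM.ResourceID = v_GS_CCM_RECENTLY_USED_APPS.ResourceID
WHERE v_GS_CCM_RECENTLY_USED_APPS.TimeStamp > ?
  AND FolderPath0 LIKE 'c:\\%'
  AND Name0 LIKE ?
"""

HUNTS = {
    # version info says "Windows Command Processor" but the file is not cmd.exe
    "renamed_cmd": "AND FileDescription0 LIKE 'Windows Command Processor' "
                   "AND NOT ExplorerFileName0 LIKE 'cmd.exe'",
    # executed files whose name does not end in .exe
    "non_exe": "AND NOT ExplorerFileName0 LIKE '%.exe'",
    # anything launched from a Startup folder
    "startup": "AND FolderPath0 LIKE '%Programs\\Startup%'",
    # no extra predicate: full history, normally combined with a hostname
    "history": "",
}


def build_db():
    """In-memory stand-in for read-only access to the SCCM views."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO v_GS_SYSTEM VALUES (?, ?)", SYSTEMS)
    conn.executemany(
        "INSERT INTO v_GS_CCM_RECENTLY_USED_APPS VALUES (?, ?, ?, ?, ?, ?, ?)", APPS)
    return conn


def run_hunt(conn, hunt, since="2012-03-01 00:00:00.000", host="%"):
    """Run one slide query; returns rows ordered by LastUsedTime0.
    `host` is a LIKE pattern, so the default '%' means every host."""
    sql = BASE + HUNTS[hunt] + " ORDER BY LastUsedTime0"
    return conn.execute(sql, (since, host)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for name in HUNTS:
        print(f"== {name} ==")
        for row in run_hunt(db, name, host="TESTBOX5" if name == "history" else "%"):
            print("  ", row)
```

SQLite's LIKE is case-insensitive for ASCII, like the default SQL Server collation, so the 'c:\%' prefix matches 'C:\' paths in both. Widening `since` pulls in the row whose inventory was received before the window even though it was used earlier still, which is the "last time used vs time received" distinction in practice.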

Enabling & locating useful logs for IR

SCCM Metering Logs

Event Logs

Others too, which we won’t have time to discuss…

▪ Windows Firewall Logs

▪ Commercial AV Logs

▪ MS Antimalware Logs

▪ Scheduled Tasks Logs

Remote searching & collection using PowerShell

Provides a local archive of inventoried software

Located in either:

▪ 32-bit: %systemroot%\system32\ccm\logs\mtrmgr.*

▪ 64-bit: %systemroot%\syswow64\ccm\logs\mtrmgr.*

Example Entry:

<![LOG[Process ID 9844 is for process C:\WINDOWS\system32\schtasks.exe]LOG]!><time="19:00:08.359+300" date="06-25-2013" component="mtrmgr" context="" type="1" thread="6988" file="processdata.cpp:141">

Often many deleted versions exist in unallocated space; therefore, search/carve for entries with the signature “<![LOG[”
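A parser for this entry format that also carves complete entries out of an arbitrary byte run, as an added example that is not part of the presentation. The first sample entry is the one on the slide; the second entry, the truncated fragment, the expected-folder allow-list and the function names are constructed for the demo, and treating the "+300" suffix as a minutes bias is an assumption noted in the code.

```python
"""Parse and carve SCCM software-metering (mtrmgr.log) entries.

Added example, not the presenters' code. The first entry in SAMPLE is the one
shown on the slide; the second is constructed, and the tail is a constructed
fragment standing in for a truncated record recovered from unallocated space.
"""
import re
from datetime import datetime, timedelta, timezone

SIGNATURE = "<![LOG["   # the carving signature named on the slide

SAMPLE = (
    '<![LOG[Process ID 9844 is for process C:\\WINDOWS\\system32\\schtasks.exe]LOG]!>'
    '<time="19:00:08.359+300" date="06-25-2013" component="mtrmgr" context="" '
    'type="1" thread="6988" file="processdata.cpp:141">\r\n'
    '<![LOG[Process ID 1200 is for process C:\\Intel\\ctfmon.exe]LOG]!>'
    '<time="19:01:15.002+300" date="06-25-2013" component="mtrmgr" context="" '
    'type="1" thread="6988" file="processdata.cpp:141">\r\n'
    '\x00\x00\x00<![LOG[Process ID 77 is for process C:\\Intel\\hil.exe]LOG]!>'
    '<time="19:02:00.000+300" date="06-2'
)

ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'                 # message body
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'(?P<attrs>[^>]*)>',                              # remaining key="value" pairs
    re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
PROCESS = re.compile(r'Process ID (?P<pid>\d+) is for process (?P<path>\S.*)')


def parse_timestamp(time_s, date_s):
    """'19:00:08.359+300' + '06-25-2013' -> timezone-aware UTC datetime.
    Assumption: the numeric suffix is a Windows-style bias in minutes, so
    UTC = local + bias (the CMTrace log convention)."""
    m = re.fullmatch(r'(\d\d:\d\d:\d\d)\.(\d+)([+-]\d+)', time_s)
    hms, frac, bias = m.groups()
    local = datetime.strptime(f"{date_s} {hms}", "%m-%d-%Y %H:%M:%S")
    local = local.replace(microsecond=int(frac.ljust(6, "0")[:6]))
    return (local + timedelta(minutes=int(bias))).replace(tzinfo=timezone.utc)


def carve(buf):
    """Return (entries, signature_count).
    Every complete entry anywhere in buf is parsed, whatever surrounds it;
    signature_count minus len(entries) is the number of truncated fragments
    that deserve a manual look."""
    entries = []
    for m in ENTRY.finditer(buf):
        attrs = dict(ATTR.findall(m.group("attrs")))
        entry = {
            "msg": m.group("msg"),
            "utc": parse_timestamp(m.group("time"), m.group("date")),
            "component": attrs.get("component"),
            "thread": attrs.get("thread"),
            "pid": None,
            "path": None,
        }
        proc = PROCESS.search(entry["msg"])
        if proc:
            entry["pid"] = int(proc.group("pid"))
            entry["path"] = proc.group("path").strip()
        entries.append(entry)
    return entries, buf.count(SIGNATURE)


# Constructed allow-list for the demo: where a given binary is expected to live.
EXPECTED_DIR = {"ctfmon.exe": "c:\\windows\\system32\\"}


def out_of_place(entries, expected=EXPECTED_DIR):
    """Entries naming a known binary that ran from somewhere other than its
    expected folder (the 'known file in an unknown place' case)."""
    hits = []
    for e in entries:
        if not e["path"]:
            continue
        folder, _, name = e["path"].lower().rpartition("\\")
        if name in expected and folder + "\\" != expected[name]:
            hits.append((e["pid"], e["path"]))
    return hits


if __name__ == "__main__":
    found, seen = carve(SAMPLE)
    print(f"{seen} signatures, {len(found)} complete entries")
    for e in found:
        print(e["utc"].isoformat(), e["pid"], e["path"])
    print("out of place:", out_of_place(found))
```

Because the regex anchors on the full `<![LOG[...]LOG]!><time=... date=...>` frame rather than on line breaks, the same function works on a live log file and on a blob carved from unallocated space; the fragment at the end of SAMPLE is counted but not parsed.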

When configured appropriately, Event Logs can tell us a ton, such as:

Software installed or uninstalled

Processes run and by whom, including parent process

Services installed, started, and stopped

User logons, including source IP and hostname if remote

Users added and removed

Groups modified

Determining the current audit policy can be tricky

Providing recommended auditing levels is tricky too, due to the impact heavy logging can have

Depending on how audit policy is configured, Local Security Policy (secpol.msc) could incorrectly indicate that auditing is disabled.

Despite the Local Security Policy settings, many logs are being created on the machine (184K over 4 months).

Unfortunately you cannot trust the Local Security Policy or Group Policy reporting tools such as GPRESULT or RSOP. Explanation here:

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

Instead, use AUDITPOL…

Run “auditpol” to determine the actual settings. For example: auditpol /get /category:*

It depends!

Requires consideration and testing for your individual environment.

A great new resource is Microsoft’s whitepaper titled “Best Practices for Securing Active Directory”

Download from http://aka.ms/bpsad

Developed by Microsoft’s Information Security and Risk Management (ISRM) organization

Paper covers:

▪ Common attacks against Active Directory

▪ Countermeasures to reduce the attack surface

▪ Monitoring Active Directory for signs of compromise

▪ Recommendations for recovery

My overview of the Best Practices paper:

▪ SANS Forensics Blog: http://computer-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory

Start with Microsoft’s strongest recommendations

Set up test groups via Group Policy

Weigh the value of the acquired logs against the impact on performance

Where necessary, tighten the audit policy to reduce performance impact

Use Randy Franklin Smith’s site to supplement your analysis

Identify event types that were not in your sample: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Site also gives the pre-Vista ID # (and vice versa)

Many good commercial solutions:

SIEMs such as ArcSight, Splunk, QRadar, etc.

Good (Splunk-like) open source options too:

ELSA: uses Sphinx for full-text indexing

Logstash: uses ElasticSearch for full-text indexing

▪ Kibana is an alternative WebUI for Logstash

Graylog2: ElasticSearch for full-text indexing & MongoDB for stats

Can’t always forward the logs

For example, often hard to get logs off of end-user machines

For IR, PowerShell may be useful for querying remote logs

Specifically, use PowerShell “Remoting”

Processing takes place on remote hosts – only results are returned


WinRM is designed to provide management communications services for any number of applications

PowerShell “Remoting” being one of those

Event Log Forwarding is another

HTTP is default transport, yet still encrypted via Negotiate or Kerberos SSP

Installed by default on Vista and higher. Available for XP and Server 2003 R2.


Processing occurs on the remote machine

Run commands interactively (ssh/telnet-like) via Enter-PSSession -ComputerName <hostname>

Run commands non-interactively, but still processed on the remote machine, via the Invoke-Command cmdlet: Invoke-Command -ComputerName <host1,host2,etc.> -Command { <enter command here to run ON remote machine> }

Allows concurrent parallel connections rather than sequential connections

Does not result in an interactive logon!

Thus no exposure for passwords, hashes, or Kerberos tickets

Does not create a delegate-level impersonation token, so there is no “double-hop” from the remote machine to a third one

To allow delegation, must enable a specific feature (CredSSP) on both client & server – don’t do this!

Network authentication via Kerberos

Machines are mutually authenticated

By using Invoke-Command, all processing within the -Command parameter’s {braces} occurs on the remote machine

Event Log Example: Find Security events after 5/31/2013 with message contents “ATTACK-ACCT”:

Invoke-Command -ComputerName CompA,CompB -Command { Get-EventLog -LogName Security -After "Friday, May 31, 2013 12:00:00 AM" -Message *ATTACK-ACCT* }

Log-file Example: Find SCCM Meter log entries with a filename that includes “.jpg”; output to an interactive table with sortable columns (the dot is escaped because -Pattern is a regular expression):

Invoke-Command -ComputerName CompA,CompB -Command { Select-String -Path C:\Windows\syswow64\ccm\logs\mtrmgr*.log -Pattern "\.jpg" } | Out-GridView

The Big Con: Does not work with legacy (EVT) logs

The Big Pro: Provides stronger filtering through the XPath Query Language

Example: Find Event ID 4624 logon from user MIKE between 6/1/13 and 6/25/13 (Get-WinEvent’s -ComputerName takes a single host; wrap it in Invoke-Command to query several):

Get-WinEvent -ComputerName CompA -FilterXml '<QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4624) and TimeCreated[@SystemTime &gt;= "2013-06-01T00:00:00.000Z" and @SystemTime &lt;= "2013-06-25T23:59:59.999Z"]]] and *[EventData[Data[@Name="SubjectUserName"] and (Data="mike")]]</Select></Query></QueryList>'

Microsoft’s built-in Event Viewer can help build XPath queries:
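When Event Viewer is not at hand, the same QueryList/Query/Select structure can be generated from plain values, as in this added example that is not part of the presentation. It generalizes the slide's query to any set of Event IDs, a UTC time window and an optional EventData field, and checks that the result parses as XML, which catches the most common mistake when hand-editing these filters: a raw `<=` inside the XML where the slide correctly has `&lt;=`. All function names are this example's own.

```python
"""Build the FilterXml argument for Get-WinEvent from plain values.

Added example, not the presenters' code. Function names are this example's own.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def to_systemtime(dt):
    """Format a datetime the way the event log stores TimeCreated/@SystemTime
    (UTC, millisecond precision, trailing Z). A naive datetime is assumed UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_xpath(event_ids, start, end, data_name=None, data_value=None):
    """Plain XPath (not yet XML-escaped) selecting events by ID and time window,
    optionally requiring an EventData field such as SubjectUserName."""
    ids = " or ".join(f"EventID={int(i)}" for i in event_ids)
    xpath = (f'*[System[({ids}) and TimeCreated[@SystemTime >= "{to_systemtime(start)}" '
             f'and @SystemTime <= "{to_systemtime(end)}"]]]')
    if data_name is not None:
        if data_value is None:
            raise ValueError("data_value is required with data_name")
        for v in (data_name, data_value):
            if '"' in v or "]" in v:
                raise ValueError("value would break out of the XPath predicate")
        xpath += f' and *[EventData[Data[@Name="{data_name}"] and (Data="{data_value}")]]'
    return xpath


def build_filter_xml(xpath, log="Security"):
    """Wrap the XPath in the QueryList/Query/Select structure Get-WinEvent
    expects, escaping < > & so the document stays well-formed."""
    doc = (f'<QueryList><Query Id="0"><Select Path="{escape(log)}">'
           f'{escape(xpath)}</Select></Query></QueryList>')
    ET.fromstring(doc)          # raises ParseError if the escaping went wrong
    return doc


def select_xpath(filter_xml):
    """Inverse check: recover the XPath from a FilterXml string."""
    return ET.fromstring(filter_xml).find("./Query/Select").text


def is_well_formed(xml_text):
    """True if the text parses as XML; a raw '<=' in the XPath makes it False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def powershell_line(filter_xml, computer):
    """Get-WinEvent -ComputerName accepts one host; fan out with Invoke-Command."""
    return f"Get-WinEvent -ComputerName {computer} -FilterXml '{filter_xml}'"


if __name__ == "__main__":
    xp = build_xpath([4624], datetime(2013, 6, 1),
                     datetime(2013, 6, 25, 23, 59, 59, 999000),
                     "SubjectUserName", "mike")
    print(powershell_line(build_filter_xml(xp), "CompA"))
```

The generated document contains no single quotes, so it can be pasted as a single-quoted PowerShell string exactly as the slide does; the `is_well_formed` check is what tells you, before running anything remotely, whether an edited query will be rejected by the event log service.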


Find event log files with 1 or more events: Get-WinEvent -ListLog * | Where-Object { $_.RecordCount }

Run against offline event log files: Get-WinEvent -Path <path to .evtx file(s)>

Check for installed antimalware clients: Get-WmiObject antispywareproduct -namespace root\securitycenter2

Nice TechNet article on building XPath filters: http://blogs.technet.com/b/heyscriptingguy/archive/2011/03/09/discover-how-to-filter-remote-event-log-entries-in-windows-vista.aspx

Secrets of PowerShell Remoting, a free book by Don Jones and Dr. Tobias Weltner: http://powershellbooks.com/

Learn Windows PowerShell 3 in a Month of Lunches, by Don Jones: http://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617291080