TOPIC: Windows Logging: Who, What, Where, When, Why
OUR GUEST WILL BE:
David Longenecker - InfoSec Practitioner
Twitter: @dnlongen
Blog: SecurityForRealPeople.com
GitHub - https://github.com/dnlongen
News-Worthy - City of Atlanta hit with ransomware, services taken offline
Atlanta Working 'Around The Clock' To Fight Off Ransomware Attack
“Mayor (Keisha Lance Bottoms) told reporters that cybersecurity is now a top priority for the city.”
“Wi-Fi at Hartsfield-Jackson Atlanta International Airport has been shut down as a precaution”
Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand
“SecureWorks and the city's incident response team are working with law enforcement, including the FBI, Homeland Security and the Secret Service, as well as independent forensics experts and educational partners like Georgia Tech, to determine exactly what happened.”
“I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it,” the mayor said regarding the city's digital infrastructure.
http://malwarejake.blogspot.com/2018/03/atlanta-government-was-compromised-in.html
Malware of the Month
Dridex - Artifacts
1. This came in an email with a URL that auto-downloaded and installed the malware, but it could be delivered by a drive-by as well.
2. Since Dridex uses real signed Microsoft binaries copied to a different directory (not System32), sideloading is easy: the malicious DLL just has to be named after one of the DLLs the binary actually needs and placed in that same folder. The genuine DLL usually is, and should be, located in System32.
3. This method has been making the rounds in con talks, as many tools miss or exclude known-good Microsoft-signed binaries as "Good". A popular tool we all use, Microsoft's Sysinternals Process Explorer, has an option we have all used to hide Microsoft-signed files to make it easier to spot obviously bad processes. Dridex exploits this typical analyst behavior to hide among the known good.
   It is important to note that we designed LOG-MD to see these cases, since WHERE the file is located can be a BIG clue, even if it is a real and signed MS binary.
4. Morphs on reboot - the DLL changes its hash on each reboot, the .EXE changes as well, and the DLL name changes to whatever works for that .exe. So chasing hashes is a waste of time; the hashes you have are not what the rest of us will have.
5. Uses a valid trusted MS-signed binary to launch the bad DLL, which is named for a correct DLL that is needed by the launcher (GamePanel.exe, UxTheme.dll, CameraSettingsUIHost.exe, DUI70.dll, etc.)
6. Autoruns are a .lnk file in the user's Startup folder and a Scheduled Task pointing to another version
7. Files are found in:
   %windir%\System32\5_Char_random_name
   %AppData%\5_Char_random_name
8. Uses svchost.exe to phone home and communicate
9. Opens a hole for Explorer in the Windows Firewall
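The two location clues above (a trusted Microsoft launcher running from somewhere other than System32, and a drop directory made of five random characters under %windir%\System32 or %AppData%) can be checked directly against Security event 4688 process-creation records. The script below is an added example, not LOG-MD code or the author's; the event records, paths and user name are constructed, and the field names follow the 4688 EventData layout (NewProcessName, SubjectUserName). It deliberately keys on where the binary runs from rather than on hashes, because the notes say the hashes change on every reboot.

```python
"""Added example (not LOG-MD or the author's code): flag the Dridex
sideloading artifacts listed above in Windows Security 4688 process-creation
records. It keys on WHERE a binary runs from, not its hash."""
import re
from typing import Dict, List

# Launcher binaries named in the show notes; genuine copies live in System32.
KNOWN_MS_LAUNCHERS = {"gamepanel.exe", "camerasettingsuihost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Executable inside a 5-character directory directly under System32 or %AppData%
# (%AppData% resolves to C:\Users\<user>\AppData\Roaming).
RANDOM_DROP_DIR = re.compile(
    r"^(?:c:\\windows\\system32|c:\\users\\[^\\]+\\appdata\\roaming)"
    r"\\[a-z0-9]{5}\\[^\\]+$",
    re.IGNORECASE,
)


def suspicious_reasons(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single 4688 record matches the Dridex pattern."""
    if event.get("EventID") != "4688":
        return []
    path = event.get("NewProcessName", "")
    folder, _, name = path.lower().rpartition("\\")
    reasons = []
    if name in KNOWN_MS_LAUNCHERS and folder != SYSTEM32:
        reasons.append(
            f"trusted Microsoft binary {name} running from {folder} instead of System32")
    if RANDOM_DROP_DIR.match(path.lower()):
        reasons.append(
            "executable in a 5-character random directory under System32 or %AppData%")
    return reasons


def scan_process_events(events) -> Dict[str, List[str]]:
    """Map each suspicious process path to its reasons; clean events are omitted."""
    flagged = {}
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            flagged[ev["NewProcessName"]] = reasons
    return flagged


# Constructed, simplified 4688 records for this example (paths and user invented).
SAMPLE_EVENTS = [
    {"EventID": "4688", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "4688", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\GamePanel.exe"},
    {"EventID": "4688", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\qwzrt\GamePanel.exe"},
    {"EventID": "4688", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Users\alice\AppData\Roaming\kd9fa\CameraSettingsUIHost.exe"},
    {"EventID": "4624", "SubjectUserName": "alice"},  # logon event, ignored
]

if __name__ == "__main__":
    for path, reasons in scan_process_events(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The random-directory regex is a heuristic: a legitimate five-letter folder directly under System32 (spool, for instance) will match, so pair it with an allowlist built from a clean baseline rather than treating a hit as proof. The point the example makes is the one the notes make: a signed Microsoft binary is only "known good" when it is also in its known-good location.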
Site-Worthy
Guest - David Longenecker
https://attack.mitre.org/wiki/Main_Page - Adversarial Tactics, Techniques & Common Knowledge. A repository of things for which to ask yourself, "would I detect this? Would it set off any alarms?"
https://jpcertcc.github.io/ToolAnalysisResultSheet/ - dozens of tools and exploitation techniques, with detailed artifacts generated by those actions. Again, a great resource for asking "how would I detect this?"
Tool-Worthy
LOG-MD
Guest - David Longenecker
https://blog.didierstevens.com/my-software/ - Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools (https://blog.didierstevens.com/programs/pdf-tools/) a fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.
Topic of the Day
Windows Logging, Who, What, Where, When, Why
1. Why is logging important?
   Incident took place...what happened? I don’t know!
   Research / hunting
   Alerts
2. Windows default logging
   Some of the improvements since XP
   Default is painfully bad, so at minimum set the following:
     4688
     5156
     PowerShell
     CMD line logging
   Make checks for
3. Where does one start to improve logging?
   Industry standards
   Cheat sheet(s)
4. Gaps in the industry standards
   Why are they inadequate
5. Log configurations/properties
   Log sizes
   FIFO
6. Centralized / forwarded vs. local logging
   Why some things shouldn’t be forwarded
   Log “nice-to-haves” locally (it won’t kill the box - Microsoft article)
7. What tools can you use to collect local logs?
   Wevtutil
   PowerShell
   LOG-MD
8. Filtering logs on the endpoint
9. 3rd party logging utilities
   Sysmon
   WLS
10. Advanced logging
   NEW - The Windows Advanced Logging Cheat Sheet
11. Log attacks
   Clear the logs
   Stop the logging service
   Change size to 1k
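The log-configuration items (log sizes, FIFO) and the log-attack items (clear the logs, stop the logging service, shrink the log) are all things a defender can check for, and wevtutil is one of the tools listed for doing so. The script below is an added example, not LOG-MD code or the author's: it parses the key/value output of `wevtutil gl Security` and flags a disabled channel or a maximum size below a floor (the floor value is an assumption to tune per environment), and it scans Security event records for the log being cleared (event 1102) or the event logging service shutting down (event 1100). The wevtutil output and the event records are constructed for this example and trimmed to the fields it reads.

```python
"""Added example (not LOG-MD or the author's code): detect the log attacks
in the outline above from log configuration and from the log itself."""
import re
from typing import Dict, List

# Assumed floor for the Security log; the show notes only say defaults are too small.
MIN_SECURITY_LOG_BYTES = 1024 * 1024 * 1024

# Security log event IDs that record tampering with the log itself.
TAMPER_EVENTS = {
    "1102": "the audit log was cleared",
    "1100": "the event logging service has shut down",
}


def parse_wevtutil_gl(text: str) -> Dict[str, str]:
    """Flatten the `key: value` lines of `wevtutil gl <log>` into a dict.
    Section headers such as `logging:` carry no value and are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+):\s*(.*)$", line)
        if m and m.group(2).strip():
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def log_config_findings(cfg: Dict[str, str],
                        min_bytes: int = MIN_SECURITY_LOG_BYTES) -> List[str]:
    """Flag a disabled channel or a maximum size below the floor.
    With retention false (the default FIFO behaviour) a tiny maxSize means the
    oldest events are overwritten almost immediately, which is the point of
    the 'change size to 1k' attack."""
    findings = []
    name = cfg.get("name", "?")
    if cfg.get("enabled", "true").lower() != "true":
        findings.append(f"{name} log channel is disabled")
    size = int(cfg.get("maxSize", "0"))
    if size < min_bytes:
        mode = "FIFO overwrite" if cfg.get("retention", "false").lower() == "false" else "retain"
        findings.append(f"{name} maxSize is {size} bytes ({mode}), below the {min_bytes} byte floor")
    return findings


def log_attack_findings(events) -> List[str]:
    """Report every cleared-log or service-shutdown event, with who did it when."""
    return [
        f"{ev.get('TimeCreated', '?')}: {TAMPER_EVENTS[ev['EventID']]} "
        f"(subject {ev.get('SubjectUserName', '?')})"
        for ev in events if ev.get("EventID") in TAMPER_EVENTS
    ]


# Constructed `wevtutil gl Security` output after someone shrank the log to 1k
# (trimmed to the fields this example reads).
SAMPLE_WEVTUTIL_GL = """name: Security
enabled: true
type: Admin
isolation: Custom
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 1024
"""

# Constructed, simplified Security log records (timestamps and user invented).
SAMPLE_EVENTS = [
    {"EventID": "4688", "TimeCreated": "2000-01-01T10:00:00Z", "SubjectUserName": "alice"},
    {"EventID": "1102", "TimeCreated": "2000-01-01T10:05:12Z", "SubjectUserName": "alice"},
    {"EventID": "1100", "TimeCreated": "2000-01-01T10:05:40Z"},
]

if __name__ == "__main__":
    for finding in log_config_findings(parse_wevtutil_gl(SAMPLE_WEVTUTIL_GL)):
        print("config:", finding)
    for finding in log_attack_findings(SAMPLE_EVENTS):
        print("event: ", finding)
```

Run the configuration check against real output by piping `wevtutil gl Security` into it on the host, and run the event check against forwarded copies of the Security log, since an attacker who clears the local log removes the 1102 record's neighbours along with it; this is one of the reasons the outline argues for forwarding.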
-----------------------------------------------------------------------------------------------