BDIR Podcast Episode-002

TOPIC: Windows Logging: Who, What, Where, When, Why

OUR GUEST WILL BE:

         David Longenecker - InfoSec Practitioner

  • Twitter: @dnlongen

  • Blog: SecurityForRealPeople.com

  • GitHub - https://github.com/dnlongen

News-Worthy - City of Atlanta hit with ransomware, services taken offline

  1. Atlanta Working 'Around The Clock' To Fight Off Ransomware Attack

    1. “Mayor (Keisha Lance Bottoms) told reporters that cybersecurity is now a top priority for the city.”

    2. “Wi-Fi at Hartsfield-Jackson Atlanta International Airport has been shut down as a precaution”

  2. Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand

    1. “SecureWorks and the city's incident response team are working with law enforcement, including the FBI, Homeland Security and the Secret Service, as well as independent forensics experts and educational partners like Georgia Tech, to determine exactly what happened.”

    2. “I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it.” - the mayor said, regarding digital infrastructure

  3. http://malwarejake.blogspot.com/2018/03/atlanta-government-was-compromised-in.html

  4. https://www.tripwire.com/state-of-security/latest-security-news/atlanta-struggling-to-recover-from-ransomware-infection-days-after-attack/

  5. https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html

Malware of the Month

Dridex - Artifacts

  1. This came in an email with a URL that auto downloaded and installed the malware, but could be a drive-by as well.

  2. Since Dridex uses real, signed Microsoft binaries copied to a directory other than System32, DLL sideloading is easy: the malicious DLL only has to be named after one of the DLLs the binary actually needs and placed in the same folder as the binary, instead of in System32 where that DLL normally lives and is loaded from.

  3. This method has been making the rounds in conference talks, because many tools miss or exclude known-good, Microsoft-signed binaries as “Good”. A popular tool we all use, Microsoft’s Sysinternals Process Explorer, has an option many of us have used to hide Microsoft-signed files so that obviously bad processes stand out. Dridex exploits this typical analyst behavior to hide among the known good.

    1. It is important to note that we designed LOG-MD to catch these cases, since WHERE the file is located can be a BIG clue, even if it is a real, signed MS binary.

  4. Morphs on reboot - The DLL’s hash changes on each reboot, the .EXE changes as well, and the DLL’s name changes to whatever that .EXE will load. So chasing hashes is a waste of time: the hashes you have are not what the rest of us will have.

[Image: Dridex_Morphed_Samples.JPG]

  5. Uses a valid, trusted MS-signed binary to launch the bad DLL, which is named for a legitimate DLL that the launcher needs (GamePanel.exe, UxTheme.dll, CameraSettingsUIHost.exe, DUI70.dll, etc.)

  6. Autoruns are a .lnk file in the user’s Startup folder and a Scheduled Task pointing to another version

  7. Files are found in:

    • %windir%\System32\5_Char_random_name

    • %AppData%\5_Char_random_name

  8. Uses svchost.exe to phone home and communicate

  9. Opens a hole for Explorer in the Windows Firewall

Site-Worthy

  1. www.MalwareArchaeology.com/cheat-sheets

  2. https://www.cisecurity.org/cis-benchmarks/

  3. Guest - David Longenecker

    1. https://attack.mitre.org/wiki/Main_Page - Adversarial Tactics, Techniques & Common Knowledge. A repository of things for which to ask yourself, "would I detect this? Would it set off any alarms?"

    2. https://jpcertcc.github.io/ToolAnalysisResultSheet/ - dozens of tools and exploitation techniques, with detailed artifacts generated by those actions. Again, a great resource for asking "how would I detect this?"

Tool-Worthy

  1. LOG-MD

  2. Guest - David Longenecker

    1. https://blog.didierstevens.com/my-software/ - Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools (https://blog.didierstevens.com/programs/pdf-tools/) a fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.

Topic of the Day

Windows Logging, Who, What, Where, When, Why

  1. Why is logging important?

    1. Incident took place...what happened?  I don’t know!

    2. Research / hunting.

    3. Alerts

  2. Windows Default logging

    1. Some of the improvements since XP

    2. Default is painfully bad, so at minimum set the following

      1. 4688

      2. 5156

      3. PowerShell

      4. CMD Line Logging

    3. Make checks for
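As an added example for the two items above (the minimum settings to enable, and the checks to make for them), not code from the show or from LOG-MD: the script below turns on 4688 (Process Creation), 5156 (Filtering Platform Connection), command line logging in 4688, and PowerShell script block and module logging, then reads every setting back as a true/false. The auditpol subcategory names and registry locations are the documented Windows ones; the two function names are ours. Run from an elevated PowerShell on the host being hardened.

```powershell
# Added example (not from the podcast or LOG-MD): enable the minimum audit
# settings from the show notes and verify them. Function names are ours;
# the policy paths and auditpol subcategories are the documented Windows ones.

function Enable-MinimumWindowsLogging {
    # 4688 - Process Creation (success + failure)
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

    # 5156 - Windows Filtering Platform: connection allowed (per-process network activity)
    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null

    # Command line logging: include the full command line in each 4688 event
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    # PowerShell logging: script block logging (event 4104) ...
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # ... plus module logging (event 4103) for all modules
    $ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    New-Item -Path "$ml\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    New-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Get-RegDword {
    # Helper: read a DWORD policy value, returning 0 when the key or value is absent
    param([string]$Path, [string]$Name)
    $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.$Name
}

function Test-MinimumWindowsLogging {
    # One boolean per setting so the result can be compared across hosts.
    # auditpol /r emits CSV; blank lines are dropped before parsing.
    $procCreation = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $wfpConn      = auditpol /get /subcategory:"Filtering Platform Connection" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

    [pscustomobject]@{
        ProcessCreation4688   = ($procCreation.'Inclusion Setting' -match 'Success')
        FilteringPlatform5156 = ($wfpConn.'Inclusion Setting' -match 'Success')
        CommandLineIn4688     = (Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled') -eq 1
        ScriptBlockLogging    = (Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging         = (Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging') -eq 1
    }
}

Enable-MinimumWindowsLogging
Test-MinimumWindowsLogging
```

Test-MinimumWindowsLogging is the piece worth scheduling on its own, since Group Policy or a reimage can silently undo any of these. Of the settings, 5156 is by far the noisiest; it is a good candidate for the “log it locally, don’t forward it” category discussed later in the show.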

  3. Where does one start to improve logging

    1. Industry Standards

    2. Cheat Sheet(s)

  4. Gaps in the industry standards

    1. Why are they inadequate

  5. Log configurations/properties

    1. Log Sizes

    2. FIFO
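An added example for the log size and FIFO items above (not code from the show or LOG-MD): the script sets a maximum size and circular (overwrite-oldest, i.e. FIFO) retention on the logs the episode cares about with wevtutil, then reads the configuration back with Get-WinEvent. The 1 GB and 256 MB values are this example’s choice rather than a number from the show; the function names are ours.

```powershell
# Added example, not from the podcast: set log size and FIFO retention, then
# report the resulting configuration. Sizes below are this example's choice.

$LogSizes = @{
    'Security'                                 = 1GB
    'System'                                   = 256MB
    'Application'                              = 256MB
    'Microsoft-Windows-PowerShell/Operational' = 256MB
}

function Set-LogSizeFifo {
    param([hashtable]$Sizes)
    foreach ($log in $Sizes.Keys) {
        # /ms = maximum size in bytes; /rt:false = overwrite oldest events when full (FIFO)
        $bytes = [int64]$Sizes[$log]
        wevtutil sl $log "/ms:$bytes" /rt:false
    }
}

function Get-LogSizeReport {
    param([string[]]$LogNames)
    foreach ($log in $LogNames) {
        $info = Get-WinEvent -ListLog $log
        [pscustomobject]@{
            Log       = $log
            MaxSizeMB = [math]::Round($info.MaximumSizeInBytes / 1MB)
            LogMode   = $info.LogMode      # Circular = FIFO; Retain = stops logging when full
            Enabled   = $info.IsEnabled
            RecordCnt = $info.RecordCount
        }
    }
}

Set-LogSizeFifo -Sizes $LogSizes
Get-LogSizeReport -LogNames $LogSizes.Keys | Format-Table -AutoSize
```

LogMode “Retain” (wevtutil /rt:true) is the setting to watch for: once the log fills, new events are dropped rather than old ones, which is the opposite of what you want on a box that is not forwarding.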

  6. Centralized / forwarded vs. Local logging

    1. Why some things shouldn’t be forwarded

    2. Log “nice-to-haves” locally (it won’t kill the box -Microsoft Article)

  7. What tools can you use to collect local logs?

    1. Wevtutil

    2. PowerShell

    3. LOG-MD

  8. Filtering logs on the endpoint
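An added example covering items 7 and 8 above (collecting local logs with wevtutil and PowerShell, and filtering on the endpoint), not code from the show or LOG-MD: the first function filters 4688 events on the endpoint through Get-WinEvent’s hashtable filter and pulls out the process, command line and parent; the second uses wevtutil with an XPath query to export only the last day of 4688/5156 events to an .evtx for offline review. The output folder and the time window are this example’s assumptions; the 4688 property indexes are the standard event template.

```powershell
# Added example, not from the podcast or LOG-MD: filter at the source so
# only the useful subset of events leaves the endpoint. Folder and window
# are this example's choices.

$OutDir = 'C:\IR\logs'   # hypothetical collection folder
New-Item -Path $OutDir -ItemType Directory -Force | Out-Null

function Get-RecentProcessCreation {
    # PowerShell: server-side filter by log, event ID and time (no full-log parse)
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # 4688 template: [5] NewProcessName, [8] CommandLine, [13] ParentProcessName
        # (ParentProcessName only exists on newer Windows builds, hence the guard)
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $_.Properties[1].Value
            Process     = $_.Properties[5].Value
            CommandLine = $_.Properties[8].Value
            Parent      = if ($_.Properties.Count -gt 13) { $_.Properties[13].Value } else { $null }
        }
    }
}

function Export-FilteredSecurityLog {
    # wevtutil: export only matching events; timediff() is in milliseconds
    param([int]$Hours = 24, [string]$Path)
    $ms    = $Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4688 or EventID=5156) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    wevtutil epl Security $Path "/q:$xpath" /ow:true
}

# Quick triage view: processes launched from user-writable paths in the last day
Get-RecentProcessCreation -Hours 24 |
    Where-Object { $_.Process -match '\\AppData\\|\\Temp\\|\\Users\\Public\\' } |
    Format-Table Time, User, Process, CommandLine -AutoSize

# Filtered export for offline review or hand-off
Export-FilteredSecurityLog -Hours 24 -Path (Join-Path $OutDir "security-filtered-$(Get-Date -Format yyyyMMdd).evtx")
```

The Where-Object clause is where the Dridex discussion earlier in the episode comes back: a signed Microsoft binary is not interesting by itself, but a signed binary running out of %AppData% or a short random folder under System32 is exactly the WHERE clue LOG-MD looks for.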

  9. 3rd party logging utilities

    1. Sysmon

    2. WLS

10. Advanced Logging

  • NEW - The Windows Advanced Logging Cheat Sheet

11. Log Attacks

  • Clear the logs

  • Stop the logging service

  • Change size to 1k
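As an added, defender-side example for the three log attacks listed above (not code from the show or LOG-MD): the function below looks for each of them on a host. Event IDs 1102 (Security log cleared) and 104 (System or Application log cleared) are Microsoft’s and are written after the clear, so they survive it; the service check and the minimum-size threshold are this example’s choices, as are the function and field names.

```powershell
# Added example, not from the podcast: detect the three log attacks from the
# show notes. The 100 MB threshold and the output shape are this example's.

function Test-LogTampering {
    param(
        [int]$Hours = 24,
        [int64]$MinSecurityLogBytes = 100MB
    )
    $since    = (Get-Date).AddHours(-$Hours)
    $findings = @()

    # 1) Clear the logs: 1102 lands in Security, 104 in System, both written by the Eventlog service
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue)
    foreach ($e in $cleared) {
        $findings += [pscustomobject]@{
            Check  = 'LogCleared'
            Detail = "$($e.LogName) log cleared (event $($e.Id)) at $($e.TimeCreated)"
        }
    }

    # 2) Stop the logging service
    $svc = Get-Service -Name EventLog
    if ($svc.Status -ne 'Running') {
        $findings += [pscustomobject]@{ Check = 'ServiceStopped'; Detail = "EventLog service is $($svc.Status)" }
    }

    # 3) Shrink the log (the "1k" trick) or disable it so it rolls over almost immediately
    $sec = Get-WinEvent -ListLog Security
    if ($sec.MaximumSizeInBytes -lt $MinSecurityLogBytes) {
        $findings += [pscustomobject]@{ Check = 'LogSizeReduced'; Detail = "Security max size is $($sec.MaximumSizeInBytes) bytes" }
    }
    if (-not $sec.IsEnabled) {
        $findings += [pscustomobject]@{ Check = 'LogDisabled'; Detail = 'Security log is disabled' }
    }

    return $findings
}

$result = Test-LogTampering -Hours 24
if ($result.Count -eq 0) { 'No log tampering indicators found' } else { $result | Format-Table -AutoSize }
```

All three checks read state from the same box an attacker has already touched, which is the argument for forwarding at least 1102 and 104 centrally: the local copy of a “log cleared” event can itself be cleared a second time, while the forwarded copy cannot.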

-----------------------------------------------------------------------------------------------