CQURE Academy

MASTERCLASS: SYSTEM FORENSICS AND INCIDENT


HANDLING
Paula Januszkiewicz
CQURE: CEO, Penetration Tester; Cybersecurity Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Microsoft Regional Director
www.cqureacademy.com
paula@cqure.us

@paulacqure
@CQUREAcademy
CONSULTING
Agenda
08:00 – 08:30 Coffee & Croissant
08:30 – 10:00 Session 1
10:00 – 10:15 Coffee break
10:15 – 12:00 Session 2
12:15 – 13:00 Lunch
13:00 – 14:20 Session 3
14:20 – 14:35 Coffee break
14:35 – 15:45 Session 4
15:45 – 16:00 Wrap Up & Closing
What was your score in our Windows Security QUIZ - share
in the comment section!
CQURE Profile

We are a Team of Security Passionates


Knowledge and passion drives us
Always flexible, open for changes and new technologies

Each Team member has at least 10 years of experience


Everyone is security minded
Everyone is a consultant
Everyone delivers penetration test

We have hundreds of penetration tests done


Each Customer was satisfied!
What does CQURE Team do?
Consulting services
→ High quality penetration tests with useful reports: applications, websites, external services (edge), internal services, plus configuration reviews
→ Incident response emergency services – immediate reaction!
→ Security architecture and design advisory
→ Forensics investigation
→ Security awareness for management and employees
Trainings
→ Security Awareness trainings for executives
→ CQURE Academy: over 40 advanced security trainings for IT Teams
→ Certificates and exams
→ Delivered all around the world only by the CQURE Team: the training authors
info@cqure.us
Module 01: Introduction to
Incident Response Handling

Standardisation bodies
▪ ISO/IEC - Wide scope of coverage, focusing on standardization, more general framework
▪ IETF – Focuses on Internet related technical Security requirements
▪ NIST-CSRC (http://www.nist.gov/) – Wide scope of coverage for both government and enterprise needs. Many
relevant documents that can be leveraged
▪ OASIS (http://www.oasis-open.org/) - Application Vulnerability Description Language (AVDL)
▪ OGSF (Open Group Security Forum, http://www.opengroup.org/security/) - specifications, tools, guidelines and
best practices for businesses, responsibilities, liabilities and trust relationships; started Intrusion Attack and
Response Workshop
▪ Best practices and recommendations
▪ CERT/CC (http://www.cert.org/) – a center of Internet security expertise; recommendations, advisories,
practices, research
▪ SANS (System Administration, Networking, and Security) Institute –http://www.sans.org/, focuses on SysAdmin,
Audit, Network, and Security research and education.
▪ ISACA (http://www.isaca.org/) – Most noted for CoBIT, provides a comprehensive framework for IT
Governance, including security
▪ ISSA (http://www.issa.org/) – comprehensive coverage of security issues and solutions for InfoSec practitioners,
GAISP (Generally Accepted Information Security Principles)
Why is it Important?
▪ Sooner or later an incident is going to occur
▪ Do you know what to do?

▪ It is not a matter of IF but WHEN


▪ Planning is everything
▪ Similar to backups
▪ You might not use it every day, but if a major problem occurs you are
going to be glad that you did
What is an Incident?
▪ An INCIDENT is an adverse event in an information system, and/or network,
or the threat of the occurrence of such an event

▪ Incident implies harm, or the attempt to do harm

▪ The fact that an incident has occurred may mean a law has been broken
Incidents
▪ Definition
▪ A violation or imminent threat of violation of computer security policies,
acceptable use policies, or standard security practices

▪ Examples
▪ Denial of service attack causes web server to crash
▪ Malware installed from a phishing attack infects user computers and establishes
connections with an external host
▪ An attacker obtains sensitive data and demands ransom from your CEO to prevent
release
▪ Sensitive information from your company is being disseminated through peer-to-
peer file sharing services
Types of Incidents
▪ Bombings, Explosions
▪ Earthquakes, Fires, Floods
▪ Power outages, Storms
▪ Hardware/software failures
▪ Strikes, Employees unavailable
▪ Hazard material spills
▪ Cyber-theft, Intellectual property theft
▪ Viruses, worms or other malicious software
▪ Unauthorized use
▪ Intrusions, Internal or external attack
▪ Denial of Service
What is an Event?
▪ An event is any observable occurrence in a system and/or network.
▪ Examples of events include:
▪ System boot sequence
▪ System crash
▪ Packet flooding within a network

▪ These observable events compose an incident


▪ All incidents are composed of events, but not all
events are incidents
Examples of an Incident
Which of the following is an incident ?
1. An attacker running NetBIOS scans against a UNIX system
2. An attacker exploiting Sendmail on a UNIX system
3. A backup containing sensitive information is missing
Incidents – contd.
▪ Incidents would not happen if
▪ We had infinite security budgets, and
▪ We had infinitely capable security personnel

▪ However, things can go wrong


▪ In spite of your best attempts
▪ We call them incidents

▪ Useful to develop standard procedures to respond to


incidents
▪ And refine these procedures based on experience
▪ Typical business process improvement exercise
Module 02: System and Network
Security Mechanisms

[Slide graphic: Defending against modern security threats – four pillars: Secured devices, Secured identities, Threat resistance, Information protection]
Operating System Accountability
Areas of Focus
Problem: too much information to control
Solution: select the areas where malicious code is most likely to land and persist:
DLLs
Services
Executables
Drivers
This approach works as a first step: it narrows the search, it does not replace a full investigation
Incorrect Access Control
Services
▪ Watch service binaries that belong to software installed outside %SystemRoot% or %ProgramFiles%
▪ If the binary sits in a folder with inappropriate ACLs, a low-privileged user can replace it and the replacement runs with the service's identity
Permissions
▪ Should be audited
▪ Should be enforced with NTFS permissions, not share permissions (share permissions only apply to access over the network)
BackupRead / BackupWrite
▪ Copy operations that bypass the ACLs on the object: a caller holding SeBackupPrivilege / SeRestorePrivilege reads and writes regardless of the DACL
▪ Used by backup software, and by attackers who obtain those privileges (e.g. membership in Backup Operators)
Best Practices for File Permissions

➔ Assign permissions to groups rather than to users


➔ Deny permissions should be used for certain special cases
➔ Use security templates
➔ If possible, avoid changing the default permission entries
on file system objects, particularly on system folders and root
folders
➔ Never deny the Everyone group access to an object
Best Practices for File Permissions

➔ Assign permissions to an object as high on the tree as


possible and then apply inheritance to propagate the security
settings through the tree
➔ Privileges can sometimes override permissions
➔ For permissions on Active Directory objects, make sure you
understand the best practices specific to Active Directory
objects
Best Practices for AD Permissions
➔ If possible, avoid changing the default permissions on AD objects
➔ Avoid granting Full Control permissions over an object or
organizational unit
➔ Minimize the number of access control entries that apply to child
objects
➔ When possible, assign the same set of permissions to multiple objects
➔Whenever possible, assign permissions to groups rather than users
Best Practices for AD Permissions

➔ When possible, assign access rights on a broad level


rather than assigning individual user rights:
▪ Minimizing the number of access control entries will improve performance
▪ Allow "Read All Properties" or "Write All Properties" rather than individual properties
▪ Allow Read or Write access to property sets rather than individual properties
▪ A property set is a collection of attributes. For example, the Personal Information property set includes the
attribute's address, personal title, and so on. By setting access on the property set, you have automatically
set access on all the attributes contained in that property set
▪ Allow "Create All Child Objects" or "Delete All Child Objects," rather than specifying individual child objects
▪ Allow "All Extended Rights" rather than allowing the individual extended rights
▪ Allow "All Validated Writes" rather than allowing the individual validated rights
Privilege Escalation
▪ Most users run as local administrators
▪ Malware then has the same privilege
▪ Where they don't, malware uses privilege escalation
▪ Exploit vulnerable code to obtain administrator privileges
▪ Many malware frameworks include such exploits (e.g. http://www.metasploit.com/)
▪ Goal: access to restricted calls such as TerminateProcess and CreateRemoteThread against other users' processes
Use SeDebugPrivilege
▪ Initially intended as a tool for system-level debugging: it lets OpenProcess succeed on any process regardless of that process's DACL (protected processes excepted)
▪ Malware enables it to gain full access to other processes, LSASS included
▪ The privilege must already be present (disabled) in the token; AdjustTokenPrivileges can only turn on privileges the token holds, which is why an administrative token is needed first
▪ Call OpenProcessToken, then LookupPrivilegeValueA to retrieve the privilege's locally unique identifier (LUID)
▪ Call AdjustTokenPrivileges with NewState set to SE_PRIVILEGE_ENABLED
▪ Check GetLastError afterwards: the call reports success even when the privilege could not be enabled (ERROR_NOT_ALL_ASSIGNED)
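The sequence above in working form, as an added example (Python with ctypes, not code from the deck): enable_privilege() performs the three Win32 calls against the current process token, and build_token_privileges() lays out the NewState structure. Fixed-width ctypes types are used so the structure layout is identical on 32- and 64-bit Windows; the function names, access flags and the ERROR_NOT_ALL_ASSIGNED code are the real Win32 ones.

```python
"""Enable SeDebugPrivilege in the current process token with the OpenProcessToken /
LookupPrivilegeValue / AdjustTokenPrivileges sequence from the slide (ctypes edition).
Added example, not code from the deck.  build_token_privileges() is pure Python so the
structure layout can be checked anywhere; enable_privilege() needs Windows."""
import ctypes
import sys

SE_PRIVILEGE_ENABLED = 0x00000002
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_QUERY = 0x0008
ERROR_NOT_ALL_ASSIGNED = 1300          # privilege is not present in the token at all


class LUID(ctypes.Structure):
    """Locally unique identifier returned by LookupPrivilegeValue (fixed-width fields,
    not c_ulong, so the layout is the same on every platform)."""
    _fields_ = [("LowPart", ctypes.c_uint32), ("HighPart", ctypes.c_int32)]


class LUID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Luid", LUID), ("Attributes", ctypes.c_uint32)]


class TOKEN_PRIVILEGES(ctypes.Structure):
    _fields_ = [("PrivilegeCount", ctypes.c_uint32),
                ("Privileges", LUID_AND_ATTRIBUTES * 1)]


def build_token_privileges(low, high, attributes):
    """NewState for AdjustTokenPrivileges: one LUID with the requested attribute bits."""
    tp = TOKEN_PRIVILEGES()
    tp.PrivilegeCount = 1
    tp.Privileges[0].Luid.LowPart = low
    tp.Privileges[0].Luid.HighPart = high
    tp.Privileges[0].Attributes = attributes
    return tp


def enable_privilege(name="SeDebugPrivilege"):
    """Return True if the privilege is now enabled, False if the token never held it.
    A non-admin token has no SeDebugPrivilege to enable: this API only flips bits that
    are already present, it never grants new ones."""
    if sys.platform != "win32":
        raise OSError("enable_privilege() needs the Win32 API")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                          ctypes.POINTER(ctypes.c_void_p)]
    advapi32.LookupPrivilegeValueW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p,
                                               ctypes.POINTER(LUID)]
    advapi32.AdjustTokenPrivileges.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                               ctypes.POINTER(TOKEN_PRIVILEGES),
                                               ctypes.c_uint32, ctypes.c_void_p,
                                               ctypes.c_void_p]

    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                     ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        luid = LUID()
        if not advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(luid)):
            raise ctypes.WinError(ctypes.get_last_error())
        new_state = build_token_privileges(luid.LowPart, luid.HighPart, SE_PRIVILEGE_ENABLED)
        # AdjustTokenPrivileges returns TRUE even when it enabled nothing, so the
        # decisive check is GetLastError() after the call.
        if not advapi32.AdjustTokenPrivileges(token, False, ctypes.byref(new_state),
                                              0, None, None):
            raise ctypes.WinError(ctypes.get_last_error())
        return ctypes.get_last_error() != ERROR_NOT_ALL_ASSIGNED
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    print("SeDebugPrivilege enabled:", enable_privilege())
```

Run it from an elevated prompt and compare `whoami /priv` before and after: the privilege flips from Disabled to Enabled. From a standard-user token it returns False, because the privilege is simply not in the token. On Windows 10 / Server 2016 and later, with "Audit Token Right Adjusted" turned on, the enabling is recorded as event 4703 with the process name and the EnabledPrivilegeList field; that record is the forensic trace to hunt for.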
Details of the bootkey
Protected with the bootkey:
HKLM\SECURITY\Policy\Secrets (LSA secrets)
HKLM\SECURITY\Cache (cached domain logons)
HKLM\SAM (local account hashes, see the following slides)
The bootkey consists of the class names of four keys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (JD, Skew1, GBG, Data); they are stored as key class names, not as registry values
Windows most often uses the following algorithms
AES256-CBC (data encryption)
AES256-CCM (BitLocker)
AES256-GCM (DPAPI blobs)
AES128-ECB (BitLocker)
AES256-XTS (BitLocker)
RC4
MD4, MD5, SHA*
DES, 3DES
RSA 1024, RSA 2048 (used more often)
Secret agreement: Diffie-Hellman
DPAPI-NG:
Key derivation: SP800_108_CTR_HMAC (SHA512), KDF_SP80056A_CONCAT (client)
Chasing the obvious: NTDS.DIT, SAM
The above means: to read the clear text password you need to struggle! What these stores hold is the hash, wrapped in keys derived from the bootkey, not the password itself
Getting the: Hash
SAM
1. bootkey: class names from HKLM\SYSTEM\CCS\Control\Lsa [class names for: JD, Skew1, GBG, Data, concatenated in that order] + the byte permutation of the resulting array
2. F: HKLM\SAM\SAM\Domains\Account\ [F – value], combined with two constants:
string aqwerty = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0";
string anum = "0123456789012345678901234567890123456789\0";
3. rchbootkey: MD5(string built by arithmetic on F, aqwerty, anum, bootkey)
4. hbootkey: RC4(key, data) -> RC4(rchbootkey, F)
5. Per user, from that user's V value under HKLM\SAM\SAM\Domains\Account\Users\<RID>: MD5(…, hbootkey, RID, …) -> RC4(…) -> DES(…) with RID-derived keys to get the hash (MD4)
Windows 10 1607 and later replace the RC4 wrapping of the hashes with AES; the bootkey itself is still derived from the class names
Services
Store configuration in the registry
Always need some identity to run the executable!
Local Security Authority (LSA) Secrets
Must be stored locally, especially when domain credentials are used
Can be accessed when we impersonate Local System
Their accounts should be monitored
If you cannot use gMSA or MSA, set up an event subscription (alerting) for accounts that follow the svc_ naming convention
Conclusion: think twice before using an administrative account; use gMSA
Getting the: service account secrets
1. bootkey: class names from HKLM\SYSTEM\CCS\Control\Lsa + [class names for: Data, GBG, JD, Skew1] (+ array permutations); the same bootkey as for the SAM
int[] permutationBootKey = new int[] { 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 };
2. PolEKList: HKLM\SECURITY\Policy\PolEKList [default value]
3. lsakey: AES_DECRYPT(key, data) -> AES(bootkey, PolEKList); the AES key is not the raw bootkey but SHA-256 over the bootkey followed by 1000 rounds of a 32-byte salt taken from PolEKList
4. NL$KM secret: HKLM\SECURITY\Policy\Secrets\NL$KM
5. nlkm_decrypted: AES_DECRYPT(lsakey, NL$KM secret); NL$KM in turn protects the cached domain logons in HKLM\SECURITY\Cache
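Steps 1 to 4 of the SAM chain and step 1 of the LSA chain, carried out in Python as an added example (not CQURE's code): the same bootkey unscrambling serves both slides, then the MD5/RC4 hashed bootkey and the per-user RC4 key are derived as described. The class names and the F blob are constructed values; the DES unwrap (SAM step 5) and the AES steps for LSA secrets are described in comments but not implemented. This is the RC4-based SAM layout of Windows versions before 10 1607, which is the one the slide walks through.

```python
"""SAM secret chain from the "Getting the: Hash" and "Getting the: service account secrets"
slides: bootkey unscrambling (shared by SAM and LSA secrets), the RC4/MD5 hashed-bootkey
derivation and the per-user RC4 key.  Added example, not CQURE's code; the class names and
the F value below are constructed, and the final DES unwrap (step 5) plus the LSA AES steps
are not implemented here.  This is the pre-Windows 10 1607 (RC4) SAM layout."""
import hashlib
import struct

AQWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
ANUM = b"0123456789012345678901234567890123456789\0"
# Byte permutation applied to the concatenated class names (taken from the slide).
PERMUTATION = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
               0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7]


def bootkey_from_classnames(jd, skew1, gbg, data):
    """Step 1: the class names of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\{JD,Skew1,GBG,Data}
    are 8 hex characters each; concatenated in that order they give 16 scrambled bytes."""
    scrambled = bytes.fromhex(jd + skew1 + gbg + data)
    if len(scrambled) != 16:
        raise ValueError("expected four 8-hex-character class names")
    return bytes(scrambled[i] for i in PERMUTATION)


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hashed_bootkey(bootkey, f_value):
    """Steps 2-4 against HKLM\\SAM\\SAM\\Domains\\Account\\F: bytes 0x70..0x7F are a salt,
    0x80..0x9F hold the RC4-encrypted hashed bootkey; the RC4 key ("rchbootkey") is
    MD5(salt || AQWERTY || bootkey || ANUM)."""
    if len(f_value) < 0xA0:
        raise ValueError("F value too short")
    rc4_key = hashlib.md5(f_value[0x70:0x80] + AQWERTY + bootkey + ANUM).digest()
    return rc4(rc4_key, f_value[0x80:0xA0])[:16]


def user_hash_rc4_key(hbootkey, rid, nt=True):
    """Step 5, first half: the key that RC4-unwraps one user's encrypted hash from that
    user's V value is MD5(hbootkey || RID little-endian || NTPASSWORD/LMPASSWORD label).
    The 16 bytes it yields are then DES-decrypted with two keys derived from the RID to
    give the MD4 (NT) hash; that DES stage is omitted here."""
    label = b"NTPASSWORD\0" if nt else b"LMPASSWORD\0"
    return hashlib.md5(hbootkey[:16] + struct.pack("<L", rid) + label).digest()


if __name__ == "__main__":
    # Constructed class names; real ones are random hex strings set at install time.
    bootkey = bootkey_from_classnames("00010203", "04050607", "08090a0b", "0c0d0e0f")
    f_value = bytes(range(0xA0))          # constructed stand-in for the real F blob
    hbk = hashed_bootkey(bootkey, f_value)
    print("bootkey    ", bootkey.hex())
    print("hbootkey   ", hbk.hex())
    print("RID 500 key", user_hash_rc4_key(hbk, 500).hex())
```

The point to take from running it: every stage is keyed only by material that lives in the SYSTEM and SAM hives, so whoever can read both hives offline (a backup, a VSS shadow copy, a stolen disk) needs no password to get to the hashes.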
What is the most successful path for the attack right now?
THE ANATOMY OF AN ATTACK
[Diagram, left to right: Healthy computer → User receives email → User lured to malicious site → Device infected with malware → HelpDesk logs into device → Identity stolen, attacker has increased privileges]
Today's security challenge: "PASS THE HASH" ATTACKS
PASS THE HASH TECHNIQUE
[Diagram: three machines]
Fred's Laptop: Fred's user session (User: Fred, password hash: A3D7…) and a malware session (User: Administrator, password hash: E1977…)
Sue's Laptop: Sue's user session (User: Sue, password hash: C9DF…) and a malware session (User: Adm…, hash: E1977)
File Server: malware user session (User: Sue, hash: C9DF)
1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE'S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE
P-T-H SOLUTION (PASS THE HASH ATTACKS)
VSM uses a Hyper-V powered secure execution environment to protect derived credentials – you can get things in but can't get things out
Decouples the NTLM hash from the logon secret
Fully randomizes and manages a full-length NTLM hash to prevent brute force attacks
Derived credentials that the VSM-protected LSA service hands to Windows are non-replayable
VIRTUAL SECURE MODE (VSM)
VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
VSM runs its own secure kernel and a series of Trustlets (isolated processes) within it
VSM protects the VSM kernel and Trustlets even if the Windows kernel is fully compromised
Requires processor virtualization extensions (e.g. VT-x, VT-d)
[Diagram: Virtual Secure Mode. Bottom to top: Hardware → Windows Hypervisor; above it, side by side, the normal Windows partition (Kernel, Apps) and Virtual Secure Mode (VSM) hosting the Local Security Auth Service, Code Integrity and a Virtual TPM]
[Screenshots: Windows 10 – local account; Windows 10 – domain account]
How to enable VSM?
1. Enable Secure Boot and UEFI in BIOS, enable TPM
2. Configure Windows 10: join the machine to the domain (VSM only protects domain credentials; local accounts are not covered)
3. Install the Hyper-V feature in Windows 10
4. Configure the BCD in Windows 10 to start VSM:
bcdedit /set vsmlaunchtype auto
5. Enable the Virtual Secure Mode (VSM) GPO setting:
Computer Configuration/Administrative Templates/System/Device Guard/Turn on Virtualization Based Security
…and reboot the machine
[Screenshot: Windows 10 with VSM enabled]
SMB Relay
Set SPNs for services to avoid NTLM fallback:
SetSPN -L <your service account for AGPM/SQL/Exch/Custom>
SetSPN -A <service>/<FQDN of host> <domain>\<service account>
(SetSPN -S registers the same way but refuses to create a duplicate SPN, which would break Kerberos for both accounts)
Reconsider using Kerberos authentication all over
https://technet.microsoft.com/en-us/library/jj865668.aspx
Require SPN target name validation
Microsoft network server: Server SPN target name validation level
Reconsider turning on SMB Signing
SMB2/3 client and SMB2/3 server signing settings
Setting          Group Policy setting                                Registry key
Required *       Digitally sign communications (always) – Enabled    RequireSecuritySignature = 1
Not Required **  Digitally sign communications (always) – Disabled   RequireSecuritySignature = 0
* The default setting for signing on a Domain Controller (defined via Group Policy) is "Required".
** The default setting for signing on SMB2 Servers and SMB Clients is "Not Required".
(RequireSecuritySignature lives under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters for the server and HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters for the client)

Effective behavior for SMB2/3:
                         Server – Required    Server – Not Required
Client – Required        Signed               Signed
Client – Not Required    Signed*              Not Signed**
* Default for Domain Controller SMB traffic.
** Default for all other SMB traffic.
IIS Structure
IIS Configuration
In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider
CNG stores shared private keys in %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys\
Worker Processes (w3wp.exe)
Their identity is defined in the Application Pool settings
They are managed by the Windows Process Activation Service, which knows how to read the secrets
Passwords for the AppPool identity can be 'decrypted' even offline
They are stored in encrypted form in applicationHost.config
Conclusion: IIS bases its security on the machine keys (readable as Local System); anyone who obtains them can recover the AppPool passwords
IIS Logs
▪ Default logs are plain text in W3C Extended log file format
▪ Logs stored in LogFiles\W3SVC<site id> (under %SystemDrive%\inetpub\logs on IIS 7 and later, %SystemRoot%\system32\LogFiles on IIS 6)
▪ Easily parsed with text parsing tools or with LogParser
▪ Log files can capture cookies and referrer headers
▪ Still missing key HTTP POST data (request bodies are never written to the access log)
IIS – Logged by Default
▪ Date / Time
▪ Client IP
▪ Server Info
▪ HTTP Method
▪ URL and Parameters
▪ HTTP Status Code
▪ User Agent
IIS 6.0 – Not Logged by Default
Can be enabled:
▪ Transfer Sizes
▪ Host Header
▪ Cookies
▪ Referrer
Not even an option…
▪ POST Data
Why Do We Care About POST Data?
▪ Much of the user input to a web application is passed
to the server as POST parameters
▪ Manipulating these parameters is the prime
mechanism for attacking an application
▪ POST data logging provides insight into such attacks
▪ POST data is necessary to perform an accurate
damage assessment
Referrer Header
▪ What is the Referrer Header?
▪ Referrer headers are an indicator of browsing flow
▪ Can be used to identify abnormal browsing trends
that may be indicative of an attack
▪ Not a reliable measure
▪ Referrer spoofing is easy and results in false positives
Apache Web Server Logs
▪ Log format and locations are highly customizable
▪ Log configuration set in httpd.conf
▪ Access log – records all requests
▪ access.log on Windows, access_log on Unix

▪ Error log – holds diagnostic and error messages


▪ error.log / error_log

▪ Some modules have their own logs:


▪ rewrite.log
Apache Logs – Default Access Log
▪ LogFormat "%h %l %u %t \"%r\" %>s %b"
▪ Remote Host
▪ Remote logname (from identd)
▪ Remote user (from HTTP authentication)
▪ Time
▪ First line of request
▪ Status
▪ Bytes sent

▪ mod_log_config can be used to enhance Apache logging to capture additional fields (e.g. the "combined" format adds the Referer and User-Agent headers)
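One parser for both formats, plus the hunting checks the IIS and Apache slides motivate (manipulated parameters, traversal, error bursts per client), as an added example that is not part of the deck. The log excerpts are constructed samples in the default IIS 7+ W3C field list and the default Apache common format; the detection patterns are deliberately small.

```python
"""Parse IIS W3C Extended and Apache common-format access logs into one record shape and
run the kind of attack hunting the slides call for (tampered parameters, traversal, error
bursts).  Added example, not from the deck; both log excerpts are constructed samples."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS sample using the default IIS 7+ field list.  "-" means "no value".
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 08:00:01 10.0.0.5 GET /default.aspx - 443 - 198.51.100.10 Mozilla/5.0 - 200 0 0 15
2024-03-01 08:00:02 10.0.0.5 GET /products.aspx id=1 443 - 198.51.100.10 Mozilla/5.0 https://shop.example/ 200 0 0 22
2024-03-01 08:00:03 10.0.0.5 GET /products.aspx id=1'+UNION+SELECT+null,name+FROM+sysobjects-- 443 - 203.0.113.7 sqlmap/1.7 - 500 0 0 31
2024-03-01 08:00:04 10.0.0.5 GET /..%2f..%2fwindows/win.ini - 443 - 203.0.113.7 curl/8.0 - 404 0 2 3
2024-03-01 08:00:05 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 curl/8.0 - 401 2 5 40
"""

# Constructed Apache sample in the default LogFormat "%h %l %u %t \"%r\" %>s %b".
APACHE_SAMPLE = """\
198.51.100.10 - - [01/Mar/2024:08:10:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [01/Mar/2024:08:10:02 +0000] "GET /cgi-bin/test.cgi?file=../../../../etc/passwd HTTP/1.1" 404 209
203.0.113.7 - admin [01/Mar/2024:08:10:03 +0000] "GET /search?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 -
"""


def parse_iis(text):
    """W3C Extended format: a '#Fields:' directive names the columns, values are
    space-separated (spaces inside values are already encoded as '+')."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        row = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        records.append({"source": "iis", "client": row["c-ip"], "method": row["cs-method"],
                        "path": row["cs-uri-stem"], "query": row["cs-uri-query"] or "",
                        "status": int(row["sc-status"]), "user_agent": row.get("cs(User-Agent)")})
    return records


APACHE_COMMON = re.compile(r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                           r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)')


def parse_apache(text):
    """Default common log format; the request line is split into method, target, protocol."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = APACHE_COMMON.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        parts = m["request"].split(" ")
        method, target = (parts[0], parts[1]) if len(parts) >= 2 else ("-", m["request"])
        path, _, query = target.partition("?")
        records.append({"source": "apache", "client": m["host"], "method": method,
                        "path": path, "query": query, "status": int(m["status"]),
                        "user_agent": None})
    return records


# Deliberately small pattern set; real hunting uses a signature feed, this shows the shape.
RULES = [
    ("sqli", re.compile(r"(?i)union\s+select|'\s*(or|and)\s+'?\w|sysobjects|information_schema")),
    ("traversal", re.compile(r"\.\./|\.\.\\")),
]


def hunt(records):
    """Match each rule against the raw and the URL-decoded request target, so that
    encoded payloads (%2e%2e%2f, %27) are not missed."""
    findings = []
    for r in records:
        target = r["path"] + "?" + r["query"]
        for name, rx in RULES:
            if rx.search(target) or rx.search(unquote_plus(target)):
                findings.append((r["client"], name, r["path"]))
                break
    return findings


def noisy_clients(records, min_errors=3):
    """Clients with at least min_errors 4xx/5xx responses: scanners and brute forcers
    show up here even when no signature fires."""
    counts = Counter(r["client"] for r in records if r["status"] >= 400)
    return {c: n for c, n in counts.items() if n >= min_errors}


if __name__ == "__main__":
    logs = parse_iis(IIS_SAMPLE) + parse_apache(APACHE_SAMPLE)
    for client, rule, path in hunt(logs):
        print(f"{rule:<10} {client:<15} {path}")
    print("noisy clients:", noisy_clients(logs))
```

Both parsers normalise to the same record shape so one set of rules covers a mixed estate; the hunt checks raw and decoded targets because the logged cs-uri-query is whatever the client sent, encoding included. Note what is still invisible here: the POST body of the /login.aspx request, exactly the gap the IIS slide points out.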
Summary: Actively Monitor Your Servers
Module 03: Incident Response and
Handling Steps

Incident handling
▪ Overall process similar for most incidents
▪ With minor incident-specific variations
▪ Described in NIST SP 800-61
▪ Preparation
▪ Detection and Analysis
▪ Containment
▪ Eradication
▪ Recovery
▪ Post-Incident Analysis (Follow-up)
[Figure: the incident handling cycle – Preparation → Detection → Containment → Eradication → Recovery → Follow-up, feeding back into Preparation]
Key elements in a cyber security incident management capability
Key elements in a cyber security incident management capability
Preparation
▪ First step in creating an incident response plan

▪ Not an enumeration process


▪ Listing all possible threat scenarios
▪ And appropriate response to each of these scenarios

▪ More productive
▪ Identify basic steps common to all events
▪ Plan execution of each of these steps
Incident preparation components
▪ Peacetime activity
▪ Incident response policy
▪ Incident response team
▪ Supporting team
▪ Incident communication
▪ Compliance
▪ Hardware and software
▪ Training
Incident response policy
▪ Description of standard methods used by
organization for handling information Security
Incidents
▪ Benefits of policy
▪ Helps focus on incident as a whole, from start to finish
▪ Without getting diverted by media and organizational pressures
▪ Discussions provide management with understanding of issues they may have to
deal with during an actual incident
▪ Impacts of planned controls can be assessed by stakeholders
▪ May not be anticipated by IT team
▪ Reassurance for users
Incident response team
▪ Staff designated to respond to incidents
▪ Develop experience over time about expectations of organization during incidents
▪ Often cross-departmental
▪ Managers have to spare IRT members when needed

▪ Responsibilities
▪ Quickly identifying threats to the campus data infrastructure
▪ Assessing the level of risk
▪ Taking immediate steps to mitigate risks
▪ Notifying management of the event and associated risk
▪ Notifying local personnel of any incident involving their resources
▪ Issuing a final report as needed, including lessons learned

▪ Roles of each member of the IRT must be part of the incident


response policy
▪ A large organization may need multiple IRTs
▪ One within each division of the organization
▪ A central group decided when events start crossing boundaries of the affected division
Incident response team composition
▪ The IRT will have one chair, usually a senior security
analyst
▪ Coordinates with external stakeholders
▪ Helps other IRT members to perform their functions
▪ Needs high credibility within the organization
▪ For competence
▪ Excellent communication skills, both oral and in writing
▪ Enough technical background to understand the situation
▪ Judgment to make split second, educated decisions based on the status updates
Incident response team composition
▪ Technical members of IRT selected depending on the
threat action, e.g.
▪ If an Oracle database was breached due to a compromised administrator account
on the Operating System, the IRT may include the following members
▪ A person familiar with the OS to look at the OS system and logs
▪ A Database Administrator to examine Oracle database, contents, and logs
▪ Try to determine if anything was altered.
▪ A Network Engineer to review firewall and/or netflow logs observe any unusual traffic
▪ Desktop Services personnel if desktop machines facilitated the attack
Supporting team
▪ Communication is an important aspect of the duties of the IRT
▪ Extreme interest among different constituencies for information
▪ Potentially conflicting needs
▪ Often not enough information for satisfactory response

▪ Resist temptation of conveying speculation as informed “expert”


opinion
▪ Need-to-know principle
▪ People only provided information necessary to perform their job

▪ In communication with general public, supporting team advisable


▪ Media Relations has the know-how and experience on dealing with media
▪ Legal Counsel can verify federal or state disclosure laws
▪ Unintended disclosure may have severe financial and public relation consequences
▪ Law Enforcement for government cover and credibility

▪ Minimize rumor-mongering, ill-informed publicity and general


disorder
Incident communications
▪ Inbound communications
▪ Information about occurrence of incident

▪ Outbound communications
▪ Notifications to affected people

[Diagram: inbound reports (Direct Report, Anonymous, Help Desk, Self Audit) flow into the IRT; outbound notifications go to IT Personnel, Management, End Users, Compliance Related parties and Media]
Inbound communications
▪ Direct Report
▪ Asset owner or custodian may report the incident
▪ E.g. observing unusual computer behavior

▪ Anonymous Report
▪ Web forms to report an issue anonymously without fear of reprisal
▪ E.g. Allegations that a high ranking University official is printing pornographic material on University printers
▪ Public relations risk, sexual harassment lawsuits

▪ Help Desk
▪ Problem resolution may reveal problems
▪ E.g. misconfiguration of shared network drives

▪ Self-Audit
▪ Periodical vulnerability assessment and log analysis may identify breaches
▪ E.g. a forgotten FTP process
▪ Being used as a mp3 file server
Outbound communications
▪ Affected people are curious
▪ IT Personnel and the IT Help Desk
▪ Users quickly overwhelm Help Desk when essential assets are affected
▪ Immediate updates to remove exploited vulnerability

▪ Inform managers and other executives periodically


▪ Even if nothing has changed
▪ Prevents distracting phone calls to engineers working on containment and eradication of the problem
▪ Quick text messages and brief email messages with status updates are adequate

▪ End Users and Customers


▪ Get very edgy when they don’t know what is going on
▪ 2 questions
▪ When will the system be back
▪ What happened
Compliance
▪ Act of following applicable laws, regulations, rules, industry codes and
contractual obligations
▪ Ideally, best-practices developed to avoid well-known past mistakes
▪ In practice, often important mainly because non-compliance leads to avoidable penalties

▪ Need to comply with incident response requirements applicable to


your context
▪ Example
▪ Federal Information Security Management Act (FISMA)
▪ Requires Federal agencies to establish incident response capabilities
▪ Each Federal civilian agency must designate a primary and secondary point of contact with US-CERT
▪ United States Computer Emergency Readiness Team
▪ Report all incidents consistent with the agency’s incident response policy
▪ When known or suspected loss, theft or compromise of PII (personally identifiable information) involving US Navy
systems occurs, the Department of the Navy is required to
▪ Use OPNAV Form 5211/13 to make initial and follow up reports
▪ Send form US-CERT within 1 hour of discovering a breach has occurred
▪ Report to the DON CIO Privacy Office within 1 hour
▪ Report to the Defense Privacy Office
▪ Report to Navy, USMC, BUMED chain of command, as applicable
Hardware and software
▪ To be effective, IRT needs appropriate tools
▪ Sampling of the hardware and software recommended by NIST
800-61 for incident response includes
▪ Backup devices to create disk images or other incident data
▪ Laptops for gathering, analyzing data, and writing reports
▪ Spare computer hardware for “crash and burn” purposes, such as trying out malware and other
payload found and considered “unknown.”
▪ Packet analyzers to capture and analyze network traffic
▪ Digital forensics software to recover erased data, analyze Modified, Access, and Creation (MAC)
timelines, log analysis, etc. (e.g. Figure 3)
▪ Evidence gathering accessories such as digital cameras, audio recorders, chain of custody forms etc

▪ Search engines are very useful


▪ Log snippet or FTP banner may reveal valuable information
▪ Location of log files, configuration files, and other important clues
▪ Helps the security team to build a more complete timeline for the event
Training
▪ Awareness of a baseline set of information on all aspects
of security, e.g.
▪ Access Control
▪ Telecommunications and Network Security
▪ Information Security Governance and Risk Management
▪ Software Development Cryptography
▪ Security Architecture and Design
▪ Security Operations
▪ Business Continuity and Disaster Recovery Planning
▪ Legal, Regulations, Investigations and Compliance
▪ Physical (Environmental) Security

▪ Other facets of training


▪ Media Relations
Preparation
▪ Policy
▪ People
▪ Data
▪ Software/Hardware
▪ Communication
▪ Supplies

The goal of preparation is to get your team ready to handle incidents


Detection and analysis
▪ Documentation
▪ Record for organizational memory
▪ Facilitate post-incident analysis to improve response process

▪ Detection methods
▪ Use prior preparation to detect ongoing incidents

▪ Analysis
▪ Identify damage

Overview in this chapter


Details in next chapter
Incident documentation
▪ NIST recommendations for minimal information
▪ Current status of the incident
▪ New, in progress, forwarded for investigation, resolved, etc.
▪ Summary of the incident
▪ Indicators related to the incident
▪ Other incidents related to this incident
▪ Actions taken by all incident handlers on this incident
▪ Chain of custody, if applicable
▪ Impact assessments related to the incident
▪ Contact information for other involved parties
▪ e.g., system owners, system administrators
▪ List of evidence gathered during the incident investigation
▪ Comments from incident handlers
▪ Next steps to be taken
▪ e.g., rebuild the host, upgrade an application
Detection methods
▪ Visible changes to services
▪ E.g. web site defacement

▪ Performance monitoring
▪ E.g. excessively slow computer performance

▪ PII monitoring
▪ E.g. Google alerts
▪ www.google.com/alerts

▪ File integrity monitoring


▪ Host based IDS tools
▪ E.g. OSSEC
Detection methods
▪ Anonymous report
▪ Log analysis
▪ E.g. /var/log/messages

▪ End point protection alerts


▪ E.g. malware protection, host IDS functionality

▪ Internal investigations
▪ E.g. Internal audit
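File integrity monitoring and MAC timelines in their simplest form, as an added example (not OSSEC and not CQURE's tooling): snapshot() hashes and stats every file under a directory, compare() diffs two snapshots, and mac_timeline() flattens one into time-ordered events of the kind the "Hardware and software" slide mentions. demo() builds a scratch directory, tampers with it and returns the diff, so nothing beyond the standard library is needed.

```python
"""File integrity baseline plus MAC timeline over a directory, the two host-side detection
aids the slides name ("File integrity monitoring", "analyze Modified, Access, and Creation
(MAC) timelines").  Added example, not CQURE's tooling and not OSSEC; standard library only.
demo() exercises it on a scratch directory it creates itself."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file (relative path) to its SHA-256 and stat timestamps.
    st_ctime is inode-change time on Linux and creation time on Windows."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime,
        }
    return snap


def compare(baseline, current):
    """Diff two snapshots.  'touched' holds files whose content is unchanged but whose
    mtime moved: a hash-only comparison would miss timestomping, and a
    timestamp-only one would miss a same-size binary patch."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
        "touched": sorted(p for p in both if baseline[p]["sha256"] == current[p]["sha256"]
                          and baseline[p]["mtime"] != current[p]["mtime"]),
    }


def mac_timeline(snap):
    """Flatten a snapshot into (timestamp, 'm'|'a'|'c', path) events in time order, the
    body-file style view that forensic timeline tools produce."""
    events = [(meta[key], key[0], path) for path, meta in snap.items()
              for key in ("mtime", "atime", "ctime")]
    return sorted(events)


def demo():
    """Create a scratch tree, take a baseline, tamper with it, and return (diff, timeline)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a.txt").write_text("original")
        (root / "b.txt").write_text("untouched content")
        before = snapshot(root)
        (root / "a.txt").write_text("backdoored")                 # content change -> 'modified'
        os.utime(root / "b.txt", (1_000_000_000, 1_000_000_000))  # timestomp -> 'touched'
        (root / "c.txt").write_text("dropped file")               # new file -> 'added'
        after = snapshot(root)
        return compare(before, after), mac_timeline(after)


if __name__ == "__main__":
    diff, timeline = demo()
    print(diff)
    for ts, kind, path in timeline[:3]:
        print(f"{ts:.0f} {kind} {path}")
```

Take the baseline while the host is known good (at build time, or from an offline image) and store it off the host; a baseline that lives on the monitored machine is the first thing an intruder with SeBackupPrivilege or root will edit.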
Analysis
▪ Begins with incident detection
▪ Discover all adverse events that compose the incident
▪ Manage the next phase of the cycle
▪ Containment and Eradication
▪ Want to avoid containment without analysis

▪ Internet Search Engines are very helpful during analysis


▪ FTP banners, port numbers on botnets can be searched
▪ Perspective of other experts who have faced this situation before

▪ Identify stakeholders
▪ Identify restricted or essential assets affected by incident
▪ Primary targets for protection and eradication
Incident containment, eradication and recovery
▪ Containment
▪ The act of preventing the expansion of harm
▪ Typically involves disconnecting affected computers from the network
▪ May involve temporary shutdown of services
▪ Hence needs careful thought

▪ Sometimes containment is necessary before analysis is


completed
▪ If the analyst is confident that ongoing events merit action
▪ And/or determines that risk to assets is too high for events to continue
▪ Largely determined by the experience of IRT members
▪ Along with input from management, if possible
▪ E.g.
▪ A backdoor is being used to actively transfer PII to off-campus hosts
▪ Network connection should be broken as soon as possible
▪ Thereafter, the backdoor can be handled
▪ E.g. through network ACLs, firewalls, or actual removal of the backdoor from the server
Incident containment, eradication and recovery
▪ Important to get stakeholder input to the extent
possible
▪ Prevents other incidents
▪ E.g. disconnecting HR systems to finish removing malware
▪ May interrupt payroll processing if performed at the wrong time

▪ Other judgment calls during containment


▪ Do you want to sit back and observe hacker behavior?
▪ Need to judge potential amount of damage to assets from delayed containment
Incident containment, eradication and recovery
▪ IRT members and administrators have to be careful
when pulling plug on hackers
▪ Hackers can get destructive when found out
▪ Remove all local logging information that may lead to their capture, in an effort to cover their
tracks
▪ Database administrators may set up traps to totally destroy database and all contained data
▪ FBI sting operations against hackers
▪ Forcibly and speedily remove individuals from keyboards and other input devices
▪ Minimizes possibility that hackers might initiate scripts to destroy assets and evidence
▪ E.g. Finale in Kingpin
▪ Max Butler example case
Incident containment, eradication and recovery timeline
[Diagram: incident analysis timeline, with the Contain and Eradicate phases marked on it]
Post-incident analysis
▪ Prepare for the next incident
▪ IRT members gather their notes and finalize their documentation
▪ Documentation should contain all individual adverse events involved in the incident
▪ Together with time stamps and assets involved
▪ As well as
▪ Indicate areas of the organization involved in the accident and resulting breach
▪ How threats were handled individually by each department and together under the coordination of the IRT
▪ Extent to which existing procedures were appropriate to handle the issues
▪ Opportunities for improvement
▪ Extent to which assets were appropriately identified and classified
▪ So that IRT could make quick judgment calls as situation evolved
▪ Extent to which information sharing with stakeholders was done satisfactorily
▪ Opportunities for preemptive detection to avoid similar issues from happening
▪ Technical measures necessary to be taken to avoid similar issues in the future
Disaster
▪ Calamitous incident that causes great destruction
▪ Has huge repercussion throughout the whole organization
▪ Involves multiple sub-incidents

▪ Disaster Recovery (DR)
▪ Process adopted by the IT organization in order to bring systems back up and running
▪ Primary objective
▪ Keep employees and their families safe
▪ Implementation should avoid hazardous situations
▪ May involve moving operations to a redundant site, recovering services and data
▪ Extremely complex process
▪ Usually tackled by individuals with years of experience in the organization
Disaster – contd.
▪ USF example
▪ In 2002, hardware failure caused all 30,000 student email accounts to be lost
▪ DR plan called for re-creation of all student email accounts
▪ Initially empty
▪ But would allow students to start sending and receiving emails
▪ Subsequently, all mailbox data was extracted from tape and restored to the users’ mailboxes
▪ Entire DR process took about 3 weeks
Disaster – contd.
▪ DR is a piece of the bigger picture
▪ Business Continuity Planning (BCP)
▪ Business continuity planning
▪ Process for maintaining operations under adverse conditions
▪ Planners contemplate what would happen in case of a disaster
▪ What would be minimally necessary to help the organization continue to operate in case of a disaster
▪ USF email example
▪ Continuity activities involved questions on how students would turn in assignments
▪ BCP and DR involve and are often led by entities other than IT
▪ HR may require all individuals to stay home in a hurricane level 4 or higher
▪ IT may need employees to physically be present to shut down machines
▪ Co-ordination between these groups will ensure that appropriate actions are performed
Disaster – contd.
▪ Business Impact Analysis (BIA)
▪ An important part of BCP
▪ Identification of services and products that are critical to the organization
▪ BIA is related to asset management
▪ Essential assets are those that directly support the services and products that result from the BIA
▪ BIA dictates prioritization of the DR procedure
Disaster – contd.
▪ Preliminary DR checklist
▪ Call list
▪ Card-sized list of important phone numbers
▪ Plans to inform fellow employees if local phone systems are down
▪ Plans to sync backup and recovery at local and remote sites
▪ Which data should be restored first?
▪ Training for data restoration
▪ Are there instructions published somewhere?
▪ If the expectation is that someone will read a 100-page manual before initiating the restore, the procedure must be simplified
▪ Are test restores done regularly?
▪ Tapes and other media go bad, get scratched, and become unreadable
▪ Are there means to acquire new hardware to quickly replace the hardware damaged by the disaster?
▪ If cyber insurance is involved, does someone know the details on how to activate it?
Disaster – contd.
▪ In all likelihood, you will not get DR responsibilities in the early part of your career
▪ Hence not covered in detail in this book
▪ Introduction to familiarize with some basic concepts
▪ Enable contribution to the process
Summary
▪ Identify the major components of dealing with an incident
▪ Understand the incident handling lifecycle
▪ Prepare a basic policy outlining a methodology for the handling of an incident
▪ Report on the incident to improve preparation for a similar incident in the future
▪ The elements of disaster recovery and business continuity planning
Module 04: Handling Malicious Code Incidents
Techniques for malware discovery
▪ Signature-based
▪ Behavior-based
▪ Attempts to open, view, delete, and/or modify files
▪ Attempts to format disk drives and other unrecoverable disk operations
▪ Modifications to the logic of executable files, scripts or macros
▪ Modification of critical system settings, such as start-up settings
▪ Scripting of e-mail and instant messaging clients to send executable content
▪ Initiation of network communications
1- Evasion Techniques Used by Malware
▪ Wrapping
▪ Attaches the malicious payload (the installer or the malware itself) to a legitimate file.
2- Evasion Techniques Used by Malware
▪ Reflective PE Loader
▪ Custom code
▪ User Mode Loaders
▪ Executable is extracted and decrypted in memory
▪ Code is loaded and executed dynamically
▪ In Powershell.exe – not every module is embedded – they can be created and loaded during the execution
▪ In Win32API: Custom code mimics LoadLibrary()
▪ Interesting: During the compilation, that’s what helps us:
CompilerParameters.CompilerOptions = "/platform:x64";
3- Evasion Techniques Used by Malware
Scenario (attacker ↔ victim flow, shown as a diagram on the slide):
▪ Firefox GET
▪ Firefox RCE + payload
▪ Connect 888
▪ Remote session 888: download files
▪ Remote session 888: SCHTASKS: elevate, 777
▪ Connect 777
▪ Remote session 777: Infect WMI
▪ Connect 666
Scenario 1: Techniques used
1.

2.

3.
Scenario 2: Techniques used
1.
2.
3.

4.
5.

6.
AMSI
▪ Antimalware Scan Interface (AMSI)
▪ It is a generic interface standard that allows applications and services to integrate with any antimalware product
▪ Techniques used
▪ It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques
▪ Allows correlation of events
▪ The different fragments of a malicious payload can be associated to reach a more informed decision, which would be much harder to reach just by looking at those fragments in isolation.
Conclusions
1. The only cure is a _complete_ code execution prevention
2. Anti-Exploit solutions make a lot of sense
3. Sysmon (absolutely!)
4. At the end it is a matter of budget and price
5. Code execution prevention solutions are often misconfigured
Module 05: Securing Monitoring Operations
Windows Forensic Monitoring Limitations
Sysinternals Sysmon (System Monitor)
Sysmon Command-Line Usage
Sample Sysmon Events (depends on version)
Category                      Event ID
Process Create                1
Process Terminated            5
Driver Loaded                 6
Image Loaded                  7
File Creation Time Changed    2
Network Connection            3
CreateRemoteThread            8
RawAccessRead*                9
Sysmon Service State Change   4
Error                         255
Basic Configuration Options
Option                                   Description
-h [SHA1] [MD5] [SHA256] [IMPHASH] [*]   Hash algorithm(s)
-n [process,…]                           Logs network events
-l [process,…]                           Logs image load events
--                                       Restores default configuration (-c only)
Hashes and VirusTotal
Advanced Configuration
▪ Install with a configuration file:
sysmon -i -accepteula c:\SysmonConfig.xml
▪ Update the configuration of a running instance:
sysmon -c c:\SysmonConfig.xml
Event Tags
▪ Tags
▪ ProcessCreate
▪ ProcessTerminate
▪ FileCreateTime
▪ NetworkConnect
▪ DriverLoad
▪ ImageLoad
▪ CreateRemoteThread
▪ RawAccessRead
<tag onmatch="include">
  <include filter/>
  …
</tag>
<tag onmatch="exclude">
  <exclude filter/>
  …
</tag>
Event Tags With No Filters
Sysmon Architecture
[Diagram: user mode – Sysmon (Cmd) and Sysmon (Service); kernel mode – SysmonDrv]
Advanced Filtering
▪ ConditionType
▪ is
▪ is not
▪ contains
▪ excludes
▪ begin with
▪ end with
▪ less than
▪ more than
▪ image
Process Events
▪ ProcessCreate
▪ UtcTime
▪ ProcessGuid
▪ ProcessId
▪ Image
▪ CommandLine
▪ CurrentDirectory
▪ User
▪ LogonGuid
▪ LogonId
▪ TerminalSessionId
▪ IntegrityLevel
▪ Hashes
▪ ParentProcessGuid
▪ ParentProcessId
▪ ParentImage
▪ ParentCommandLine
▪ ProcessTerminate
▪ UtcTime
▪ ProcessGuid
▪ ProcessId
▪ Image
Image and Driver Loaded
▪ ImageLoaded
▪ UtcTime
▪ ProcessGuid
▪ ProcessId
▪ Image
▪ ImageLoaded
▪ Hashes
▪ Signed
▪ Signature
▪ DriverLoaded
▪ UtcTime
▪ ImageLoaded
▪ Hashes
▪ Signed
▪ Signature
File Events
▪ File Creation Time Changed
▪ UtcTime
▪ ProcessGuid
▪ ProcessId
▪ Image
▪ TargetFilename
▪ CreationUtcTime
▪ PreviousCreationUtcTime
Network Events
▪ Network Connection Detected
▪ UtcTime
▪ ProcessGuid
▪ ProcessId
▪ Image
▪ User
▪ Protocol
▪ Initiated
▪ SourceIsIpv6
▪ SourceIp
▪ SourceHostname
▪ SourcePort
▪ SourcePortName
▪ DestinationIsIpv6
▪ DestinationIp
▪ DestinationHostname
▪ DestinationPort
▪ DestinationPortName
Thread Events
▪ CreateRemoteThread Detected
▪ UtcTime
▪ SourceProcessGuid
▪ SourceProcessId
▪ SourceImage
▪ TargetProcessGuid
▪ TargetProcessId
▪ TargetImage
▪ NewThreadId
▪ StartAddress
▪ StartModule
▪ StartFunction
Disk/Volume Read Events
▪ RawAccessRead Detected
▪ UtcTime
▪ ProcessGuid
▪ ProcessId
▪ Image
▪ Device
Filter Examples
▪ Splunk (https://github.com/splunk/TA-microsoft-sysmon):
<Image condition="end with">splunk</Image>
<Image condition="end with">msg_replay.exe</Image>
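The event tags, the no-filter case, the condition types and the filter fragments above all come together when Sysmon decides whether to write an event. The following is an added example, not Sysmon's own code and not part of the slides: a small Python evaluator that reads a configuration fragment in the `<EventType onmatch="...">` shape shown here and applies it to constructed events. The semantics it implements are the ones the slides describe (an include tag logs only matching events and logs nothing when it has no filters; an exclude tag drops matching events and logs everything when it has no filters; an event type with no tag is always logged); the case-insensitive string handling, the lexicographic `less than`/`more than` and the path-or-file-name behaviour of `image` are assumptions about Sysmon's behaviour, not something the slides state. The configuration and events are made up for the example.

```python
"""Added example: evaluate Sysmon-style include/exclude rules against events."""
import xml.etree.ElementTree as ET

# Constructed configuration for this example (not a production rule set).
SAMPLE_CONFIG = """
<Sysmon schemaversion="3.2">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">splunk</Image>
      <Image condition="end with">msg_replay.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <Image condition="image">powershell.exe</Image>
      <DestinationPort condition="is">4444</DestinationPort>
    </NetworkConnect>
    <ImageLoad onmatch="include" />
  </EventFiltering>
</Sysmon>
"""


def condition_matches(condition, actual, expected):
    """Apply one ConditionType to a field value (case-insensitive; assumption)."""
    a, e = str(actual).lower(), str(expected).lower()
    if condition == "is":
        return a == e
    if condition == "is not":
        return a != e
    if condition == "contains":
        return e in a
    if condition == "excludes":
        return e not in a
    if condition == "begin with":
        return a.startswith(e)
    if condition == "end with":
        return a.endswith(e)
    if condition == "less than":          # lexicographic comparison (assumption)
        return a < e
    if condition == "more than":
        return a > e
    if condition == "image":              # full path or bare file name (assumption)
        return a == e or a.rsplit("\\", 1)[-1] == e
    raise ValueError("unknown condition type: %r" % condition)


def load_rules(xml_text):
    """Return {event_type: (onmatch, [(field, condition, value), ...])}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for tag in root.find("EventFiltering"):
        filters = [(f.tag, f.get("condition", "is"), (f.text or "").strip()) for f in tag]
        rules[tag.tag] = (tag.get("onmatch"), filters)
    return rules


def should_log(rules, event_type, event):
    """Decide whether an event (dict of Sysmon field -> value) would be recorded."""
    if event_type not in rules:
        return True                          # no tag for this type: everything recorded
    onmatch, filters = rules[event_type]
    matched = any(field in event and condition_matches(cond, event[field], value)
                  for field, cond, value in filters)
    # include with no filters -> matched is False -> nothing logged
    # exclude with no filters -> matched is False -> everything logged
    return matched if onmatch == "include" else not matched


# Constructed events exercising each branch of the configuration above.
SAMPLE_EVENTS = [
    ("ProcessCreate", {"Image": r"C:\Program Files\Splunk\bin\msg_replay.exe"}),
    ("ProcessCreate", {"Image": r"C:\Windows\System32\notepad.exe"}),
    ("NetworkConnect", {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "DestinationPort": "443"}),
    ("NetworkConnect", {"Image": r"C:\Program Files\Google\Chrome\chrome.exe",
                        "DestinationPort": "443"}),
    ("NetworkConnect", {"Image": r"C:\Tools\agent.exe", "DestinationPort": "4444"}),
    ("ImageLoad", {"ImageLoaded": r"C:\Windows\System32\ntdll.dll"}),
    ("FileCreateTime", {"TargetFilename": r"C:\Users\Public\x.exe"}),
]


def evaluate(xml_text=SAMPLE_CONFIG, events=SAMPLE_EVENTS):
    """Return [(event_type, logged?)] for every sample event."""
    rules = load_rules(xml_text)
    return [(event_type, should_log(rules, event_type, fields)) for event_type, fields in events]


if __name__ == "__main__":
    for event_type, logged in evaluate():
        print("%-15s %s" % (event_type, "logged" if logged else "dropped"))
```

Running it shows the two ways a rule set goes quiet: the `msg_replay.exe` process is dropped by an explicit exclude, while every `ImageLoad` event disappears because the include tag has no filters, which is the trap the "Event Tags With No Filters" slide is about.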
Splunk Example Queries
▪ http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 NOT User="NT AUTHORITY\\SYSTEM" | stats values(User) as User,values(CommandLine) as CommandLine,values(ProcessId) as ProcessId,values(ParentProcessId) as ParentProcessId values(ParentCommandLine) as ParentCommandLine by LogonGuid
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Protocol=tcp Initiated=true | eval src=if(isnotnull(SourceHostname), SourceHostname+":"+SourcePort, SourceIp+":"+SourcePort) | eval dest=if(isnotnull(DestinationHostname), DestinationHostname+":"+DestinationPort, DestinationIp+":"+DestinationPort) | eval src_dest=src + " => " + dest | stats values(src_dest) as Connection by ProcessGuid ProcessId User Computer Image
sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=3 Protocol=tcp Initiated=true | where DestinationIp!="127.0.0.1" AND DestinationHostname!=SourceHostname | table _time User Computer ProcessId ProcessGuid DestinationHostname DestinationPort | join type=inner [search sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | table _time ProcessGuid ProcessId CommandLine]
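The third query is the one worth understanding in detail, because it is a correlation rather than a filter: outbound TCP connections are joined back to the process that made them through `ProcessGuid`. As an added example (not from the Splunk blog post or the slides), the same logic is re-implemented in Python over constructed Sysmon events, so the join conditions can be read and tested without a SIEM. The field names are Sysmon's; every value is made up.

```python
"""Added example: outbound connections joined to their ProcessCreate command line."""

# Constructed Sysmon events: EventCode 1 = ProcessCreate, EventCode 3 = NetworkConnect.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ProcessGuid": "{A1}", "ProcessId": 4120, "User": "LAB\\alice",
     "Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <constructed-base64>"},
    {"EventCode": 1, "ProcessGuid": "{B2}", "ProcessId": 5000, "User": "LAB\\alice",
     "Computer": "WS01", "Image": r"C:\Program Files\Browser\browser.exe",
     "CommandLine": "browser.exe"},
    # powershell.exe talking to an external host: should be reported
    {"EventCode": 3, "ProcessGuid": "{A1}", "ProcessId": 4120, "User": "LAB\\alice",
     "Computer": "WS01", "Protocol": "tcp", "Initiated": "true",
     "SourceHostname": "WS01.lab.local", "DestinationIp": "203.0.113.10",
     "DestinationHostname": "cdn.example.net", "DestinationPort": 443},
    # loopback: excluded by DestinationIp != 127.0.0.1
    {"EventCode": 3, "ProcessGuid": "{B2}", "ProcessId": 5000, "User": "LAB\\alice",
     "Computer": "WS01", "Protocol": "tcp", "Initiated": "true",
     "SourceHostname": "WS01.lab.local", "DestinationIp": "127.0.0.1",
     "DestinationHostname": "WS01.lab.local", "DestinationPort": 8080},
    # connection to the host's own name: excluded by DestinationHostname != SourceHostname
    {"EventCode": 3, "ProcessGuid": "{B2}", "ProcessId": 5000, "User": "LAB\\alice",
     "Computer": "WS01", "Protocol": "tcp", "Initiated": "true",
     "SourceHostname": "WS01.lab.local", "DestinationIp": "192.0.2.7",
     "DestinationHostname": "WS01.lab.local", "DestinationPort": 445},
    # UDP and no matching ProcessCreate: excluded by Protocol and by the inner join
    {"EventCode": 3, "ProcessGuid": "{C3}", "ProcessId": 6100, "User": "LAB\\alice",
     "Computer": "WS01", "Protocol": "udp", "Initiated": "true",
     "SourceHostname": "WS01.lab.local", "DestinationIp": "192.0.2.53",
     "DestinationHostname": "dns.lab.local", "DestinationPort": 53},
]


def outbound_connections_with_command_line(events):
    """Mirror the Splunk query: EventCode 3, tcp, Initiated, not loopback, not a
    connection back to the same host, inner-joined on ProcessGuid to EventCode 1."""
    command_lines = {e["ProcessGuid"]: e["CommandLine"] for e in events if e["EventCode"] == 1}
    rows = []
    for e in events:
        if e["EventCode"] != 3 or e["Protocol"] != "tcp" or e["Initiated"] != "true":
            continue
        if e["DestinationIp"] == "127.0.0.1" or e["DestinationHostname"] == e["SourceHostname"]:
            continue
        if e["ProcessGuid"] not in command_lines:   # inner join drops unmatched connections
            continue
        rows.append({
            "User": e["User"], "Computer": e["Computer"], "ProcessId": e["ProcessId"],
            "ProcessGuid": e["ProcessGuid"], "DestinationHostname": e["DestinationHostname"],
            "DestinationPort": e["DestinationPort"], "CommandLine": command_lines[e["ProcessGuid"]],
        })
    return rows


if __name__ == "__main__":
    for row in outbound_connections_with_command_line(SAMPLE_EVENTS):
        print(row)
```

Only the powershell.exe connection survives all four conditions, and the joined `CommandLine` is what turns a bare destination into something an analyst can judge. Note that the loopback and same-host exclusions are what keep ordinary local traffic out of the result, so they should be kept when adapting the query.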
Operations Management Suite
Auditing AD
▪ You must enable auditing in a domain-level GPO, with no override, to ensure every system in your domain is tracking important events.
▪ You should audit failed logons, successful and failed account management, object access, and policy change.
▪ Use the same GPO to boost the security log size, because with the increased auditing you’ll need it.
▪ You should try to rid yourself of LM (LAN Manager) password hashes if possible.
Classic Data Protection API
▪ Based on the following components: password, data blob, entropy
▪ Is not prone to password resets!
▪ Protects from outsiders when being in offline access
▪ Effectively protects users’ data
▪ Stores the password history
▪ You need to be able to get access to some of your passwords from the past
▪ Conclusion: OS greatly helps us to protect secrets
Getting the: Classic DPAPI Secrets
DPAPI (classic)
A. MasterKey
1. pwdhash = MD4(password) or SHA1(password)
2. pwdhash_key = HMACSHA1(pwdhash, user_sid)
3. PBKDF2(…, pwdhash_key, …), other elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds
4. Control – HMACSHA512
B. CREDHIST
1. pwdhash = MD4(password) or SHA1(password)
2. pwdhash_key = HMACSHA1(pwdhash, user_sid)
3. PBKDF2(…, pwdhash_key, …), other elements from the file. Windows 10 no domain: SHA512, AES-256, 8000 rounds
4. Control – HMACSHA512
C. DPAPI blob: the algorithms are written in the blob itself.
DPAPI + AD
[Diagram: client ↔ AD server]
▪ Client: local LSASS process, DPAPI, CryptUnprotectData(), DPAPI-protected blob
▪ Scenario: offline, changed user password, or local masterkey can’t be decrypted
▪ RPC call BackupKey(masterkey) to the LSASS process on the AD server (local masterkey can’t be decrypted); the server returns the decrypted masterkey
▪ AD server secrets: G$BCKUPKEY_PREFERRED, G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855
▪ DPAPI-protected blob (header bytes): 01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 ......
Cached Logons: It used to be like this…
▪ Before the attacks facilitated by pass-the-hash, we could only rejoice at the "salting" by the username.
▪ There are a number of pre-computed tables for users such as Administrator facilitating attacks on these hashes.
Cached Logons
Getting the: cached data
MSDCC2
1. bootkey: classes from HKLM\SYSTEM\CCS\Control\Lsa + [class names for: Data, GBG, JD, Skew1] (+ arrays’ permutations)
int[] permutationBootKey = new int[] { 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 };
2. PolEKList: HKLM\SECURITY\Policy\PolEKList [default value]
3. lsakey: AES_DECRYPT(key, data) -> AES(bootkey, PolEKList)
4. NL$KM secret: HKLM\SECURITY\Policy\Secrets\NL$KM
5. nlkm_decrypted: AES_DECRYPT(lsakey, NL$KM secret)
6. Cache_Entry{id} -> HKLM\SECURITY\Cache\NL${id}
7. cache_entry_decrypted -> AES_DECRYPT(nlkm_decrypted, Cache_Entry{id})
Legend
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
Microsoft’s implementation: MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16)
Cached Logons: Iterations
▪ The number of iterations in PBKDF2 is configurable through the registry:
HKEY_LOCAL_MACHINE\SECURITY\Cache
DWORD (32) NL$IterationCount
▪ If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations)
▪ If the number is greater than 10240, it is the number of iterations (rounded to 1024)
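What this registry value buys a defender is visible when the derivation from the Legend slide is written out. The following is an added example, not Microsoft's code: it implements MSDCC2 = PBKDF2(HMAC-SHA1, DCC1, username, iterations, 16) with `hashlib`, together with the NL$IterationCount rule from this slide. Labelled assumptions: the salt is the lower-cased username in UTF-16LE; a value above 10240 is rounded down to a multiple of 1024 (the slide only says "rounded to 1024"); and DCC1 is taken as an opaque 16-byte input, here a constructed placeholder, rather than derived from a password. The point of `relative_cost` is that each offline guess against a cached credential costs the attacker exactly as many PBKDF2 iterations as you configure.

```python
"""Added example: effect of NL$IterationCount on the MSDCC2 derivation cost."""
import hashlib

DEFAULT_ITERATIONS = 10240


def nl_iteration_count(registry_value=None):
    """Translate HKLM\\SECURITY\\Cache NL$IterationCount into PBKDF2 iterations."""
    if registry_value is None:                  # value absent: Windows default
        return DEFAULT_ITERATIONS
    if registry_value < DEFAULT_ITERATIONS:     # small values are multipliers: 20 -> 20480
        return registry_value * 1024
    return registry_value & ~0x3FF              # assumption: round down to a multiple of 1024


def msdcc2(dcc1, username, iterations=DEFAULT_ITERATIONS):
    """PBKDF2-HMAC-SHA1 over DCC1 with the username as salt, 16-byte output."""
    salt = username.lower().encode("utf-16-le")  # assumption: lower-cased, UTF-16LE
    return hashlib.pbkdf2_hmac("sha1", dcc1, salt, iterations, 16)


def relative_cost(registry_value):
    """How many times more expensive one offline guess becomes versus the default."""
    return nl_iteration_count(registry_value) / DEFAULT_ITERATIONS


CONSTRUCTED_DCC1 = bytes(range(16))   # placeholder standing in for a real DCC1 value

if __name__ == "__main__":
    for value in (None, 20, 50, 12000):
        iterations = nl_iteration_count(value)
        digest = msdcc2(CONSTRUCTED_DCC1, "Administrator", iterations)
        print("NL$IterationCount=%-5s iterations=%-6d cost x%-4.1f %s"
              % (value, iterations, relative_cost(value), digest.hex()))
```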
Classic DPAPI Flow: getting the user’s secrets
Retrieving Golden Key from LSA – Mimikatz’ way
[Diagram: LSASS.EXE memory (LSASRV.DLL, LSASS.EXE, etc.) → patterns for different versions of the modules → G$BCKUPKEY_PREFERRED and G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855 → GoldenKey.pfx]
Retrieving Golden Key from LSA – CQURE’s way
[Diagram: LSASS.EXE memory (LSASRV.DLL) → G$BCKUPKEY_PREFERRED and G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855 → "AD secret? HOW?!" → GoldenKey.pfx]
CQLsassSecretsDumper
DPAPI-AD: How (the hell) did we do it?
▪ DomainKey contains some GUID and a 256-byte long secret – RSA??
▪ Dude, look in the AD...
Demo: What about KeePass?
DPAPI in pictures
Example: KeePass ProtectedUserKey.bin
▪ The master password for KeePass files, encrypted & stored as cipherText (80 bytes)
[Diagram with legend]
Demo: What about RDP Connections?
Getting the: DPAPI-NG Secrets
DPAPI-NG
A. RootKey
▪ Algorithms: key derivation function SP800_108_CTR_HMAC (SHA512); secret agreement: Diffie-Hellman
B. DPAPI blob
▪ Key derivation: KDF_SP80056A_CONCAT
▪ After getting the key, there is a need for decryption: key wrap algorithm RFC3394 (KEK -> CEK); decryption AES-256-GCM (CEK, Blob)
DPAPI-NG: Data encryption flow
[Diagram: client ↔ AD server]
▪ Client: local LSASS process, CNG DPAPI, NCryptUnprotectSecret(), SID-protected blob
▪ RPC call GetKey(SID, L0, L1, L2 params) to the LSASS process on the AD server; the server answers with the group key (RootKeyData?)
▪ RootKey stored in Active Directory
DPAPI-NG: Protected data encoded as ASN.1 blob
▪ Looks familiar? It should! It’s a DPAPI blob!
▪ Protection descriptor: LOCAL=user
• KEK (Key Encryption Key) stored as DPAPI blob
• Forced by protection descriptor LOCAL=user
• Key Wrap (RFC3394) contains encrypted CEK (Content Encryption Key)
• Data encrypted by CEK
DPAPI-NG: getting to SID-Protected PFX files
[Cartoon: "CACHED SECRETS" – "Eee? How do you know?" – "It is not safe to store them!"]
Live and Postmortem Forensics
Advantages of Live Forensics
Risks of Live Forensics
Imaging the Hard Drive
When Live Forensics is the Best Option
Live Imaging
Live incident response: Details
▪ Collection of both volatile and non-volatile data while the system is up
▪ Volatile data
▪ Data that would be lost on a reboot of the system
▪ E.g. running processes, volatile memory content, current TCP and UDP connections, etc
▪ E.g. systeminfo
▪ Non-volatile data
▪ Data stored in permanent storage devices, such as hard drives
▪ First rule of forensics
▪ Recover as much data as possible while the system is up and running
▪ If at all possible
▪ At times, depending on the damage being caused
▪ Have to disconnect machine from the network before recovering data
▪ E.g. attacking other machines
▪ Collected data must be shipped off the machine to another workstation
▪ Called forensics workstation
▪ Popular applications used to send data include netcat and cryptcat
▪ Netcat sends data over a TCP connection
▪ Cryptcat is the encrypted version of netcat
▪ Systeminfo
▪ Usually one of the first commands used by hackers
▪ Find out how powerful the machine is and how much storage is available
▪ Also specifies which patches have been applied to the system
Live incident response – contd.
▪ Restore files
▪ Obtaining files used in an attack
▪ E.g. binaries used and logs generated by hackers
Minimizing Impact
Incident Response
Malware Analysis
Encrypted Systems
Nonsupported File Systems
Memory Dumping
How to make a memory dump?
▪ Memory Forensics grabs the data at the lowest level: (most) malware cannot hide!
Memory Dumping from Linux
Memory Analysis Tools
Live Disk Imaging Tools
Advantages of Postmortem Forensics
Risks of Postmortem Forensics
Core Dumps
Hibernation Files
What to search for?
▪ Processes
▪ Threads
▪ Modules
▪ Handles
▪ Registry
▪ Apihooks
▪ Services
▪ UserAssist
▪ Shellbags
▪ ShimCache
▪ Event Logs
▪ Registry (again)
▪ Timeline
Handles: More Than Files
YARA and Other Tools
Memoryze: Live analysis
Typical Traces
▪ Logs
▪ Windows Explorer
Searching for a Trace: Disk
▪ Disk
Techniques for Hiding vs. Recovering Data
Searching for a Trace: Memory
▪ Memory
Handles
Processes
Hidden Processes (ActiveProcessLinks)
Files that can be extracted
Threads
Modules
Registry
API Hooks
Services
UserAssist
Shellbags
ShimCache
Event Logs
Timeline
Log analysis
Windows logs
▪ Referred to as “Event Logs”
▪ Event viewer application
▪ Native user interface to view logs
▪ Other tools are also available
▪ May provide improved features to dig into event log files
Event viewer
▪ Control panel → Event Viewer
▪ Navigation pane
▪ Left pane
▪ Means to look at different logs that exist on this system
▪ Administrator can create custom views
▪ Focus on specific targets

▪ Home screen
▪ Center
Event viewer home screen
▪ Summary of Administrative Events Pane
▪ This pane contains a breakdown on the number of events per event type. If the administrator expands the event type by clicking on the “+” button next to the type, the number of events under that particular event type is further broken down by Event ID. Event IDs are classes of events under a specific type.
Event viewer home screen
▪ Summary of Administrative Events Pane
▪ Contains a breakdown of the number of events per event type
▪ Node for each type can be expanded
▪ Shows number of events under that particular event type
▪ Further broken down by Event ID
▪ Event IDs are classes of events under a specific type
Event viewer home screen – contd.
▪ Recently viewed nodes pane
▪ Latest event log files viewed
▪ Contains
▪ Description of the view (when available)
▪ Date the log file (node) was last modified
▪ When the file was originally created
▪ Blank date lines indicate that the file was never created
▪ Or log entries have never been appended to the file
Event viewer home screen – contd.
▪ Log summary
▪ Describes attributes of each log file currently kept by Windows
▪ Size/Maximum Column
▪ How much space is left for growth in the log file
▪ Files nearing maximum indicate that records are rotating
▪ Therefore likely being lost
▪ Need to consider log life
Types of event log files
▪ Default since Windows XP
▪ Application log
▪ Logging information from 3rd party applications, and
▪ MS applications not part of OS core distribution
▪ E.g. video game log information, MS Office logs
▪ Security file
▪ Default - login and logout attempts
▪ Can be configured to log data file activity
▪ File creation, opening or closing
▪ System event log file
▪ Holds operating system log messages
▪ E.g. network connection problems and video card driver errors
Types of event log files – contd.
▪ Windows 8 / 10
▪ Adds 2 more log files
▪ Setup node
▪ Stores logging information regarding installation of software applications
▪ Forwarded Events log
▪ Discussed shortly
Windows forensics example
▪ Screenshot from a compromised machine (next slide)
▪ Computer had McAfee Antivirus running on it
▪ “Event ID 5000”
▪ Exported log
▪ Therefore more event details not available
▪ However included information points to “VirusScan Enterprise” as culprit
▪ System administrator in organization would know
▪ AV engine version at the time of this incident was 5.4.1
▪ Compared with the 5.3.0 shown in the log
▪ Hence virus scanner was not up to date on this particular machine
▪ Internet search on “Event ID 5000” in connection with McAfee
▪ Error possible if On Access protection did not start up successfully
▪ Piece that keeps the machine from getting infected in real-time
▪ Follow up
▪ Was antivirus software application running on this machine at all?
Event criticality
▪ Log messages tagged with labels indicating their level of urgency
▪ Custom View folder
▪ “Administrative Events” Custom View
▪ Installed by default
▪ Provides view of all the “Critical,” “Error” and “Warning” events from all administrative logs
Event criticality – contd.
▪ Criticality levels defined by Windows
▪ Information
▪ Describes successful operation of a task
▪ E.g. application, driver, or service
▪ E.g. when a network driver loads successfully
▪ Warning
▪ Not necessarily a significant event
▪ However, may indicate the possible occurrence of a future problem
▪ E.g. when disk space starts to run low
▪ Error
▪ Describes a significant problem
▪ E.g. failure of a critical task
▪ E.g. a service fails to load during startup
Event criticality – contd.
▪ Criticality levels defined by Windows – contd.
▪ Success Audit (Security log)
▪ Event that describes successful completion of an audited security event
▪ E.g. a user logs on to the computer
▪ Failure Audit (Security log)
▪ Event that describes an audited security event that did not complete successfully
▪ E.g. when a user cannot access a network drive
UNIX logs
▪ Syslog
▪ Service
▪ File
▪ Standard log files
▪ Messages or syslog
▪ Authentication log
▪ Wtmp
▪ Utmp
▪ Web server logs
▪ Netflow logs
▪ Other logs
Syslog
▪ Syslog service
▪ Process designed to handle messages for programs that are “syslog-aware”
▪ Any programmer can use syslog facility
▪ Store log information on a location specified in the syslog.conf configuration file
▪ To use syslog service
▪ Specify selectors
▪ Two parts
▪ Facility
▪ Priority
Syslog facility
▪ Specifies service that produced the error message
▪ Defined services
▪ E.g. auth, authpriv, cron, daemon, kern, lpr, and mail
▪ For instance email subsystem log messages would be logged using the mail facility
▪ Locally developed code
▪ local0 through local7
Syslog priority
▪ One of the following
▪ debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)
▪ Classifies message by criticality
▪ Priorities are additive
▪ Messages with specified priority and all higher priorities will be logged
▪ E.g. the selector mail.warn will match messages with the priority warn, err, crit and emerg
Syslog configuration
▪ Specified in a configuration file
▪ Composed by combining a selector coupled with an action

▪ Action
▪ Specifies what needs to be done when a matching message is generated
▪ Could be
▪ A filename, such as /var/adm/messages
▪ A forward to the syslog service on another host
▪ E.g. @hostname
▪ Write the log information to the user’s screen
▪ Specifying the username
▪ * for all users
Syslog configuration example
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                   /var/log/secure
mail.*                                       /var/log/maillog
cron.*                                       /var/log/cron
*.emerg                                      *
Line 1
▪ All messages classified as info or higher priority, regardless of facility (*.info) will be written to /var/log/messages
▪ Exceptions to this rule are messages from mail, authpriv and cron facilities
▪ None priority
Lines 2-4
▪ All messages from specified facilities are written to their respective log files
Line 5
▪ All messages with the priority of emerg
▪ Typically only used if a system shutdown is imminent
▪ Written to the screen of all users currently logged into the server (*)
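The selector rules above (additive priorities, `*` wildcards, and `none` as an exception inside a wider selector) are easy to misread when tracing where a message went during an investigation. As an added example, not from syslogd and not from the slides, here is a small Python router that applies `facility.priority` selectors to messages exactly as described: the last selector part that names a facility (explicitly or via `*`) sets its threshold, `none` switches the facility off, and a message is delivered when its priority is at least the threshold. The configuration is the slide's five lines; the messages are constructed.

```python
"""Added example: route messages with syslog.conf selectors."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# The slide's example configuration.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
"""

# Constructed messages: (facility, priority, text).
SAMPLE_MESSAGES = [
    ("authpriv", "notice", "sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2"),
    ("mail", "warning", "postfix/smtpd[913]: warning: hostname not resolvable"),
    ("kern", "info", "kernel: eth0: link up"),
    ("kern", "debug", "kernel: verbose driver trace"),
    ("cron", "emerg", "crond: system going down for maintenance"),
]


def priority_index(name):
    """Position in the severity order; aliases map to their canonical name."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_conf(text):
    """Return [(selector_parts, action)] where selector_parts is [(facility, priority)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        parts = [tuple(part.split(".", 1)) for part in selector.split(";")]
        rules.append((parts, action.strip()))
    return rules


def selector_matches(parts, facility, priority):
    """The last selector part naming this facility (or '*') decides its threshold."""
    threshold = None
    for fac, pri in parts:
        if fac == "*" or facility in fac.split(","):   # 'auth,authpriv.*' style also accepted
            threshold = pri
    if threshold is None or threshold == "none":
        return False
    if threshold == "*":
        return True
    return priority_index(priority) >= priority_index(threshold)   # additive priorities


def route(rules, facility, priority):
    """Actions (files, remote hosts, users, '*') that receive one message."""
    return [action for parts, action in rules if selector_matches(parts, facility, priority)]


def dispatch(conf_text=SAMPLE_CONF, messages=SAMPLE_MESSAGES):
    """Map each action to the message texts it would receive."""
    rules = parse_conf(conf_text)
    out = {}
    for facility, priority, text in messages:
        for action in route(rules, facility, priority):
            out.setdefault(action, []).append(text)
    return out


if __name__ == "__main__":
    for action, texts in dispatch().items():
        print(action)
        for text in texts:
            print("   ", text)
```

With this configuration the failed SSH login lands only in /var/log/secure, so an investigator who checks /var/log/messages alone would not see it; the mail warning likewise goes only to /var/log/maillog because `mail.none` removes mail from the first line.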
Syslog configuration example
▪ Syslog configuration allows administrator to specify location of logs
▪ May choose locations different from the conventional location
▪ /var/log
▪ In an investigation
▪ /var/log directory and its contents are empty
▪ Does not mean someone removed them
▪ Or that system does not log activity
▪ Administrator may have put logs in a different location
Standard log files
▪ Messages or syslog
▪ /var/log/messages or /var/log/syslog
▪ Default location of syslog service messages
▪ Messages are designed for parsing by standard UNIX utilities

▪ Authentication log
▪ /var/log/secure or /var/log/auth.log
▪ Records connection attempts and results of such attempts
▪ Can indicate brute force connection attempts
wtmp
▪ /var/log/wtmp
▪ Historical login and logout information
▪ Binary file
▪ Used by other commands
▪ who
▪ Last logged in users
▪ last
▪ Recent reboots
▪ last -a
Utmp
▪ Currently logged in users
▪ Binary file
▪ Located in
▪ /var/run, or
▪ /var/adm
▪ w command
▪ From column output is very useful
▪ If an unknown host is seen
▪ Enter incident response mode
Web server logs
▪ Web servers are probably the most common attack path recently
▪ Accessible to attackers
▪ Access and error logs can be useful sources of data
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /login HTTP/1.1" 404 338
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /sws/data/sws_data.js HTTP/1.1" 404 353
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /wcd/system.xml HTTP/1.1" 404 347
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /js/Device.js HTTP/1.1" 404 345
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /ptz.htm HTTP/1.1" 404 340
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET / HTTP/1.1" 200 14257
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /authenticate/login HTTP/1.1" 404 352
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /tmui/ HTTP/1.1" 404 339
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /admin/login.do HTTP/1.1" 404 348
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /dms2/Login.jsp HTTP/1.1" 404 348
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /login HTTP/1.1" 404 339
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /sws/data/sws_data.js HTTP/1.1" 404 354
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /wcd/system.xml HTTP/1.1" 404 348
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /js/Device.js HTTP/1.1" 404 346
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /ptz.htm HTTP/1.1" 404 341
xxx.2xx.89.16 - - [09/May/2016:11:41:38 -0400] "GET /robots.txt HTTP/1.1" 404 343
xxx.2xx.89.16 - - [09/May/2016:11:41:38 -0400] "GET /CVS/Entries HTTP/1.1" 404 344
xxx.2xx.89.16 - - [09/May/2016:11:41:38 -0400] "GET /NonExistant1380414953/ HTTP/1.1" 404 355
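The log excerpt above is what an automated probe for known administrative paths looks like from the server side: two sources, a second or so of time, and a string of 404s for unrelated paths. As an added example (not from the slides), the Python below parses these lines in Apache common log format and reports, per source, how many 404s it produced, over how many distinct paths and in what time span, marking a source as suspicious when a burst of 404s falls inside a short window. The masked addresses are kept exactly as the slide prints them; the thresholds are constructed for the example.

```python
"""Added example: spot 404 bursts per source in an Apache access log."""
import re
from datetime import datetime

# Common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

# The lines shown on the slide.
SAMPLE_LOG = """\
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /login HTTP/1.1" 404 338
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /sws/data/sws_data.js HTTP/1.1" 404 353
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /wcd/system.xml HTTP/1.1" 404 347
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /js/Device.js HTTP/1.1" 404 345
xxx.2xx.89.16 - - [09/May/2016:11:41:37 -0400] "GET /ptz.htm HTTP/1.1" 404 340
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET / HTTP/1.1" 200 14257
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /authenticate/login HTTP/1.1" 404 352
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /tmui/ HTTP/1.1" 404 339
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /admin/login.do HTTP/1.1" 404 348
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /dms2/Login.jsp HTTP/1.1" 404 348
xxx.2xx.97.183 - - [09/May/2016:11:41:37 -0400] "GET /login HTTP/1.1" 404 339
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /sws/data/sws_data.js HTTP/1.1" 404 354
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /wcd/system.xml HTTP/1.1" 404 348
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /js/Device.js HTTP/1.1" 404 346
xxx.2xx.97.183 - - [09/May/2016:11:41:38 -0400] "GET /ptz.htm HTTP/1.1" 404 341
xxx.2xx.89.16 - - [09/May/2016:11:41:38 -0400] "GET /robots.txt HTTP/1.1" 404 343
xxx.2xx.89.16 - - [09/May/2016:11:41:38 -0400] "GET /CVS/Entries HTTP/1.1" 404 344
xxx.2xx.89.16 - - [09/May/2016:11:41:38 -0400] "GET /NonExistant1380414953/ HTTP/1.1" 404 355
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status, size = m.groups()
    return {"src": src, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status),
            "bytes": 0 if size == "-" else int(size)}


def scan_report(log_text=SAMPLE_LOG, min_not_found=5, max_span_seconds=60):
    """Per source: 404 count, distinct 404 paths, time span and a verdict."""
    per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["src"], {"not_found": 0, "paths": set(),
                                            "first": rec["time"], "last": rec["time"]})
        s["first"], s["last"] = min(s["first"], rec["time"]), max(s["last"], rec["time"])
        if rec["status"] == 404:
            s["not_found"] += 1
            s["paths"].add(rec["path"])
    report = {}
    for src, s in per_src.items():
        span = (s["last"] - s["first"]).total_seconds()
        report[src] = {"not_found": s["not_found"], "distinct_paths": len(s["paths"]),
                       "span_seconds": span,
                       "suspicious": s["not_found"] >= min_not_found and span <= max_span_seconds}
    return report


if __name__ == "__main__":
    for src, r in scan_report().items():
        print(src, r)
```

Both sources are flagged here; in production the same per-source counters would be kept over a sliding window, and the distinct-path count is what separates a scanner from a single broken link being hit repeatedly.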
Netflow logs
▪ Used by equipment vendors to collect IP traffic information
▪ Developed by CISCO
▪ Can infer existence of web server at 222.243 in example
▪ Watch for
▪ Unusual ports
▪ Excessive traffic volumes
▪ May indicate illegal downloads
Date Time Source Port Destination Port Proto Packets Bytes
2016-10-01 00:11:19.285 66.2xx.71.155 34340 1xx.2xx.222.243 443 TCP 1 60
2016-10-01 00:11:46.659 61.1xx.172.2 35590 1xx.2xx.222.243 80 TCP 1 48
2016-10-01 00:18:58.992 71.xx.61.163 55194 1xx.2xx.222.243 80 TCP 3 152
2016-10-01 00:18:59.594 66.2xx.71.155 36614 1xx.2xx.222.243 443 TCP 3 180
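The two things the slide says to read out of flow records, which services a host is really offering and which flows stand out by port or by volume, can be done with a few lines once the records are parsed. The following is an added example, not from the slides: it parses the four rows above exactly as printed, infers the live (destination, port) pairs, and flags flows on unexpected destination ports or above a byte threshold. Because the slide's rows are all ordinary web traffic, two additional rows are constructed (and marked as such) to show the checks firing.

```python
"""Added example: parse flow records, infer services, flag unusual flows."""

# The four rows from the slide, verbatim.
SLIDE_FLOWS = """\
2016-10-01 00:11:19.285 66.2xx.71.155 34340 1xx.2xx.222.243 443 TCP 1 60
2016-10-01 00:11:46.659 61.1xx.172.2 35590 1xx.2xx.222.243 80 TCP 1 48
2016-10-01 00:18:58.992 71.xx.61.163 55194 1xx.2xx.222.243 80 TCP 3 152
2016-10-01 00:18:59.594 66.2xx.71.155 36614 1xx.2xx.222.243 443 TCP 3 180
"""

# Constructed rows (not on the slide): an IRC-style port and a very large transfer.
EXTRA_FLOWS = """\
2016-10-01 00:25:03.118 66.2xx.71.155 40122 1xx.2xx.222.243 6667 TCP 42 3900
2016-10-01 00:31:44.502 1xx.2xx.222.243 51834 198.51.100.9 443 TCP 88120 131058840
"""

FIELDS = ("date", "time", "src", "sport", "dst", "dport", "proto", "packets", "bytes")


def parse_flows(text):
    """Turn whitespace-separated flow rows into dicts with numeric ports and counters."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for key in ("sport", "dport", "packets", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def services_seen(flows):
    """(destination, port) -> number of flows; shows which servers and ports are live."""
    counts = {}
    for f in flows:
        key = (f["dst"], f["dport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def flag_flows(flows, expected_ports=(80, 443), max_bytes=100_000_000):
    """Return (flow, reason) pairs for unusual ports and excessive volumes."""
    flagged = []
    for f in flows:
        # A flow is 'on an expected port' if either end uses one (server replies
        # appear with the well-known port as the source).
        if f["dport"] not in expected_ports and f["sport"] not in expected_ports:
            flagged.append((f, "unusual port %d" % f["dport"]))
        if f["bytes"] > max_bytes:
            flagged.append((f, "excessive volume: %d bytes" % f["bytes"]))
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SLIDE_FLOWS + EXTRA_FLOWS)
    for (dst, port), n in sorted(services_seen(flows).items()):
        print("service %s:%d  flows=%d" % (dst, port, n))
    for f, reason in flag_flows(flows):
        print("FLAG %s %s -> %s:%d  %s" % (f["date"], f["src"], f["dst"], f["dport"], reason))
```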
General log configuration and maintenance
▪ Default settings may not be most appropriate for your organization
▪ Different audiences have different needs
▪ Security analyst cares for login and logout information
▪ First task
▪ Determine the audience
▪ Who will be interested in seeing the logs?
▪ Is there a compliance issue that requires the logs to be set up and record a specific activity? E.g.
▪ Legal requirement to record any and all access to Social Security Numbers stored in database?
▪ Legal requirement to maintain log information for a certain number of days?
General log configuration and maintenance
▪ Example
▪ Security event log
▪ Records all successful logins
▪ Log will fill up quickly
▪ And rotate
▪ Options
▪ Increase log file size
▪ Do not log successful logins
▪ Miss attacker history
▪ Rotate and archive old files
Log consolidation
▪ Exporting logs from the original machine to a central box dedicated to log collection
▪ Best option for security and compliance
▪ Allows easier correlation of logs between different computers
▪ Analyst does not have to go around gathering things
▪ Easy to see all connection attempts from one particular IP
▪ Experienced attackers clear and disable all logs
▪ Clear tracks
▪ Exporting logs in real time to another machine retains pristine copy
▪ Even if local logs are corrupted
▪ Prevents accidental deletion
▪ Can develop access policies for log machines
[Diagram: Server A access logs, Computer B access logs, network router logs and database logs feeding one consolidated logs store]
Fooling auditors
▪ Log manipulations
▪ Erasing logs
▪ Playing with data
▪ Dual booting
▪ Absent data
▪ Modification of the files
▪ File metadata
▪ NTFS journal
▪ Deleting files
Dirty Games
▪ Keeping data secret
▪ Extension change
▪ Joining files
▪ Alternative data streams
▪ Embedding
▪ Playing with the content
▪ Steganography
▪ Hiding data
▪ Encryption
MAC times
▪ Modification, Access and Creation times
▪ Associated with data files
▪ Modification Time
▪ Indicates the time the file was last modified
▪ Access Time
▪ Points to the time the file was last accessed or read
▪ Not very trustworthy
▪ Affected by virus scanners, disk defrag applications etc
▪ Hence often disabled by system administrators to improve file system performance
▪ Creation Time
▪ Time when the file was created
MAC times – contd.
▪ Assume netflow logs reveal a suspicious SSH connection to a server
▪ Netflow log gives timestamp associated with the connection
▪ Also reveals lot of data was dropped on the system
▪ Need to identify “what” was dropped
▪ How to search?
▪ Build server file timeline
▪ Determine files created around the time found on the netflow logs
▪ File → right click → Properties
▪ Or Windows Explorer for a whole directory
▪ To examine an entire drive
▪ Forensic utilities are useful
▪ E.g. mac_robber
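The search described on this slide, a file timeline narrowed to the minutes around a timestamp taken from netflow, is mechanical once the MAC times are in a table. As an added example (not mac_robber's code and not from the slides), the Python below builds a timeline from mac_robber-style records and returns the files with a creation or modification event inside a window around the connection time. The file records and the SSH timestamp are constructed; access times are excluded from the default search for the reason given on the previous slide, namely that scanners and defragmenters rewrite them, but can be opted back in.

```python
"""Added example: file timeline from MAC times, windowed around a netflow timestamp."""
from datetime import datetime, timedelta

# Constructed mac_robber-style records: (path, mtime, atime, ctime), all UTC.
SAMPLE_FILES = [
    ("/var/www/html/index.html", "2016-10-01 00:05:10", "2016-10-01 00:19:01", "2015-03-12 09:00:00"),
    ("/tmp/.x/sshd",             "2016-10-01 00:19:30", "2016-10-01 00:19:31", "2016-10-01 00:19:30"),
    ("/tmp/.x/config.tgz",       "2016-10-01 00:20:02", "2016-10-01 00:20:02", "2016-10-01 00:20:02"),
    ("/etc/passwd",              "2016-09-30 17:40:00", "2016-10-01 00:19:40", "2014-01-01 00:00:00"),
    ("/home/alice/report.docx",  "2016-10-01 03:15:00", "2016-10-01 03:15:00", "2016-10-01 03:14:58"),
]

# Constructed timestamp of the suspicious SSH flow, modelled on the slide's flow table.
NETFLOW_SSH_TIMESTAMP = "2016-10-01 00:18:58"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_timeline(files=SAMPLE_FILES):
    """Return [(timestamp, kind, path)] sorted by time; kind is 'm', 'a' or 'c'."""
    rows = []
    for path, mtime, atime, ctime in files:
        for kind, ts in (("m", mtime), ("a", atime), ("c", ctime)):
            rows.append((parse_ts(ts), kind, path))
    rows.sort()
    return rows


def files_near(timeline, anchor, window_minutes=5, kinds=("m", "c")):
    """Paths with an event of the given kinds within +/- window of the anchor time.
    Access times ('a') are left out by default because they are not trustworthy."""
    anchor = parse_ts(anchor) if isinstance(anchor, str) else anchor
    delta = timedelta(minutes=window_minutes)
    hits = {}
    for ts, kind, path in timeline:
        if kind in kinds and abs(ts - anchor) <= delta:
            hits.setdefault(path, []).append((kind, ts.strftime("%H:%M:%S")))
    return hits


if __name__ == "__main__":
    timeline = build_timeline()
    for path, events in files_near(timeline, NETFLOW_SSH_TIMESTAMP).items():
        print(path, events)
```

On the constructed data the window around the SSH flow isolates the two files under /tmp/.x; widening `kinds` to include access times also pulls in /etc/passwd and the web root's index page, which shows why the default search leaves access times out and treats them as corroboration only.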
Timelines
▪ Used to visualize all information about an incident
▪ Big part of forensics work
▪ Developing timelines on multiple machines
▪ Correlating them with each other and with network logs
▪ Example shows simple timeline
▪ 1 of 5 different servers involved in an incident in 2006
▪ Resulting report 15 pages long
▪ Questionable activities on Kenya server corroborated on other servers
▪ Scans initiated on Kenya detected on Server A and vice versa.
▪ Entire timeline built from log files found on the five servers
Sysmon
▪ Entry information
▪ Allows you to build an attack timeline
▪ Allows you to define an entry point and anomalies
▪ Collects and records system events to the Windows event log (Microsoft-Windows-Sysmon/Operational)
▪ It is free and easy to set up
Good practices
▪ Filter out uninteresting events (image loads etc.)
▪ Make sure the event log is big enough
▪ Centralize the events on a separate server
▪ You can download Sysmon from Sysinternals.com
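Once Sysmon is in place, "defining the entry point" means walking from an anomalous process back up its parents until you reach a process whose parent is outside the collected data. The script below is an added example for this section, not CQURE's or Sysinternals' code. It reads process-creation records (Event ID 1) in the XML shape that `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` exports, rebuilds the process tree by ProcessGuid, flags a few classic anomalies and prints the ancestry of each one. The records embedded here are constructed and trimmed to the fields the code reads; the anomaly rules (Office spawning a script host, encoded PowerShell, images under user-writable paths) are this example's own choices, not a Sysmon feature.

```python
"""Rebuild a process tree from Sysmon Event ID 1 records and find entry points.

Added example (not CQURE's or Sysinternals' code). Input is the event XML
exported by `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`.
SAMPLE_EVENTS is constructed and abbreviated: only the EventData fields the
code reads are present. The anomaly rules are illustrative, not Sysmon's.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EV = "http://schemas.microsoft.com/win/2004/08/events/event"

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData><Data Name="UtcTime">2024-01-10 08:02:11.000</Data><Data Name="ProcessGuid">{A-1}</Data><Data Name="Image">C:\Program Files\Microsoft Office\OUTLOOK.EXE</Data><Data Name="CommandLine">OUTLOOK.EXE</Data><Data Name="ParentProcessGuid">{A-0}</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData><Data Name="UtcTime">2024-01-10 08:05:30.000</Data><Data Name="ProcessGuid">{A-2}</Data><Data Name="Image">C:\Program Files\Microsoft Office\WINWORD.EXE</Data><Data Name="CommandLine">WINWORD.EXE /n invoice.docm</Data><Data Name="ParentProcessGuid">{A-1}</Data><Data Name="ParentImage">C:\Program Files\Microsoft Office\OUTLOOK.EXE</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID></System><EventData><Data Name="UtcTime">2024-01-10 08:05:31.000</Data><Data Name="ProcessGuid">{A-2}</Data><Data Name="DestinationIp">203.0.113.9</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData><Data Name="UtcTime">2024-01-10 08:05:42.000</Data><Data Name="ProcessGuid">{A-3}</Data><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="CommandLine">powershell -nop -w hidden -enc SQBFAFgA</Data><Data Name="ParentProcessGuid">{A-2}</Data><Data Name="ParentImage">C:\Program Files\Microsoft Office\WINWORD.EXE</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData><Data Name="UtcTime">2024-01-10 08:06:03.000</Data><Data Name="ProcessGuid">{A-4}</Data><Data Name="Image">C:\Users\Public\update.exe</Data><Data Name="CommandLine">update.exe -s</Data><Data Name="ParentProcessGuid">{A-3}</Data><Data Name="ParentImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData><Data Name="UtcTime">2024-01-10 08:00:00.000</Data><Data Name="ProcessGuid">{A-5}</Data><Data Name="Image">C:\Windows\System32\svchost.exe</Data><Data Name="CommandLine">svchost.exe -k netsvcs</Data><Data Name="ParentProcessGuid">{A-9}</Data><Data Name="ParentImage">C:\Windows\System32\services.exe</Data></EventData></Event>
</Events>"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_sysmon(xml_text):
    """Return {ProcessGuid: record} for every Event ID 1 in the export."""
    procs = {}
    for ev in ET.fromstring(xml_text).iter(f"{{{EV}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue  # only process creation builds the tree
        d = {x.get("Name"): (x.text or "") for x in ev.iterfind("e:EventData/e:Data", NS)}
        procs[d["ProcessGuid"]] = {
            "guid": d["ProcessGuid"], "time": d["UtcTime"], "image": d["Image"],
            "command_line": d["CommandLine"], "parent_guid": d["ParentProcessGuid"],
            "parent_image": d["ParentImage"],
        }
    return procs


def flag_anomalies(procs):
    """{guid: [reasons]} for processes matching the illustrative rules."""
    flagged = {}
    for guid, p in procs.items():
        reasons = []
        if basename(p["parent_image"]) in OFFICE and basename(p["image"]) in SCRIPT_HOSTS:
            reasons.append("script host spawned by an Office application")
        cl = " " + p["command_line"].lower() + " "
        if " -enc " in cl or " -encodedcommand " in cl:
            reasons.append("encoded PowerShell command line")
        if any(seg in p["image"].lower() for seg in USER_WRITABLE):
            reasons.append("image runs from a user-writable directory")
        if reasons:
            flagged[guid] = reasons
    return flagged


def ancestry(procs, guid):
    """Records from the earliest known ancestor down to `guid` (root first)."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)          # guard against GUID reuse loops in bad data
        chain.append(procs[guid])
        guid = procs[guid]["parent_guid"]
    return list(reversed(chain))


def entry_point(procs, guid):
    """The first process in the chain whose parent is not in the collected data."""
    return ancestry(procs, guid)[0]


def timeline(procs):
    """Process creations in UtcTime order (the Sysmon format sorts lexically)."""
    return sorted(procs.values(), key=lambda p: p["time"])


if __name__ == "__main__":
    procs = parse_sysmon(SAMPLE_EVENTS)
    for p in timeline(procs):
        print(p["time"], p["image"], "<-", p["parent_image"])
    for guid, reasons in flag_anomalies(procs).items():
        print("\nANOMALY", guid, "; ".join(reasons))
        print("  chain:", " -> ".join(basename(r["image"]) for r in ancestry(procs, guid)))
        print("  entry point:", entry_point(procs, guid)["image"])
```

On a real export the parent of the entry point is usually explorer.exe or a service, which tells you whether the foothold came from something the user opened or from something that was already running; the ProcessGuid (not the reusable ProcessId) is what makes the chain reliable across reboots and PID reuse.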


Other forensics topics
▪ IT forensics is an extremely broad topic
▪ Proficiency only comes with experience
▪ Training is a constant
▪ Computerized devices with network ability expand constantly
▪ E.g. smartphones to smart thermostats
▪ New developments worth mentioning
▪ Cloud storage such as Dropbox
▪ Files stored on Dropbox are almost immediately shared with multiple computers
▪ Files “deleted” from a computer's Dropbox folder are not deleted on the Dropbox web portal
▪ Easily restored from the portal's deleted-file history
▪ Question
▪ How much access does an investigator have to Dropbox logs? Would it require a subpoena?
Summary
▪ Sources of information within popular operating systems
▪ Extracting information from specific systems
▪ Creating timelines indicating the pattern of an event
▪ Examples of evidence of attack on multiple applications
Thank You!
If you have questions email us at info@cqureacademy.com
You can also chat us up on the page https://cqureacademy.com/
CQURE Academy
MASTERCLASS: SYSTEM FORENSICS AND INCIDENT
HANDLING
Paula Januszkiewicz
CQURE: CEO, Penetration Tester; Cybersecurity Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Microsoft Regional Director
www.cqureacademy.com
paula@cqure.us

@paulacqure
@CQUREAcademy