Reconstructing Events through Analysis
Develop footprints to identify tools, techniques and actors
Using Volatility and external tools
Theories + Information = ????
WinTimeStamp
UnixTimeStamp
DosDate
System Time
Process start and end times
Thread start and end times
Symlink creation
Registry key
Disk Artifacts
MRU Lists
PE compilation time
Socket creation
Event logs
Timeliner: timeliner --output-file=timeliner.txt --output=body
Mftparser: mftparser --output-file=mft.txt --output=body
Shellbags: shellbags --output-file=shellbags.txt --output=body
Creates a timeline from various artifacts in memory
Extracts a large number of artifacts and offers several output options
Timestamps are in UTC by default! --tz for timezone
Output
--type=EvtLog,IEHistory,ImageDate,LoadTime,Process,Shimcache,Socket,Symlink,Thread,TimeDateStamp,Userassist,_CMHIVE,_CM_KEY_BODY,_HBASE_BLOCK
[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner
2010-06-25 12:42:00 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\ln.exe| End: 2010-10-08 03:59:17 UTC+0000
2010-08-31 08:01:28 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\mkgroup.exe| End: 2010-10-08 03:58:54 UTC+0000
2010-08-31 08:01:28 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\mkpasswd.exe| End: 2010-10-08 03:58:54 UTC+0000
2010-06-25 12:41:49 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\cp.exe| End: 2010-10-08 03:59:17 UTC+0000
2010-06-25 12:42:09 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\rm.exe| End: 2010-10-08 03:59:05 UTC+0000
1970-01-01 00:00:00 UTC+0000|[SHIMCACHE]| C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll| End: 2010-08-27 14:49:18 UTC+0000
2010-06-25 12:41:47 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\chgrp.exe| End: 2010-10-08 03:58:54 UTC+0000
2009-03-30 16:23:54 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\install-info.exe| End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:41:52 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\dirname.exe| End: 2010-10-08 03:59:16 UTC+0000
2010-08-13 16:58:31 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\sh.exe| End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:42:18 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\test.exe| End: 2010-10-08 03:59:15 UTC+0000
2007-07-23 21:14:24 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\gzip.exe| End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:41:53 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\echo.exe| End: 2010-10-08 03:59:17 UTC+0000
2010-06-25 12:42:19 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\touch.exe| End: 2010-10-08 03:59:17 UTC+0000
[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner --type=EvtLog
Volatility Foundation Volatility Framework 2.4
2010-08-22 17:34:29 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/RSVP;QoS RSVP
2010-08-22 17:34:42 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/PSched;PSched
2010-08-22 17:34:44 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/RemoteAccess;Routing and Remote Access
2010-08-22 17:34:56 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/TermService;Terminal Services
2010-08-22 17:34:57 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/MSDTC;MSDTC
2010-08-22 17:34:57 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/MSDTC/4104/Info/N/A
[snip]
mactime options:
-b <body file>
-d <each line comma delimited>
-z <timezone>
[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner --type=EvtLog --output=body --output-file=stuxnetEvents.body
[root&windows]#mactime -b stuxnetEvents.body -d -z UTC
Date,Size,Type,Mode,UID,GID,Meta,File Name
Sun Aug 22 2010 13:32:25,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/EventLog/6005/Info/N/A"
Sun Aug 22 2010 13:32:25,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/EventLog/6009/Info/5.01.;2600;Service Pack 3;Uniprocessor Free"
Sun Aug 22 2010 13:32:54,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/Serial/2/Info/\Device\Serial0;\Device\Serial0"
Sun Aug 22 2010 13:32:54,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/Serial/2/Info/\Device\Serial1;\Device\Serial1"
[snip]
Shows a human readable timestamp and the event
Also shows which timestamp (m/a/c/b) each row represents
Several MFT artifacts can be used for timelining:
NTFS $STANDARD_INFORMATION
Prefetch files
Trashed Files
MFT
[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 mftparser -D . --output=body --output-file=stuxnetMFT
Volatility Foundation Volatility Framework 2.4
Scanning for MFT entries and building directory, this can take a while
[root&windows]#mactime stuxnetMFT | tail
Thu Jun 02 2011 21:28:33 0 mac. -h-a----------- 0 0 10544 [MFT STD_INFO] DOCUME~1\Administrator\NTUSER~1.LOG (Offset: 0x3f7b000)
Thu Jun 02 2011 21:29:13 0 .a.. --------------- 0 0 82621 [MFT STD_INFO] Python26\Lib\lib2to3 (Offset: 0x15b45400)
0 .a.. --------------- 0 0 82632 [MFT STD_INFO] Python26\Lib\lib2to3\tests (Offset: 0x1eb87000)
0 .a.. --------------- 0 0 82643 [MFT STD_INFO] Python26\Lib\lib2to3\tests\data (Offset: 0x1ea89c00)
0 .a.. --------------- 0 0 82650 [MFT STD_INFO] Python26\Lib\lib2to3\tests\data\fixers (Offset: 0x11e4b800)
Thu Jun 02 2011 21:30:14 0 .a.. r-------------- 0 0 6279 [MFT STD_INFO] DOCUME~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1 (Offset: 0x236bc00)
Thu Jun 02 2011 21:31:35 0 .a.. r--a----------- 0 0 10932 [MFT STD_INFO] PROGRA~1\VMware\VMWARE~1\SUSPEN~1.BAT (Offset: 0x3fd6000)
389120 .ac. ---a----------- 0 0 2121 [MFT STD_INFO] WINDOWS\system32\cmd.exe (Offset: 0x3f44400)
0 .a.. ---a----------- 0 0 94638 [MFT STD_INFO] Documents and Settings\Administrator\Desktop\IDAPRO~1.LNK (Offset: 0x3fe9800)
Thu Jun 02 2011 21:31:36 0 m.c. -h-a----------- 0 0 3646 [MFT STD_INFO] WINDOWS\system32\config\software.LOG (Offset: 0x40c1800)
Prefetch: execution results
Shimcache registry keys
Network Activity
Job files
Registry Keys
Disk Artifacts
Shellbags
Walk-through from the text.
Starts @ Page 543
Forensics challenge hosted by Jack Crook for 2012 DFIR Challenge
An organization is the victim of a targeted attack and attackers moved between machines.
An IDS alert flagged traffic from ENG-USTXHOU-148 to an IP 58.64.132.141
Machines:
Combine timeliner from multiple machines!
--machine adds a name to the timeline header
[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin --profile=Win2003SP0x86 mftparser --output=body -D IIS_FILES/ --machine=IIS --output-file=challenge/IIS_mft.body
[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin --profile=Win2003SP0x86 timeliner --output=body --machine=IIS --output-file=challenge/IIS_timeliner.body
[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin --profile=Win2003SP0x86 shellbags --output=body --machine=IIS --output-file=challenge/IIS_shellbags.body
Do the same for all three machines...
Extract data from
Can be run against disk images or files that have been dumped from the image
log2timeline can create a timeline from data in a pcap
[root&jackcr-challenge]#log2timeline -f pcap -z UTC jackcr-challenge.pcap -w IIS_pcap.body
[root&challenge]#cat IIS_* >> IIS_logs.body
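The body format that `--output=body` writes and mactime reads is worth understanding before merging machines, so here is an added Python example (not the slides' code, not Volatility or mactime) that parses body lines, derives the m/a/c/b flags the way mactime does, tags each record with a machine name as `--machine` does, and prints the `mactime -d` layout. The sample body lines are constructed to mirror the page's output and are not real plugin output.

```python
"""mactime-style timeline from Sleuth Kit body files (added example; not the
slides' code and not Volatility or mactime). Body lines are constructed here
to mirror the page's output, they are not real plugin output."""
from datetime import datetime, timezone

# Sleuth Kit 3.x body format, one record per line, pipe-delimited.
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
TIME_FLAGS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body_line(line):
    """Split one body line into a dict; the four epoch fields become ints."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError(f"expected {len(BODY_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(BODY_FIELDS, parts))
    for _, field in TIME_FLAGS:
        rec[field] = int(rec[field])
    return rec


def tag_machine(name, machine):
    """Mimic timeliner --machine: '[MFT FILE_NAME] x' -> '[ENG MFT FILE_NAME] x'."""
    if machine and name.startswith("["):
        return f"[{machine} {name[1:]}"
    return name


def macb_events(rec):
    """Yield (epoch, flags) for each distinct non-zero timestamp of a record.

    mactime prints one row per distinct time and marks which of the four
    fields equal it: 'macb' when all four do, '.ac.' when only atime and
    ctime do, and so on. A zero timestamp means 'unknown' and is skipped.
    """
    by_time = {}
    for flag, field in TIME_FLAGS:
        if rec[field]:
            by_time.setdefault(rec[field], set()).add(flag)
    for epoch in sorted(by_time):
        yield epoch, "".join(f if f in by_time[epoch] else "." for f, _ in TIME_FLAGS)


def build_timeline(sources, tz=timezone.utc):
    """sources: iterable of (machine_tag, body_text). Returns rows sorted by time
    as (Date, Size, Type, Mode, UID, GID, Meta, File Name), the columns of
    'mactime -d'. Dates are rendered in tz (mactime -z); UTC by default."""
    events = []
    for machine, text in sources:
        for line in text.splitlines():
            if line.strip():
                rec = parse_body_line(line)
                name = tag_machine(rec["name"], machine)
                for epoch, flags in macb_events(rec):
                    events.append((epoch, name, flags, rec))
    events.sort(key=lambda e: (e[0], e[1]))
    rows = []
    for epoch, name, flags, rec in events:
        date = datetime.fromtimestamp(epoch, tz).strftime("%a %b %d %Y %H:%M:%S")
        rows.append((date, rec["size"], flags, rec["mode"], rec["uid"],
                     rec["gid"], rec["inode"], name))
    return rows


def render_csv(rows):
    """Same layout as 'mactime -d': header line, then quoted file name last."""
    header = "Date,Size,Type,Mode,UID,GID,Meta,File Name"
    return "\n".join([header] + [",".join(r[:-1]) + f',"{r[-1]}"' for r in rows])


# Constructed sample body lines (values modelled on the page; epochs chosen so
# that 1353970914 is Mon Nov 26 2012 23:01:54 UTC).
ENG_BODY = (
    "0|[IEHISTORY] explorer.exe->Visited: callb@http://58.64.132.8/download/"
    "Symantec-1.43-1.exe|0|---------------|0|0|0|1353970913|1353970913|1353970913|1353970913\n"
    "0|[MFT FILE_NAME] WINDOWS\\Prefetch\\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)"
    "|11722|---a-------I---|0|0|0|1353970914|1353970914|1353970914|1353970914\n"
    # mtime differs from atime/ctime and crtime is unknown: yields 'm...' and '.ac.' rows
    "0|[MFT STD_INFO] WINDOWS\\system32\\6to4ex.dll (Offset: 0x324c800)"
    "|8610|-h-------------|0|0|100895|1353970914|1353888000|1353970914|0\n"
)
FLD_BODY = (
    "0|[MFT FILE_NAME] WINDOWS\\system1.bat (Offset: 0x1787f000)"
    "|0|---a-----------|0|0|0|1353976299|1353976299|1353976299|1353976299\n"
)

if __name__ == "__main__":
    print(render_csv(build_timeline([("ENG", ENG_BODY), ("FLD", FLD_BODY)])))
```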
ENG-USTXHOU-148 was in the IDS alert, talking to IP 58.64.132.141
PID 1024 has two connections to 58.64.132.141
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin imageinfo
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.4
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0 1.0.0.0:0 36569092
0x01ffa850 172.16.150.20:1291 58.64.132.141:80 1024
0x0201f850 172.16.150.20:1292 172.16.150.10:445 4
0x02084e68 172.16.150.20:1281 172.16.150.10:389 628
0x020f8988 172.16.150.20:2862 172.16.150.10:135 696
0x02201008 172.16.150.20:1280 172.16.150.10:389 628
0x18615850 172.16.150.20:1292 172.16.150.10:445 4
0x189e8850 172.16.150.20:1291 58.64.132.141:80 1024
0x18a97008 172.16.150.20:1280 172.16.150.10:389 628
0x18b8e850 0.0.0.0:0 1.0.0.0:0 36569092
0x18dce988 172.16.150.20:2862 172.16.150.10:135 696
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 pslist -p 1024
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x820b3da0 svchost.exe 1024 680 76 1645 0 0 2012-11-26 22:03:32 UTC+0000
Using the ENG_logs.body file we generated, let's look at prefetch files
[root&challenge]#grep -i pf ENG_logs.body | grep -i exe | cut -d\| -f2
[ENG MFT FILE_NAME] WINDOWS\Prefetch\NETEXE~1.PF (Offset: 0x12d588)
[ENG MFT STD_INFO] WINDOWS\Prefetch\NETEXE~1.PF (Offset: 0x12d588)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf (Offset: 0x12d588)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SLEXE-~1.PF (Offset: 0x311400)
[ENG MFT STD_INFO] WINDOWS\Prefetch\SLEXE-~1.PF (Offset: 0x311400)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SL.EXE-010E2A23.pf (Offset: 0x311400)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\GSEXE-~1.PF (Offset: 0x311800)
[ENG MFT STD_INFO] WINDOWS\Prefetch\GSEXE-~1.PF (Offset: 0x311800)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\GS.EXE-3796DDD9.pf (Offset: 0x311800)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\PING.EXE-31216D26.pf (Offset: 0x311c00)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\MDDEXE~1.PF (Offset: 0x230ed10)
[ENG MFT STD_INFO] WINDOWS\Prefetch\MDDEXE~1.PF (Offset: 0x230ed10)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\MDD.EXE-07B34726.pf (Offset: 0x230ed10)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf (Offset: 0x3234c00)
[snip]
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)
Some look suspicious: SL.EXE, GS.EXE, PS.EXE and SYMANTEC-1.43-1[2].EXE.
There is also AT.exe (scheduling), PING and NET.
Note: grep thought I had a binary file (hence the tr -d '\000' below)
[root&challenge]#mactime -b ENG_logs.body -d -z UTC > ENG_logsOrdered.body
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i symantec
26 2012 23:01:53,macb,[ENG IEHISTORY] explorer.exe->Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe PID: 284/Cache type "URL " at 0x2895000
Mon Nov 26 2012 23:01:54,0,macb,---a-------I---,0,0,11722,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset
Download of Symantec-1.43-1.exe at 23:01:53 and execution of it at 23:01:54
[root&challenge]#whois 58.64.132.8
[snip]
address: Hong Kong
[snip]
Running strings on the memdump shows an e-mail with the link to the Symantec executable
[root&jackcr-challenge]#strings -td -a ENG-USTXHOU-148/memdump.bin > ENG_strings.txt
[root&jackcr-challenge]#cat ENG_strings.txt | grep -i received:
34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
[root&jackcr-challenge]#cat ENG_strings.txt | grep 34435239 -B 1 -A 100
34435204 Mon, 26 Nov 2012 14:00:08 -0600
34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
34435306 by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
34435388 Mon, 26 Nov 2012 15:00:07 -0500
34435422 Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
34435477 From: "Security Department" <[email protected]>
34435531 To: <[email protected]>, <[email protected]>,
34435588 <[email protected]>
34435624 Subject: Immediate Action
34435651 Date: Mon, 26 Nov 2012 14:59:38 -0500
34435690 MIME-Version: 1.0
34435709 Content-Type: multipart/alternative;
34435747 boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
34435802 X-Priority: 3
34435817 X-MSMail-Priority: Normal
34435844 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
34435896 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
34435954 Return-Path: [email protected]
34435991 X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
34436078 This is a multi-part message in MIME format.
34436126 ------=_NextPart_000_0015_01CDCBE6.A7B92DE0
34436171 Content-Type: text/plain;
34436198 charset="iso-8859-1"
34436221 Content-Transfer-Encoding: quoted-printable
34436268 Attn: Immediate Action is Required!!
34436308 The IS department is requiring that all associates update to the new =
34436380 version of anti-virus. This is critical and must be done ASAP! Failure =
34436456 to update anti-virus may result in negative actions.
34436512 Please download the new anti-virus and follow the instructions. Failure =
34436588 to install this anti-virus may result in loosing your job!
34436650 Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
34436720 Regards,
34436730 The IS Department
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i 23:01:54
Mon Nov 26 2012 23:01:54,0,macb,---a-------I---,0,0,11722,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)"
Mon Nov 26 2012 23:01:54,100895,.ac.,---a-----------,0,0,8610,"[ENG MFT FILE_NAME] WINDOWS\system32\6to4ex.dll (Offset: 0x324c800)"
Mon Nov 26 2012 23:01:54,100895,.ac.,-h-------------,0,0,8610,"[ENG MFT STD_INFO] WINDOWS\system32\6to4ex.dll (Offset: 0x324c800)"
6to4ex.dll seems odd...
Extract registry hives with dumpfiles and use timeline.py from python-registry
#!/bin/bash
# Dump the registry hives out of the memory image with dumpfiles, run
# python-registry's timeline.py over each hive, and tag the resulting body
# lines with the short machine name (ENG) so they merge cleanly.
volatility=/opt/volatility-2.4/volatility-2.4/vol.py
timeline=/opt/python-registry/sample/timeline.py
file=jackcr-challenge/ENG-USTXHOU-148/memdump.bin
loc=challenge/REG/ENG-USTXHOU-148      # no trailing slash: $loc.temp lands beside the dir
short=$(echo ENG-USTXHOU-148 | cut -d- -f1)
mkdir -p "$loc"
for i in config.system config.security config.sam \
         config.default config.software ntuser.dat usrclass.dat
do
    # -r takes a regex; the escaped $ anchors the match at the end of the path
    $volatility -f "$file" --profile WinXPSP2x86 dumpfiles -i -r "$i\$" -D "$loc"
done
find "$loc" -type f -exec python "$timeline" --body '{}' \; >> "$loc.temp"
sed "s/\[Registry None/\[$short Registry/" "$loc.temp" >> "$loc.registry.body"
rm "$loc.temp"
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i 23:01:54
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry] $$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_6TO4
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry] $$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_6TO4\0000
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry] $$$PROTO.HIV\ControlSet001\Services\6to4\Parameters
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry] $$$PROTO.HIV\ControlSet001\Services\6to4\Security
DLL runs inside svchost.exe
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 printkey -K "ControlSet001\Services\6to4"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: 6to4 (S)
Last updated: 2012-11-26 23:01:55 UTC+0000
Subkeys:
(S) Parameters
(S) Security
(V) Enum
Values:
REG_DWORD Type : (S) 288
REG_DWORD Start : (S) 2
REG_DWORD ErrorControl : (S) 1
REG_EXPAND_SZ ImagePath : (S) %SystemRoot%\System32\svchost.exe -k netsvcs
REG_SZ DisplayName : (S) Microsoft Device Manager
REG_SZ ObjectName : (S) LocalSystem
REG_SZ Description : (S) Service Description
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 printkey -K "ControlSet001\Services\6to4\Parameters"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: Parameters (S)
Last updated: 2012-11-26 23:01:54 UTC+0000
Subkeys:
Values:
REG_EXPAND_SZ ServiceDll : (S) C:\WINDOWS\system32\6to4ex.dll
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep 23:01:54
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 276
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 508
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 528
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 536
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 652
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 936
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 dlllist -p 1024
Volatility Foundation Volatility Framework 2.4
************************************************************************
svchost.exe pid: 1024
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 3
Base Size LoadCount Path
---------- ---------- ---------- ----
0x01000000 0x6000 0xffff C:\WINDOWS\System32\svchost.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
[snip]
0x10000000 0x1c000 0x1 c:\windows\system32\6to4ex.dll
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 svcscan
Offset: 0x389d60
Order: 228
Start: SERVICE_AUTO_START
Process ID: 1024
Service Name: 6to4
Display Name: Microsoft Device Manager
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
ipconfig.exe was used...
Mon Nov 26 2012 23:03:21,55808,.a..,---a-----------,0,0,24145,"[ENG MFT STD_INFO] WINDOWS\system32\ipconfig.exe (Offset: 0xc826400)"
WINDOWS/webui appears
Mon Nov 26 2012 23:03:10,macb,[ENG MFT FILE_NAME] WINDOWS\webui (Offset: 0x1bc21000)
net.exe was used
Mon Nov 26 2012 23:07:53,macb,[ENG MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf (Offset: 0x12d588)
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i webui
Mon Nov 26 2012 23:03:10,0,macb,-------------D-,0,0,7556,"[ENG MFT FILE_NAME] WINDOWS\webui (Offset: 0x1bc21000)"
Mon Nov 26 2012 23:03:10,0,...b,---------------,0,0,7556,"[ENG MFT STD_INFO] WINDOWS\webui (Offset: 0x1bc21000)"
Mon Nov 26 2012 23:06:47,0,macb,---a-----------,0,0,11719,"[ENG MFT FILE_NAME] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:47,0,...b,---a-----------,0,0,11719,"[ENG MFT STD_INFO] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:48,0,mac.,---a-----------,0,0,11719,"[ENG MFT STD_INFO] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:52,0,macb,---a-----------,0,0,11723,"[ENG MFT FILE_NAME] WINDOWS\webui\ra.exe (Offset: 0x17779c00)"
Mon Nov 26 2012 23:06:52,0,macb,---a-----------,0,0,11723,"[ENG MFT STD_INFO] WINDOWS\webui\ra.exe (Offset: 0x17779c00)"
Mon Nov 26 2012 23:06:56,0,macb,---a-----------,0,0,11724,"[ENG MFT FILE_NAME] WINDOWS\webui\sl.exe (Offset: 0x1f5ff000)"
Mon Nov 26 2012 23:06:56,0,macb,---a-----------,0,0,11724,"[ENG MFT STD_INFO] WINDOWS\webui\sl.exe (Offset: 0x1f5ff000)"
Mon Nov 26 2012 23:06:59,0,macb,---a-----------,0,0,11725,"[ENG MFT FILE_NAME] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"
Mon Nov 26 2012 23:06:59,0,m.cb,---a-----------,0,0,11725,"[ENG MFT STD_INFO] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"
Mon Nov 26 2012 23:07:31,0,macb,---a-----------,0,0,11726,"[ENG MFT FILE_NAME] WINDOWS\webui\netuse.dll (Offset: 0xde4e48)"
Mon Nov 26 2012 23:07:31,0,macb,---a-----------,0,0,11726,"[ENG MFT STD_INFO] WINDOWS\webui\netuse.dll (Offset: 0xde4e48)"
Tue Nov 27 2012 00:44:16,0,m...,---a-----------,0,0,11734,"[ENG MFT STD_INFO] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:49:01,0,macb,---a-----------,0,0,11734,"[ENG MFT FILE_NAME] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:49:01,0,.acb,---a-----------,0,0,11734,"[ENG MFT STD_INFO] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:56:43,0,m...,---a-----------,0,0,11735,"[ENG MFT STD_INFO] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 00:57:20,0,macb,---a-----------,0,0,11735,"[ENG MFT FILE_NAME] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 00:57:20,0,.acb,---a-----------,0,0,11735,"[ENG MFT STD_INFO] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 01:01:39,0,macb,---a-----------,0,0,11736,"[ENG MFT FILE_NAME] WINDOWS\webui\https.dll (Offset: 0x109cf7a8)"
Tue Nov 27 2012 01:01:39,0,macb,---a-----------,0,0,11736,"[ENG MFT STD_INFO] WINDOWS\webui\https.dll (Offset: 0x109cf7a8)"
Tue Nov 27 2012 01:11:40,0,m...,---a-----------,0,0,11737,"[ENG MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:14:48,0,macb,---a-----------,0,0,11737,"[ENG MFT FILE_NAME] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:14:48,0,.acb,---a-----------,0,0,11737,"[ENG MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:26:47,0,macb,---a-----------,0,0,11738,"[ENG MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x10b97800)"
Tue Nov 27 2012 01:26:47,0,macb,---a-----------,0,0,11738,"[ENG MFT STD_INFO] WINDOWS\webui\system5.bat (Offset: 0x10b97800)"
Tue Nov 27 2012 01:26:47,0,mac.,---------------,0,0,7556,"[ENG MFT STD_INFO] WINDOWS\webui (Offset: 0x1bc21000)"
Tue Nov 27 2012 01:27:03,0,.a..,---a-----------,0,0,11725,"[ENG MFT STD_INFO] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"
GS, RA, SL and WC.exe ran in close proximity to our compromise time of 23:01:53
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | egrep -i '(GS|RA|SL)+.EXE-+'
Sat Nov 24 2012 18:06:27,0,macb,---a-------I---,0,0,11583,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\MSMSGS.EXE-2B6052DE.pf (Offset: 0xff0cc00)"
Mon Nov 26 2012 23:10:35,0,macb,---a-------I---,0,0,11729,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SL.EXE-010E2A23.pf (Offset: 0x311400)"
Mon Nov 26 2012 23:11:58,0,macb,---a-------I---,0,0,11730,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\GS.EXE-3796DDD9.pf (Offset: 0x311800)"
Other?
Mon Nov 26 2012 23:11:58,.a..,[ENG Registry] SECURITY\Policy\Secrets
SECURITY\Policy\Secrets contains Local Security Authority (LSA) secrets
cachedump dumps cached domain hashes from memory
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 cachedump
Volatility Foundation Volatility Framework 2.4
administrator:00c2bcc2230054581d3551a9fdcf4893:petro-market:petro-market.org
callb:178526e1cb2fdfc36d764595f1ddd0f7:petro-market:petro-market.org
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 filescan | grep -i gs.exe
Volatility Foundation Volatility Framework 2.4
0x00000000020bb938 1 0 R--r-d \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 dumpfiles -Q 0x020bb938 -D ENG_OUT/
Volatility Foundation Volatility Framework 2.4
ImageSectionObject 0x020bb938 None \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
DataSectionObject 0x020bb938 None \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
[root&jackcr-challenge]#strings -a -el ENG_OUT/file.None.0x822cf6e8.img > gsStrings
[root&jackcr-challenge]#strings -a ENG_OUT/file.None.0x822cf6e8.img >> gsStrings
[root&jackcr-challenge]#cat gsStrings
SECURITY\Policy\Secrets
rerror [
error:
info: you must run as LocalSystem to dump LSA secrets
kerberos tickets dump is not yet available
crap :)
ntdll.dll
crap#! :)
ycrap! :(
crap! :)
ycrap!? :)
[snip]
unable to start gsecdump as service
system
help
dump_all,a
dump all secrets
dump_hashes,s
dump hashes from SAM/AD
dump_lsa,l
dump lsa secrets
dump_usedhashes,u
dump hashes from active logon sessions
dump_wireless,w
dump microsoft wireless connections
help,h
show help
system,S
run as localsystem
gsecdump v0.7 by Johannes Gumbel ([email protected])
usage: gsecdump [options]
gs.exe is gsecdump (from book)
Networking executables are a good indicator
Look for symlinks with symlinkscan!
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 symlinkscan | grep -i '[a-zA-Z]:'
Volatility Foundation Volatility Framework 2.4
0x0000000002707bd8 1 0 2012-11-26 22:03:21 UTC+0000 C: \Device\HarddiskVolume1
0x00000000056eb400 1 0 2012-11-26 22:03:27 UTC+0000 A: \Device\Floppy0
0x000000000578d4a8 1 0 2012-11-26 22:03:27 UTC+0000 D: \Device\CdRom0
0x0000000005aaf1b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000000ab96398 1 0 2012-11-27 01:56:50 UTC+0000 R: \Device\LanmanRedirector\;R:0...00c21e\172.16.150.10\ITShare
0x000000000b0a3608 1 0 2012-11-27 00:48:19 UTC+0000 Z: \Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z
0x00000000194ffbd8 1 0 2012-11-26 22:03:21 UTC+0000 C: \Device\HarddiskVolume1
0x00000000196f0bd8 1 0 2012-11-26 22:03:21 UTC+0000 C: \Device\HarddiskVolume1
0x000000001c8931b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001ce5c1b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001d2cf1b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001d4e21b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001d7d51b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001db881b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001ddbb1b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001e2501b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
0x000000001e6ad1b8 2 1 2012-11-26 22:03:28 UTC+0000 KnownDllPath C:\WINDOWS\system32
Tue Nov 27 2012 00:48:19,.a..,[ENG Registry] $$$PROTO.HIV\Network
Tue Nov 27 2012 00:48:19,macb,[ENG SYMLINK] Z:->\Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z POffset: 185218568/tr: 1/Hnd: 0
Tue Nov 27 2012 00:49:28,.a..,[ENG Registry] $$$PROTO.HIV\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2##172.16.223.47#z
Mapped network drives are recorded under the Network\ key
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 printkey -K "network\z"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: z (S)
Last updated: 2012-11-27 00:48:20 UTC+0000
Subkeys:
Values:
REG_SZ RemotePath : (S) \\172.16.223.47\z
REG_SZ UserName : (S) PETRO-MARKET\ENG-USTXHOU-148$
REG_SZ ProviderName : (S) Microsoft Windows Network
REG_DWORD ProviderType : (S) 131072 #LanMan
REG_DWORD ConnectionType : (S) 1 #drive redirection
REG_DWORD DeferFlags : (S) 4 #DeferFlags (creds saved)
Tue Nov 27 2012 01:26:47,macb,[ENG MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x10b97800)
System5.bat is resident in the MFT
[root&jackcr-challenge]#cat ENG_FILES/*0x10b97800* -n
1 @echo off
2 copy c:\windows\webui\wc.exe c:\windows\system32
3 at 19:30 wc.exe -e -o h.out
At.exe schedules jobs
Tue Nov 27 2012 01:27:03,macb,[ENG MFT FILE_NAME] WINDOWS\Tasks\At1.job (Offset: 0x12ab2000)
Tue Nov 27 2012 01:27:03,macb,[ENG MFT FILE_NAME] WINDOWS\Prefetch\AT.EXE-2770DD18.pf (Offset: 0x12ab2400)
Microsoft\SchedulingAgent gets updated with jobs
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 printkey -K "Microsoft\SchedulingAgent"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: SchedulingAgent (S)
Last updated: 2012-11-27 01:30:00 UTC+0000
Subkeys:
Values:
REG_EXPAND_SZ TasksFolder : (S) %SystemRoot%\Tasks
REG_EXPAND_SZ LogPath : (S) %SystemRoot%\SchedLgU.Txt
REG_DWORD MinutesBeforeIdle : (S) 15
REG_DWORD MaxLogSizeKB : (S) 32
REG_SZ OldName : (S) ENG-USTXHOU-148
REG_DWORD DataVersion : (S) 3
REG_DWORD PriorDataVersion : (S) 0
REG_BINARY LastTaskRun : (S)
0x00000000 dc 07 0b 00 01 00 1a 00 13 00 1e 00 01 00 00 00 ................
LastTaskRun is updated when a task runs!
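Two of the timestamp encodings listed at the start of the deck appear verbatim on this page: the phishing e-mail's X-OriginalArrivalTime header carries a Windows FILETIME, and the LastTaskRun REG_BINARY above is a SYSTEMTIME. The added Python below (not the slides' code and not from any tool) decodes both: LastTaskRun comes out as 2012-11-26 19:30:01 local time, matching the 19:30 at-job and consistent with h.out appearing at 01:30:00 UTC on a host clock at UTC-6 (Central Standard Time, as the USTXHOU host name suggests).

```python
"""Decode Windows FILETIME and SYSTEMTIME values quoted on the page.

Added example, not the slides' code. The FILETIME is taken from the e-mail's
X-OriginalArrivalTime header, the SYSTEMTIME bytes from printkey's LastTaskRun.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low, high):
    """FILETIME: 64-bit count of 100 ns intervals since 1601-01-01 UTC.

    Outlook prints it as FILETIME=[low:high], low DWORD first.
    """
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_header_filetime(header_value):
    """Extract FILETIME=[XXXXXXXX:YYYYYYYY] from an X-OriginalArrivalTime value."""
    start = header_value.index("FILETIME=[") + len("FILETIME=[")
    end = header_value.index("]", start)
    low_hex, high_hex = header_value[start:end].split(":")
    return filetime_to_datetime(int(low_hex, 16), int(high_hex, 16))


def systemtime_to_datetime(blob):
    """SYSTEMTIME: eight little-endian WORDs (year, month, day-of-week, day,
    hour, minute, second, milliseconds). It carries no zone; the scheduler
    writes LastTaskRun in local time."""
    if len(blob) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # Sanity check: SYSTEMTIME counts Sunday=0, Python's weekday() Monday=0.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError(f"day-of-week {dow} does not match {dt:%A}")
    return dt


def hexdump_to_bytes(line):
    """Turn a printkey hexdump row ('0x00000000 dc 07 ... ....') into 16 bytes."""
    fields = line.split()
    return bytes(int(b, 16) for b in fields[1:17])


# Values exactly as printed on the page.
ARRIVAL_HEADER = "26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]"
LASTTASKRUN_DUMP = "0x00000000 dc 07 0b 00 01 00 1a 00 13 00 1e 00 01 00 00 00 ................"

if __name__ == "__main__":
    print("E-mail arrived :", parse_header_filetime(ARRIVAL_HEADER))
    print("LastTaskRun    :", systemtime_to_datetime(hexdump_to_bytes(LASTTASKRUN_DUMP)), "(local)")
```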
[root&jackcr-challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i h.out
Tue Nov 27 2012 01:30:00,560,macb,,0,0,11742,[ENG MFT FILE_NAME] WINDOWS\system32\h.out (Offset: 0x12ab2800)
[root&jackcr-challenge]#cat ENG_FILES/*0x12ab2800*
callb:PETRO-MARKET:115B24322C11908C85140F5D33B6232F:40D1D232D5F731EA966913EA458A16E7
ENG-USTXHOU-148$:PETRO-MARKET:00000000000000000000000000000000:D6717F1E5252FA87ED40AF8C46D8B1E2
sysbackup:current:C2A3915DF2EC79EE73108EB48073ACB7:E7A6F270F1BA562A90E2C133A95D2057
Look for SYMANTEC-1.43-1[2].EXE on all machines!
[root&jackcr-challenge]#grep -Hi symantec IIS_all FLD_all | cut -d\| -f1,2
FLD_all:0|[MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-330FB7E3.pf (Offset: 0x1d75cc00)
Looking into FLD-SARIYADH-43, 6to4 was also created and some artifacts are similar.
Tue Nov 27 2012 00:31:39,macb,[FLD MFT FILE_NAME] WINDOWS\system1.bat (Offset: 0x1787f000)
Tue Nov 27 2012 00:33:32,macb,[FLD MFT FILE_NAME] WINDOWS\Prefetch\PS.EXE-09745CC1.pf (Offset: 0x1787f400)
Tue Nov 27 2012 00:43:45,macb,[FLD MFT FILE_NAME] WINDOWS\system6.bat (Offset: 0x1787f800)
Tue Nov 27 2012 00:43:45,macb,[FLD MFT STD_INFO] WINDOWS\system6.bat (Offset: 0x1787f800)
Tue Nov 27 2012 00:53:29,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system2.bat (Offset: 0x1787fc00)
Tue Nov 27 2012 00:59:00,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system3.bat (Offset: 0x1b773000)
Tue Nov 27 2012 01:04:59,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system4.bat (Offset: 0x1b773400)
Tue Nov 27 2012 01:19:41,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x1b773800)
[root&jackcr-challenge]#cat *0x1787f000*
@echo off
mkdir c:\windows\webui
net share z=c:\windows\webui /GRANT:sysbackup,FULL
[root&jackcr-challenge]#cat *0x1787f800*
@echo off
ipconfig /all >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
[snip]
[root&jackcr-challenge]#cat *0x1b773400*
@echo off
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll
Lots of indicators of compromise
New services, malicious executable ran, files zipped...
Did anything get exfiltrated?
What about network traffic?
Recall 58.64.132.141 was the IDS alert
[root&jackcr-challenge]#cat networking.body | tr -d '\000' | grep 58.64.132.141
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP SYN packet 172.16.150.20:1097 -> 58.64.132.141:80 seq [2669490555] (file: jackcr-challenge.pcap)
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP packet flags [0x10: ACK ] 172.16.150.20:1097 -> 58.64.132.141:80 seq [2669490556] (file: jackcr-challenge.pcap)
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP packet flags [0x10: ACK ] 172.16.150.20:1097-> 58.64.132.141:80 seq [2669490715] (file: jackcr-challenge.pcap)
Gh0st RAT traffic can be decoded with ChopShop, a protocol analysis/decoder framework.
Requires some dependencies...
[root&pynids]#git clone https://github.com/MITRECND/pynids && cd pynids
[root&pynids]#chmod +x setup.py
[root&pynids]#./setup.py build && ./setup.py install
Then run it!
[root&jackcr-challenge]#/opt/chopshop/chopshop -f jackcr-challenge.pcap gh0st_decode -F decrypted.txt
[root&jackcr-challenge]#cat decrypted.txt
TOKEN: LOGIN: eng-ustxhou-148: Windows XP Service Pack 3 - Build: 2600 - Clock: 3056 Mhz - IP: 172.16.150.20 Webcam: no
COMMAND: ACTIVED
COMMAND: SHELL
TOShutting Down Modules ...
Shutting Down gh0st_decode
Module Shutdown Complete ...
ChopShop Complete
Look at all the things...
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.150.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.150.2
C:\WINDOWS\webui>
net view >> netuse.dll
net view >> netuse.dll
wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa ([email protected])
Use -h for help.
Changing NTLM credentials of current logon session (000003E7h) to:
Username: sysbackup
domain: current
LMHash: c2a3915df2ec79ee73108eb48073acb7
NTHash: e7a6f270f1ba562a90e2c133a95d2057
NTLM credentials successfully changed!
C:\WINDOWS\webui>
net use z: \\172.16.223.47\z
[snip]
COMMAND: FILE SIZE (C:\WINDOWS\ps.exe: 381816)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
[snip]
COMMAND: FILE SIZE (C:\WINDOWS\webui\gs.exe: 303104)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
The book used a modified gh0st_decode module that put pcap information into a timeline...
$ chopshop -f jackcr-challenge.pcap gh0st_decode_body -F decrypted.body
Mon Nov 26 2012 23:07:31,macb,[Gh0st Decode] 172.16.150.20:1098->58.64.132.141:80 SHELL: ipconfig /all >> netuse.dll
Mon Nov 26 2012 23:07:31,.a..,[ENG MFT STD_INFO] WINDOWS\system32\iertutil.dll (Offset: 0x5ba2800)
Mon Nov 26 2012 23:07:31,.a..,[ENG MFT STD_INFO] WINDOWS\system32\urlmon.dll (Offset: 0x328a800)
The files were WinRAR'd into netstat.dll!
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 COMMAND: DOWN FILES (C:\WINDOWS\webui\netstat.dll)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE DATA (2713)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE DATA (8183)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE SIZE (C:\WINDOWS\webui\netstat.dll: 109092)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: TRANSFER FINISH
Mon, 26 Nov 2012 14:00:08 -0600: E-mail sent
Mon Nov 26 2012 23:01:53: Download of Symantec-1.43-1.exe from the phishing link
Mon Nov 26 2012 23:01:54: Symantec-1.43-1.exe runs
Mon Nov 26 2012 23:01:54: Registry updated and 6to4 added as a service, threads started in svchost.exe
Mon Nov 26 2012 23:11:58: gs.exe accessed LSA secrets
Tue Nov 27 2012 00:31:39: Batch files begin to get created on FLD-SARIYADH-43
Tue Nov 27 2012 00:43:45: Batch files start to run, until Tue Nov 27 2012 01:19:41
Tue Nov 27 2012 01:15:44: Data extracted
Tue Nov 27 2012 01:27:03: Z:->\Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z mapped
Tue Nov 27 2012 01:27:03: At1.job scheduled for 19:30 with wc.exe
Analyze prefetch files because they often tell you when suspicious programs executed
Analyze the Shimcache registry keys
Look for the creation of unknown executable files and DLLs
Focus on network activity (newly opened ports and outgoing connections)
Look for creation of job files, which attackers often use to automate tasks
Once you have a point of reference, you can correlate events among other systems involved in the attack