Timelining

Presenter Notes

What

Reconstructing Events through Analysis

Develop footprints to identify tools, techniques and actors

Using Volatility and external tools

Theories + Information = ????

Presenter Notes

Timestamp formats

WinTimeStamp

  • 8-bytes
  • 100-nanosecond intervals since Janurary 1, 1601 UTC

UnixTimeStamp

  • 4-bytes
  • seconds since Janurary 1, 1970 UTC

DosDate

  • 4-bytes
  • Shortcut files and registry data

Presenter Notes

Timestamp Sources

System Tie

Process start and end times

Thread start and end times

Symlink creation

Registry key

Disk Artifacts

MRU Lists

PE compilation time

Socket creation

Event logs

Presenter Notes

Volatility and Timelining

Timeliner

timeliner 
--output-file=timeliner.txt --output=body

Mftparser

mftparser
--output-file=mft.txt --output=body

Shellbags

shellbags
--output-file=shellbags.txt --output=body

Presenter Notes

Timeliner

Creates a timeline from various artifacts in memory

Extracts a large number of artifacts and output options

Timestamps are in UTC by default! --tz for timezone

Output

  • text: Date/Time | Type | details
  • xlsx: Office 2007 Excel file with OpenPyxl. Time | Type | Item | Details | Reason
  • body: Usable with mactime from TSK
  • xml: Simile data-visualization

Presenter Notes

Timeliner

--type=EvtLog,IEHistory,ImageDate,LoadTime,Process,Shimcache,Socket,Symlink,Thread,TimeDateStamp,Userassist,_CMHIVE,_CM_KEY_BODY,_HBASE_BLOCK

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner 
2010-06-25 12:42:00 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\ln.exe|  End: 2010-10-08 03:59:17 UTC+0000
2010-08-31 08:01:28 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\mkgroup.exe|  End: 2010-10-08 03:58:54 UTC+0000
2010-08-31 08:01:28 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\mkpasswd.exe|  End: 2010-10-08 03:58:54 UTC+0000
2010-06-25 12:41:49 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\cp.exe|  End: 2010-10-08 03:59:17 UTC+0000
2010-06-25 12:42:09 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\rm.exe|  End: 2010-10-08 03:59:05 UTC+0000
1970-01-01 00:00:00 UTC+0000|[SHIMCACHE]| C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll|  End: 2010-08-27 14:49:18 UTC+0000
2010-06-25 12:41:47 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\chgrp.exe|  End: 2010-10-08 03:58:54 UTC+0000
2009-03-30 16:23:54 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\install-info.exe|  End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:41:52 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\dirname.exe|  End: 2010-10-08 03:59:16 UTC+0000
2010-08-13 16:58:31 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\sh.exe|  End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:42:18 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\test.exe|  End: 2010-10-08 03:59:15 UTC+0000
2007-07-23 21:14:24 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\gzip.exe|  End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:41:53 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\echo.exe|  End: 2010-10-08 03:59:17 UTC+0000
2010-06-25 12:42:19 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\touch.exe|  End: 2010-10-08 03:59:17 UTC+0000

Presenter Notes

Event Logs

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner --type=EvtLog
Volatility Foundation Volatility Framework 2.4
2010-08-22 17:34:29 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/RSVP;QoS RSVP
2010-08-22 17:34:42 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/PSched;PSched
2010-08-22 17:34:44 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/RemoteAccess;Routing and Remote Access
2010-08-22 17:34:56 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/TermService;Terminal Services
2010-08-22 17:34:57 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/MSDTC;MSDTC
2010-08-22 17:34:57 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/MSDTC/4104/Info/N/A
[snip]

Presenter Notes

Mactime

-b <body file>
-d <each line command delimited
-z <timezone>

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner --type=EvtLog --output=body --output-file=stuxnetEvents.body
[root&windows]#mactime -b stuxnetEvents.body -d -z UTC 
Date,Size,Type,Mode,UID,GID,Meta,File Name
Sun Aug 22 2010 13:32:25,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/EventLog/6005/Info/N/A"
Sun Aug 22 2010 13:32:25,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/EventLog/6009/Info/5.01.;2600;Service Pack 3;Uniprocessor Free"
Sun Aug 22 2010 13:32:54,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/Serial/2/Info/\Device\Serial0;\Device\Serial0"
Sun Aug 22 2010 13:32:54,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/Serial/2/Info/\Device\Serial1;\Device\Serial1"
[snip]

Presenter Notes

Mactime

Shows human readable timestamp and event

Also shows what timestamp is presented

  • m = modified time
  • a = accessed time
  • c = creation time
  • b = MFT mpodified time (for MFT entries)
  • . = missing

Presenter Notes

Disk Artifacts

Several can be used for timelining

NTFS $STANDARD_INFORMATION

  • Creation
  • Altered Time
  • Accessed Time

Prefetch files

  • When executables were executed

Trashed Files

  • Timestamp of removal

MFT

Presenter Notes

MFTParser and Mactime

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 mftparser -D . --output=body --output-file=stuxnetMFT
Volatility Foundation Volatility Framework 2.4
Scanning for MFT entries and building directory, this can take a while
[root&windows]#mactime stuxnetMFT | tail
Thu Jun 02 2011 21:28:33        0 mac. -h-a----------- 0        0        10544    [MFT STD_INFO] DOCUME~1\Administrator\NTUSER~1.LOG (Offset: 0x3f7b000)
Thu Jun 02 2011 21:29:13        0 .a.. --------------- 0        0        82621    [MFT STD_INFO] Python26\Lib\lib2to3 (Offset: 0x15b45400)
                                0 .a.. --------------- 0        0        82632    [MFT STD_INFO] Python26\Lib\lib2to3\tests (Offset: 0x1eb87000)
                                0 .a.. --------------- 0        0        82643    [MFT STD_INFO] Python26\Lib\lib2to3\tests\data (Offset: 0x1ea89c00)
                                0 .a.. --------------- 0        0        82650    [MFT STD_INFO] Python26\Lib\lib2to3\tests\data\fixers (Offset: 0x11e4b800)
Thu Jun 02 2011 21:30:14        0 .a.. r-------------- 0        0        6279     [MFT STD_INFO] DOCUME~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1 (Offset: 0x236bc00)
Thu Jun 02 2011 21:31:35        0 .a.. r--a----------- 0        0        10932    [MFT STD_INFO] PROGRA~1\VMware\VMWARE~1\SUSPEN~1.BAT (Offset: 0x3fd6000)
                           389120 .ac. ---a----------- 0        0        2121     [MFT STD_INFO] WINDOWS\system32\cmd.exe (Offset: 0x3f44400)
                                0 .a.. ---a----------- 0        0        94638    [MFT STD_INFO] Documents and Settings\Administrator\Desktop\IDAPRO~1.LNK (Offset: 0x3fe9800)
Thu Jun 02 2011 21:31:36        0 m.c. -h-a----------- 0        0        3646     [MFT STD_INFO] WINDOWS\system32\config\software.LOG (Offset: 0x40c1800)

Presenter Notes

Focus Points

Prefetch: execution results

  • Some windows OS disable prefetch by default
  • SSD disables prefetch

Shimcache registry keys

  • When programs were executed

Network Activity

  • Socket creation

Presenter Notes

More Focus Points

Job files

  • Jobs with "at" command

Registry Keys

  • Modified time, creation time...
  • Service creation
  • Persistence Mechanisms

Disk Artifacts

Shellbags

  • User window viewing
  • MRU Lists
  • Network shares

Presenter Notes

Gh0st in the Enterprise

Walk-through from the text.

Starts @ Page 543

Presenter Notes

Gh0st in the Enterprise

Forensics challenge hosted by Jack Crook for 2012 DFIR Challenge

An organization is the victim of a targeted attack and attackers moved between machines.

An IDS alert flagged traffic from ENG-USTXHOU-148 to an IP 58.64.132.141

Machines:

  • ENG-USTXHOU-148: 172.16.150.20 / WinXPSP3x86
  • FLD-SARIYADH-43: 172.16.223.187 / WinXPSP3x86
  • IIS-SARIYADH-03: 172.16.223.47 / Win2003SP0x86

Presenter Notes

Timeliner

Combine timeliner from multiple machines!

--machine adds a name to the timeline header

[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin  --profile=Win2003SP0x86 mftparser --output=body -D IIS_FILES/ --machine=IIS --output-file=challenge/IIS_mft.body

[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin --profile=Win2003SP0x86 timeliner --output=body --machine=IIS --output-file=challenge/IIS_timeliner.body


[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin --profile=Win2003SP0x86 shellbags --output=body --machine=IIS --output-file=challenge/IIS_shellbags.body

Do the same for all three machines. . .

Presenter Notes

Log2timeline

Extract data from

  • event logs
  • registry files
  • prefetch files
  • recycle bin
  • packet captures (pcaps)

Can be run against a disk images or files that have been dumped from the image

Presenter Notes

Packet Capture Data

log2timeline can create a timeline from data in a pcap

[root&jackcr-challenge]#log2timeline -f pcap -z UTC jackcr-challenge.pcap -w IIS_pcap.body

Combine all logs into one file!

[root&challenge]#cat IIS_* >> IIS_logs.body

Presenter Notes

Vector of Compromise

ENG-USTXHOU-148 was in IDS alert from IP 58.64.132.141

PID 1024 has two connections to 58.64.132.141

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin imageinfo
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.4
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 pslist -p 1024
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x820b3da0 svchost.exe            1024    680     76     1645      0      0 2012-11-26 22:03:32 UTC+0000

Presenter Notes

Executed Programs

Using the ENG_logs.body file we generated let's look at prefetch files

[root&challenge]#grep -i pf ENG_logs.body  | grep -i exe | cut -d\| -f2
[ENG MFT FILE_NAME] WINDOWS\Prefetch\NETEXE~1.PF (Offset: 0x12d588)
[ENG MFT STD_INFO] WINDOWS\Prefetch\NETEXE~1.PF (Offset: 0x12d588)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf (Offset: 0x12d588)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SLEXE-~1.PF (Offset: 0x311400)
[ENG MFT STD_INFO] WINDOWS\Prefetch\SLEXE-~1.PF (Offset: 0x311400)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SL.EXE-010E2A23.pf (Offset: 0x311400)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\GSEXE-~1.PF (Offset: 0x311800)
[ENG MFT STD_INFO] WINDOWS\Prefetch\GSEXE-~1.PF (Offset: 0x311800)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\GS.EXE-3796DDD9.pf (Offset: 0x311800)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\PING.EXE-31216D26.pf (Offset: 0x311c00)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\MDDEXE~1.PF (Offset: 0x230ed10)
[ENG MFT STD_INFO] WINDOWS\Prefetch\MDDEXE~1.PF (Offset: 0x230ed10)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\MDD.EXE-07B34726.pf (Offset: 0x230ed10)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf (Offset: 0x3234c00)
[snip]
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)

Some look suspicious.... SL.EXE, GS.EXE, PS.EXE and SYMANTEC-1.43-1[2].EXE.

There is also AT.exe (scheduling) and PING and NET....

Presenter Notes

Chronological Order

Note: grep thought I had a binary file...

[root&challenge]#mactime -b ENG_logs.body -d -z UTC > ENG_logsOrdered.body
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i symantec
26 2012 23:01:53,macb,[ENG IEHISTORY] explorer.exe->Visited: [email protected]://58.64.132.8/download/Symantec-1.43-1.exe PID: 284/Cache type "URL " at 0x2895000
Mon Nov 26 2012 23:01:54,0,macb,---a-------I---,0,0,11722,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset

Download of Symantec-1.43-1.exe at 23:01:53 and execution of it at 23:01:54....

[root&challenge]#whois 58.64.132.8
[snip]
address:        Hong Kong
[snip]

Presenter Notes

E-mail artifacts

Running strings on the memdump shows an e-mail with the link to the Symantec executable

[root&jackcr-challenge]#strings -td -a ENG-USTXHOU-148/memdump.bin > ENG_strings.txt
[root&jackcr-challenge]#cat ENG_strings.txt | grep -i received:
34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
[root&jackcr-challenge]#cat ENG_strings.txt | grep 34435239 -B 1 -A 100
34435204         Mon, 26 Nov 2012 14:00:08 -0600
34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
34435306        by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
34435388        Mon, 26 Nov 2012 15:00:07 -0500
34435422 Message-ID: <[email protected]>
34435477 From: "Security Department" <[email protected]>
34435531 To: <[email protected]>, <[email protected]>,
34435588         <[email protected]>
34435624 Subject: Immediate Action
34435651 Date: Mon, 26 Nov 2012 14:59:38 -0500
34435690 MIME-Version: 1.0
34435709 Content-Type: multipart/alternative;
34435747        boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
34435802 X-Priority: 3
34435817 X-MSMail-Priority: Normal
34435844 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
34435896 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
34435954 Return-Path: [email protected]
34435991 X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
34436078 This is a multi-part message in MIME format.
34436126 ------=_NextPart_000_0015_01CDCBE6.A7B92DE0
34436171 Content-Type: text/plain;
34436198        charset="iso-8859-1"
34436221 Content-Transfer-Encoding: quoted-printable
34436268 Attn: Immediate Action is Required!!
34436308 The IS department is requiring that all associates update to the new =
34436380 version of anti-virus.  This is critical and must be done ASAP!  Failure =
34436456 to update anti-virus may result in negative actions.
34436512 Please download the new anti-virus and follow the instructions.  Failure =
34436588 to install this anti-virus may result in loosing your job!
34436650 Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
34436720 Regards,
34436730 The IS Department

Presenter Notes

Lolz

Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus.  This is critical and must be done ASAP!  Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions.  Failure =
to install this anti-virus may result in loosing your job!
Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
Regards,
The IS Department

Presenter Notes

Anything else near file download?

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i 23:01:54
Mon Nov 26 2012 23:01:54,0,macb,---a-------I---,0,0,11722,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)"
Mon Nov 26 2012 23:01:54,100895,.ac.,---a-----------,0,0,8610,"[ENG MFT FILE_NAME] WINDOWS\system32\6to4ex.dll (Offset: 0x324c800)"
Mon Nov 26 2012 23:01:54,100895,.ac.,-h-------------,0,0,8610,"[ENG MFT STD_INFO] WINDOWS\system32\6to4ex.dll (Offset: 0x324c800)"

6to4ex.dll seems odd...

Presenter Notes

Registry Artifacts

Extract registry hives with dumpfiles and use timeline.py from python-registry

#!/bin/bash
volatility=/opt/volatility-2.4/volatility-2.4/vol.py
timeline=/opt/python-registry/sample/timeline.py
file=jackcr-challenge/ENG-USTXHOU-148/memdump.bin
loc=challenge/REG/ENG-USTXHOU-148/
short='echo ENG-USTXHOU-148 |cut -d\- -f1'
mkdir -p $loc
    for i in config.system config.security config.sam \
  config.default config.software ntuser.dat usrclass.dat
do
 $volatility -f $file --profile WinXPSP2x86 dumpfiles -i -r $i\$ -D $loc
done
find $loc -type f -exec python $timeline \
  --body '{}' >> $loc \;
    cat $loc.temp |sed "s/\[Registry None/\[$short Registry/" \
      >> $loc.registry.body
rm $loc.temp

Presenter Notes

6to4ex.dll

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i 23:01:54
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_6TO4
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_6TO4\0000
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Services\6to4\Parameters
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Services\6to4\Security

Presenter Notes

More enumeration

DLL runs inside svchost.exe

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 printkey -K "ControlSet001\Services\6to4"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: 6to4 (S)
Last updated: 2012-11-26 23:01:55 UTC+0000

Subkeys:
  (S) Parameters
  (S) Security
  (V) Enum

Values:
REG_DWORD     Type            : (S) 288
REG_DWORD     Start           : (S) 2
REG_DWORD     ErrorControl    : (S) 1
REG_EXPAND_SZ ImagePath       : (S) %SystemRoot%\System32\svchost.exe -k netsvcs
REG_SZ        DisplayName     : (S) Microsoft Device Manager
REG_SZ        ObjectName      : (S) LocalSystem
REG_SZ        Description     : (S) Service Description

Presenter Notes

Parameters?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 printkey -K "ControlSet001\Services\6to4\Parameters"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: Parameters (S)
Last updated: 2012-11-26 23:01:54 UTC+0000

Subkeys:

Values:
REG_EXPAND_SZ ServiceDll      : (S) C:\WINDOWS\system32\6to4ex.dll

Presenter Notes

Other events around 23:01:54?

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep 23:01:54
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 276
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 508
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 528
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 536
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 652
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 936

Presenter Notes

DLL Loaded?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 dlllist -p 1024
Volatility Foundation Volatility Framework 2.4
************************************************************************
svchost.exe pid:   1024
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\WINDOWS\System32\svchost.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
[snip]
0x10000000    0x1c000        0x1 c:\windows\system32\6to4ex.dll

Presenter Notes

Service load order?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 svcscan
Offset: 0x389d60
Order: 228
Start: SERVICE_AUTO_START
Process ID: 1024
Service Name: 6to4
Display Name: Microsoft Device Manager
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Presenter Notes

Finding an Active Attacker

ipconfig.exe was used...

Mon Nov 26 2012 23:03:21,55808,.a..,---a-----------,0,0,24145,"[ENG MFT STD_INFO] WINDOWS\system32\ipconfig.exe (Offset: 0xc826400)"

WINDOWS/webui appears

Mon Nov 26 2012 23:03:10,macb,[ENG MFT FILE_NAME] WINDOWS\webui (Offset: 0x1bc21000)

net.exe was used

Mon Nov 26 2012 23:07:53,macb,[ENG MFT FILE_NAME] WINDOWS\Prefetch \NET.EXE-01A53C2F.pf (Offset: 0x12d588)

Presenter Notes

Webui?

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i webui
Mon Nov 26 2012 23:03:10,0,macb,-------------D-,0,0,7556,"[ENG MFT FILE_NAME] WINDOWS\webui (Offset: 0x1bc21000)"
Mon Nov 26 2012 23:03:10,0,...b,---------------,0,0,7556,"[ENG MFT STD_INFO] WINDOWS\webui (Offset: 0x1bc21000)"
Mon Nov 26 2012 23:06:47,0,macb,---a-----------,0,0,11719,"[ENG MFT FILE_NAME] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:47,0,...b,---a-----------,0,0,11719,"[ENG MFT STD_INFO] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:48,0,mac.,---a-----------,0,0,11719,"[ENG MFT STD_INFO] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:52,0,macb,---a-----------,0,0,11723,"[ENG MFT FILE_NAME] WINDOWS\webui\ra.exe (Offset: 0x17779c00)"
Mon Nov 26 2012 23:06:52,0,macb,---a-----------,0,0,11723,"[ENG MFT STD_INFO] WINDOWS\webui\ra.exe (Offset: 0x17779c00)"
Mon Nov 26 2012 23:06:56,0,macb,---a-----------,0,0,11724,"[ENG MFT FILE_NAME] WINDOWS\webui\sl.exe (Offset: 0x1f5ff000)"
Mon Nov 26 2012 23:06:56,0,macb,---a-----------,0,0,11724,"[ENG MFT STD_INFO] WINDOWS\webui\sl.exe (Offset: 0x1f5ff000)"
Mon Nov 26 2012 23:06:59,0,macb,---a-----------,0,0,11725,"[ENG MFT FILE_NAME] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"
Mon Nov 26 2012 23:06:59,0,m.cb,---a-----------,0,0,11725,"[ENG MFT STD_INFO] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"
Mon Nov 26 2012 23:07:31,0,macb,---a-----------,0,0,11726,"[ENG MFT FILE_NAME] WINDOWS\webui\netuse.dll (Offset: 0xde4e48)"
Mon Nov 26 2012 23:07:31,0,macb,---a-----------,0,0,11726,"[ENG MFT STD_INFO] WINDOWS\webui\netuse.dll (Offset: 0xde4e48)"
Tue Nov 27 2012 00:44:16,0,m...,---a-----------,0,0,11734,"[ENG MFT STD_INFO] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:49:01,0,macb,---a-----------,0,0,11734,"[ENG MFT FILE_NAME] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:49:01,0,.acb,---a-----------,0,0,11734,"[ENG MFT STD_INFO] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:56:43,0,m...,---a-----------,0,0,11735,"[ENG MFT STD_INFO] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 00:57:20,0,macb,---a-----------,0,0,11735,"[ENG MFT FILE_NAME] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 00:57:20,0,.acb,---a-----------,0,0,11735,"[ENG MFT STD_INFO] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 01:01:39,0,macb,---a-----------,0,0,11736,"[ENG MFT FILE_NAME] WINDOWS\webui\https.dll (Offset: 0x109cf7a8)"
Tue Nov 27 2012 01:01:39,0,macb,---a-----------,0,0,11736,"[ENG MFT STD_INFO] WINDOWS\webui\https.dll (Offset: 0x109cf7a8)"
Tue Nov 27 2012 01:11:40,0,m...,---a-----------,0,0,11737,"[ENG MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:14:48,0,macb,---a-----------,0,0,11737,"[ENG MFT FILE_NAME] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:14:48,0,.acb,---a-----------,0,0,11737,"[ENG MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:26:47,0,macb,---a-----------,0,0,11738,"[ENG MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x10b97800)"
Tue Nov 27 2012 01:26:47,0,macb,---a-----------,0,0,11738,"[ENG MFT STD_INFO] WINDOWS\webui\system5.bat (Offset: 0x10b97800)"
Tue Nov 27 2012 01:26:47,0,mac.,---------------,0,0,7556,"[ENG MFT STD_INFO] WINDOWS\webui (Offset: 0x1bc21000)"
Tue Nov 27 2012 01:27:03,0,.a..,---a-----------,0,0,11725,"[ENG MFT STD_INFO] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"

Presenter Notes

Mon Nov 26 2012 23:06:47->23:06:59

GS, RA, SL and WC.exe ran in close proximity to our compromise time of 23:01:53

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | egrep -i '(GS|RA|SL)+.EXE-+'
Sat Nov 24 2012 18:06:27,0,macb,---a-------I---,0,0,11583,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\MSMSGS.EXE-2B6052DE.pf (Offset: 0xff0cc00)"
Mon Nov 26 2012 23:10:35,0,macb,---a-------I---,0,0,11729,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SL.EXE-010E2A23.pf (Offset: 0x311400)"
Mon Nov 26 2012 23:11:58,0,macb,---a-------I---,0,0,11730,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\GS.EXE-3796DDD9.pf (Offset: 0x311800)"

Other?

Mon Nov 26 2012 23:11:58,.a..,[ENG Registry] SECURITY\Policy\Secrets

Presenter Notes

GS.exe

SECURITY\Policy\Secrets contains Local Security Authority (LSA) secrets

cachedump

Dumps cached domain hashes from memory

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 cachedump
Volatility Foundation Volatility Framework 2.4
administrator:00c2bcc2230054581d3551a9fdcf4893:petro-market:petro-market.org
callb:178526e1cb2fdfc36d764595f1ddd0f7:petro-market:petro-market.org

Presenter Notes

Did GS.exe get LSA?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 filescan | grep -i gs.exe
Volatility Foundation Volatility Framework 2.4
0x00000000020bb938      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 dumpfiles -Q 0x020bb938 -D ENG_OUT/
Volatility Foundation Volatility Framework 2.4
ImageSectionObject 0x020bb938   None   \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
DataSectionObject 0x020bb938   None   \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
[root&jackcr-challenge]#strings -a -el ENG_OUT/file.None.0x822cf6e8.img > gsStrings
[root&jackcr-challenge]#strings -a ENG_OUT/file.None.0x822cf6e8.img >> gsStrings
[root&jackcr-challenge]#cat gs.strings
SECURITY\Policy\Secrets
rerror [
error:
info: you must run as LocalSystem to dump LSA secrets
kerberos tickets dump is not yet available
crap :)
ntdll.dll
crap#! :)
ycrap! :(
crap! :)
ycrap!? :)
[snip]
unable to start gsecdump as service
system
help
dump_all,a
dump all secrets
dump_hashes,s
dump hashes from SAM/AD
dump_lsa,l
dump lsa secrets
dump_usedhashes,u
dump hashes from active logon sessions
dump_wireless,w
dump microsoft wireless connections
help,h
show help
system,S
run as localsystem
gsecdump v0.7 by Johannes Gumbel ([email protected])
usage: gsecdump [options]

Presenter Notes

gs.exe is gsecdump (from book)

Remote File Shares

Networking executables are good indicator

Look for symlinks with symlinkscan!

  • [a-zA-Z]: are drives

Presenter Notes

Remote File Shares

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 symlinkscan | grep -i [a-zA-Z]:
Volatility Foundation Volatility Framework 2.4
0x0000000002707bd8      1      0 2012-11-26 22:03:21 UTC+0000   C:                   \Device\HarddiskVolume1
0x00000000056eb400      1      0 2012-11-26 22:03:27 UTC+0000   A:                   \Device\Floppy0
0x000000000578d4a8      1      0 2012-11-26 22:03:27 UTC+0000   D:                   \Device\CdRom0
0x0000000005aaf1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000000ab96398      1      0 2012-11-27 01:56:50 UTC+0000   R:                   \Device\LanmanRedirector\;R:0...00c21e\172.16.150.10\ITShare
0x000000000b0a3608      1      0 2012-11-27 00:48:19 UTC+0000   Z:                   \Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z
0x00000000194ffbd8      1      0 2012-11-26 22:03:21 UTC+0000   C:                   \Device\HarddiskVolume1
0x00000000196f0bd8      1      0 2012-11-26 22:03:21 UTC+0000   C:                   \Device\HarddiskVolume1
0x000000001c8931b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001ce5c1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001d2cf1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001d4e21b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001d7d51b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001db881b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001ddbb1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001e2501b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001e6ad1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32

Presenter Notes

Network Share In Timeline

Tue Nov 27 2012 00:48:19,.a..,[ENG Registry] $$$PROTO.HIV\Network
Tue Nov 27 2012 00:48:19,macb,[ENG SYMLINK]     Z:->\Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z    POffset: 185218568/tr: 1/Hnd: 0
Tue Nov 27 2012 00:49:28,.a..,[ENG Registry] $$$PROTO.HIV\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2##172.16.223.47#z

Network drives are in Network\ key

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 printkey -K "network\z"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: z (S)
Last updated: 2012-11-27 00:48:20 UTC+0000

Subkeys:

Values:
REG_SZ        RemotePath      : (S) \\172.16.223.47\z
REG_SZ        UserName        : (S) PETRO-MARKET\ENG-USTXHOU-148$
REG_SZ        ProviderName    : (S) Microsoft Windows Network
REG_DWORD     ProviderType    : (S) 131072 #LanMan
REG_DWORD     ConnectionType  : (S) 1      #drive redirection
REG_DWORD     DeferFlags      : (S) 4      #DeferFlags (creds saved)

Presenter Notes

Scheduled Jobs

Tue Nov 27 2012 01:26:47,macb,[ENG MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x10b97800)

System5.bat is resident in the MFT

[root&jackcr-challenge]#cat ENG_FILES/*0x10b97800* -n
 1  @echo off
 2  copy c:\windows\webui\wc.exe c:\windows\system32
 3  at 19:30 wc.exe -e -o h.out

At.exe schedules jobs

Tue Nov 27 2012 01:27:03,macb,[ENG MFT FILE_NAME] WINDOWS\Tasks\At1.job (Offset: 0x12ab2000)
Tue Nov 27 2012 01:27:03,macb,[ENG MFT FILE_NAME] WINDOWS\Prefetch\AT.EXE-2770DD18.pf (Offset: 0x12ab2400)

Presenter Notes

More Scheduled Jobs

Microsoft\SchedulingAgent gets updated with jobs

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 printkey -K "Microsoft\SchedulingAgent"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: SchedulingAgent (S)
Last updated: 2012-11-27 01:30:00 UTC+0000

Subkeys:

Values:
REG_EXPAND_SZ TasksFolder     : (S) %SystemRoot%\Tasks
REG_EXPAND_SZ LogPath         : (S) %SystemRoot%\SchedLgU.Txt
REG_DWORD     MinutesBeforeIdle : (S) 15
REG_DWORD     MaxLogSizeKB    : (S) 32
REG_SZ        OldName         : (S) ENG-USTXHOU-148
REG_DWORD     DataVersion     : (S) 3
REG_DWORD     PriorDataVersion : (S) 0
REG_BINARY    LastTaskRun     : (S)
0x00000000  dc 07 0b 00 01 00 1a 00 13 00 1e 00 01 00 00 00   ................

Presenter Notes

LastTaskRun is updated when a task runs!

Wc.exe?

[root&jackcr-challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i h.out
Tue Nov 27 2012 01:30:00,560,macb,,0,0,11742,[ENG MFT FILE_NAME] WINDOWS\system32\h.out (Offset: 0x12ab2800)
[root&jackcr-challenge]#cat ENG_FILES/*0x12ab2800*
callb:PETRO-MARKET:115B24322C11908C85140F5D33B6232F:40D1D232D5F731EA966
913EA458A16E7
ENG-USTXHOU-148$:PETRO-MARKET:00000000000000000000000000000000:D6717F1E
5252FA87ED40AF8C46D8B1E2
sysbackup:current:C2A3915DF2EC79EE73108EB48073ACB7:E7A6F270F1BA562A90E2
C133A95D2057

Presenter Notes

Other machines also infected?

Look for SYMANTEC-1.43-1[2].EXE on all machines!

  • initial infection vector


[root&jackcr-challenge]#grep -Hi symantec IIS_all FLD_all | cut -d\| -f1,2
FLD_all:0|[MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-330FB7E3.pf
(Offset: 0x1d75cc00)

Looking into FLD-SARIYADH-43, 6to4 was also created and some artifacts are similar.

  • Some do differ, though

Presenter Notes

More Batch on FLD

Tue Nov 27 2012 00:31:39,macb,[FLD MFT FILE_NAME] WINDOWS\system1.bat
(Offset: 0x1787f000)
Tue Nov 27 2012 00:33:32,macb,[FLD MFT FILE_NAME]
WINDOWS\Prefetch\PS.EXE-09745CC1.pf (Offset: 0x1787f400)
Tue Nov 27 2012 00:43:45,macb,[FLD MFT FILE_NAME] WINDOWS\system6.bat
(Offset: 0x1787f800)
Tue Nov 27 2012 00:43:45,macb,[FLD MFT STD_INFO] WINDOWS\system6.bat
(Offset: 0x1787f800)
Tue Nov 27 2012 00:53:29,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system2.bat
(Offset: 0x1787fc00)
Tue Nov 27 2012 00:59:00,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system3.bat
(Offset: 0x1b773000)
Tue Nov 27 2012 01:04:59,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system4.bat
(Offset: 0x1b773400)
Tue Nov 27 2012 01:19:41,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system5.bat
(Offset: 0x1b773800)
[root&jackcr-challenge]#cat *0x1787f000*
@echo off
mkdir c:\windows\webui
net share z=c:\windows\webui /GRANT:sysbackup,FULL
[root&jackcr-challenge]#cat *0x1787f800*
@echo off
ipconfig /all >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
[snip]

Presenter Notes

Data Exfil?

[root&jackcr-challenge]#cat *0x1b773400*
@echo off
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r
c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll

Presenter Notes

Theories

Lots of indicators of compromise

New services, malicious executable ran, files zipped...

Did anything get exfiltrated?

What about network traffic?

Presenter Notes

Pcap

Recall 58.64.132.141 was the IDS alert

[root&jackcr-challenge]#cat networking.body | tr -d '\000' | grep 58.64.132.141
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP SYN packet 172.16.150.20:1097 -> 58.64.132.141:80
seq [2669490555] (file: jackcr-challenge.pcap)  
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP packet flags [0x10: ACK ] 172.16.150.20:1097    -> 58.64.132.141:80 seq [2669490556] (file: jackcr-challenge.pcap)
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP packet flags [0x10: ACK ] 172.16.150.20:1097-> 58.64.132.141:80 seq [2669490715] (file: jackcr-challenge.pcap)

Presenter Notes

Traffic is encoded

Gh0st RAT can be decoded with ChopShop a Protocol Analysis/Decoder Framework.

Requires some dependencies...

[root&pynids]#git clone https://github.com/MITRECND/pynids && cd pynids
[root&pynids]#chmod +x setup.py
[root&pynids]#./setup.py build && ./setup.py install

Then Run it!

[root&jackcr-challenge]#/opt/chopshop/chopshop -f jackcr-challenge.pcap gh0st_decode -F decrypted.txt
[root&jackcr-challenge]#cat decrypted.txt
TOKEN: LOGIN: eng-ustxhou-148: Windows XP Service Pack 3 - Build: 2600 - Clock: 3056 Mhz - IP: 172.16.150.20 Webcam: no
COMMAND: ACTIVED
COMMAND: SHELL
TOShutting Down Modules ...
        Shutting Down gh0st_decode
Module Shutdown Complete ...
ChopShop Complete

Presenter Notes

Traffic is now decrypted

Look at all the things...

    ipconfig

    Windows IP Configuration
    Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix  . :
            IP Address. . . . . . . . . . . . : 172.16.150.20
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 172.16.150.2

C:\WINDOWS\webui>

net view >> netuse.dll


net view >> netuse.dll

wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa ([email protected])
Use -h for help.

Changing NTLM credentials of current logon session (000003E7h) to:
Username: sysbackup
domain: current
LMHash: c2a3915df2ec79ee73108eb48073acb7
NTHash: e7a6f270f1ba562a90e2c133a95d2057
NTLM credentials successfully changed!

C:\WINDOWS\webui>

net use z: \\172.16.223.47\z

Presenter Notes

Uploading files

[snip]
COMMAND: FILE SIZE (C:\WINDOWS\ps.exe: 381816)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
[snip]
COMMAND: FILE SIZE (C:\WINDOWS\webui\gs.exe: 303104)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE

Presenter Notes

Book Section

The book used a modified gh0st_decode module that put pcap information into a timeline...

$ chopshop -f jackcr-challenge.pcap gh0st_decode_body -F decrypted.body
Mon Nov 26 2012 23:07:31,macb,[Gh0st Decode]
172.16.150.20:1098->58.64.132.141:80 SHELL: ipconfig /all >> netuse.dll
Mon Nov 26 2012 23:07:31,.a..,[ENG MFT STD_INFO] WINDOWS\system32\iertutil.dll
(Offset: 0x5ba2800)
Mon Nov 26 2012 23:07:31,.a..,[ENG MFT STD_INFO] WINDOWS\system32\urlmon.dll
(Offset: 0x328a800)

Presenter Notes

Winrar

Winrar into netstat.dll!

Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode]
172.16.150.20:1238->58.64.132.141:80 COMMAND: DOWN FILES
(C:\WINDOWS\webui\netstat.dll)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode]
172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE DATA (2713)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode]
172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE DATA (8183)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode]
172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE SIZE
(C:\WINDOWS\webui\netstat.dll: 109092)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode]
172.16.150.20:1238->58.64.132.141:80 TOKEN: TRANSFER FINISH

Presenter Notes

Timeline / tl;dr for

Mon, 26 Nov 2012 14:00:08 -0600 = E-mail sent

Mon Nov 26 2012 23:01:53 : Download of Symantec-1.43-1.exe from phishing

Mon Nov 26 2012 23:01:54: Symantec-1.43-1.exe runs

Mon Nov 26 2012 23:01:54: Registry updated and 6to4 added as service, threads started on svchost.exe

Mon Nov 26 2012 23:11:58: gs.exe accessed LSA secrets

Tue Nov 27 2012 00:31:39: batch files begin to get created on FLD-SARIYADH-43

Tue Nov 27 2012 00:43:45: Batch files start to run until Tue Nov 27 2012 01:19:41

Tue Nov 27 2012 01:15:44: Data extracted

Tue Nov 27 2012 01:27:03: Z:->\Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z mapped

Tue Nov 27 2012 01:27:03: At1.job scheduled for 19:30 with wc.exe

Presenter Notes

More To gh0st

Presenter Notes

Tips

Analyze prefetch files because they often tell you when suspicious programs executed

Analyze the Shimcache registry keys

Look for the creation of unknown executable files and DLLs

Focus on network activity (newly opened ports and outgoing connections)

Look for creation of job files, which attackers often use to automate tasks

Once you have a point of reference, you can correlate events among other systems involved in the attack

Presenter Notes

End Of Course

Presenter Notes