Timelining

What

Reconstructing Events through Analysis

Develop footprints to identify tools, techniques and actors

Using Volatility and external tools

Theories + Information = ????

Timestamp formats

WinTimeStamp

  • 8-bytes
  • 100-nanosecond intervals since January 1, 1601 UTC

UnixTimeStamp

  • 4-bytes
  • seconds since January 1, 1970 UTC

DosDate

  • 4-bytes
  • Shortcut files and registry data
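An added Python example (not from the deck) that decodes the three formats above: the FILETIME quoted in the phishing mail's X-OriginalArrivalTime header later in the deck, a constructed Unix timestamp and a constructed DOS date. The DOS word order (time word first, then date word) is an assumption taken from the FAT directory entry layout.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds from 1601-01-01 to 1970-01-01 (369 years, 89 of them leap years)
EPOCH_DIFF_SECONDS = 11644473600


def filetime_to_datetime(ft):
    """64-bit count of 100 ns intervals since 1601-01-01 UTC (FILETIME)."""
    # datetime resolves microseconds, so the last digit (tens of ns) is dropped
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_unix(ft):
    """The same instant as seconds since 1970, the unit the TSK body format uses."""
    return ft // 10_000_000 - EPOCH_DIFF_SECONDS


def filetime_from_bytes(raw):
    """8 little-endian bytes, as stored in $STANDARD_INFORMATION, registry keys and shimcache."""
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ft)


def filetime_from_exchange_header(text):
    """X-OriginalArrivalTime carries FILETIME=[LOW:HIGH] as two hex DWORDs; join them."""
    low, high = (int(part, 16) for part in text.strip("[]").split(":"))
    return filetime_to_datetime((high << 32) | low)


def unix_from_bytes(raw):
    """4 little-endian bytes of seconds since 1970-01-01 UTC, read as unsigned 32-bit."""
    (ts,) = struct.unpack("<I", raw)
    return datetime.fromtimestamp(ts, timezone.utc)


def dosdate_from_bytes(raw):
    """FAT/DOS packed date-time (4 bytes). Assumed layout: time WORD then date WORD,
    as in a FAT directory entry. 2 s resolution and no zone (it is local time)."""
    time_w, date_w = struct.unpack("<HH", raw)
    return datetime(1980 + (date_w >> 9), (date_w >> 5) & 0x0F, date_w & 0x1F,
                    time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2)


if __name__ == "__main__":
    # Value quoted in the phishing mail's X-OriginalArrivalTime header
    print(filetime_from_exchange_header("[A2ABBF00:01CDCC10]"))
    # Constructed samples: Unix 2010-08-22 13:32:25 UTC and a DOS date for 2012-11-26 19:30
    print(unix_from_bytes(bytes.fromhex("e926714c")))
    print(dosdate_from_bytes(bytes.fromhex("c09b7a41")))
```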

Timestamp Sources

System Time

Process start and end times

Thread start and end times

Symlink creation

Registry key

Disk Artifacts

MRU Lists

PE compilation time

Socket creation

Event logs

Volatility and Timelining

Timeliner

timeliner --output-file=timeliner.txt --output=body

Mftparser

mftparser --output-file=mft.txt --output=body

Shellbags

shellbags --output-file=shellbags.txt --output=body

Timeliner

Creates a timeline from various artifacts in memory

Extracts a large number of artifacts and supports several output formats

Timestamps are in UTC by default! --tz for timezone

Output

  • text: Date/Time | Type | details
  • xlsx: Office 2007 Excel file with OpenPyxl. Time | Type | Item | Details | Reason
  • body: Usable with mactime from TSK
  • xml: Simile data-visualization

Timeliner

--type=EvtLog,IEHistory,ImageDate,LoadTime,Process,Shimcache,Socket,Symlink,Thread,TimeDateStamp,Userassist,_CMHIVE,_CM_KEY_BODY,_HBASE_BLOCK

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner 
2010-06-25 12:42:00 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\ln.exe|  End: 2010-10-08 03:59:17 UTC+0000
2010-08-31 08:01:28 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\mkgroup.exe|  End: 2010-10-08 03:58:54 UTC+0000
2010-08-31 08:01:28 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\mkpasswd.exe|  End: 2010-10-08 03:58:54 UTC+0000
2010-06-25 12:41:49 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\cp.exe|  End: 2010-10-08 03:59:17 UTC+0000
2010-06-25 12:42:09 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\rm.exe|  End: 2010-10-08 03:59:05 UTC+0000
1970-01-01 00:00:00 UTC+0000|[SHIMCACHE]| C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll|  End: 2010-08-27 14:49:18 UTC+0000
2010-06-25 12:41:47 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\chgrp.exe|  End: 2010-10-08 03:58:54 UTC+0000
2009-03-30 16:23:54 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\install-info.exe|  End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:41:52 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\dirname.exe|  End: 2010-10-08 03:59:16 UTC+0000
2010-08-13 16:58:31 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\sh.exe|  End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:42:18 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\test.exe|  End: 2010-10-08 03:59:15 UTC+0000
2007-07-23 21:14:24 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\gzip.exe|  End: 2010-10-08 03:59:05 UTC+0000
2010-06-25 12:41:53 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\echo.exe|  End: 2010-10-08 03:59:17 UTC+0000
2010-06-25 12:42:19 UTC+0000|[SHIMCACHE]| \??\C:\cygwin\bin\touch.exe|  End: 2010-10-08 03:59:17 UTC+0000

Event Logs

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner --type=EvtLog
Volatility Foundation Volatility Framework 2.4
2010-08-22 17:34:29 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/RSVP;QoS RSVP
2010-08-22 17:34:42 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/PSched;PSched
2010-08-22 17:34:44 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/RemoteAccess;Routing and Remote Access
2010-08-22 17:34:56 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/TermService;Terminal Services
2010-08-22 17:34:57 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/LoadPerf/1000/Info/MSDTC;MSDTC
2010-08-22 17:34:57 UTC+0000|[EVT LOG]| appevent.evt| JAN-DF663B3DBF1/N/A/MSDTC/4104/Info/N/A
[snip]

Mactime

-b <body file>
-d comma-delimited output, one event per line
-z <timezone>

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 timeliner --type=EvtLog --output=body --output-file=stuxnetEvents.body
[root&windows]#mactime -b stuxnetEvents.body -d -z UTC 
Date,Size,Type,Mode,UID,GID,Meta,File Name
Sun Aug 22 2010 13:32:25,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/EventLog/6005/Info/N/A"
Sun Aug 22 2010 13:32:25,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/EventLog/6009/Info/5.01.;2600;Service Pack 3;Uniprocessor Free"
Sun Aug 22 2010 13:32:54,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/Serial/2/Info/\Device\Serial0;\Device\Serial0"
Sun Aug 22 2010 13:32:54,0,macb,---------------,0,0,0,"[EVT LOG] sysevent.evt MACHINENAME/N/A/Serial/2/Info/\Device\Serial1;\Device\Serial1"
[snip]

Mactime

Shows a human-readable timestamp and the event

Also shows which of the four timestamps each row represents

  • m = modified time
  • a = accessed time
  • c = creation time
  • b = MFT modified time (for MFT entries)
  • . = missing
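An added Python example, not from the deck or from TSK, that re-implements the part of mactime shown above on constructed body lines: each entry is split into one row per distinct timestamp with the m/a/c/b flags, dates are rendered in a chosen zone (the -z option) and output is comma-delimited (the -d option). The sample lines and the NOTIME.PF entry are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed body-format lines (TSK 3.x layout, which timeliner/mftparser write with
# --output=body):  MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = [
    r"0|[EVT LOG] sysevent.evt MACHINENAME/N/A/EventLog/6005/Info/N/A|0|---------------|0|0|0|1282483945|1282483945|1282483945|1282483945",
    r"0|[MFT STD_INFO] WINDOWS\system32\cmd.exe (Offset: 0x3f44400)|2121|---a-----------|0|0|389120|1307050295|1200000000|1307050295|1200000000",
    r"0|[MFT FILE_NAME] WINDOWS\Prefetch\NOTIME.PF (Offset: 0x0)|77|---------------|0|0|0|0|0|0|0",
]

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "a", "m", "c", "b")


def parse_body_line(line):
    """Split one body line into its 11 fields; the four trailing ones are Unix seconds."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    entry = dict(zip(FIELDS, parts))
    for key in ("size", "a", "m", "c", "b"):
        entry[key] = int(entry[key])
    return entry


def mactime_rows(lines, utc_offset_hours=0):
    """One row per (entry, distinct timestamp). The Type column marks which of the
    m/a/c/b fields equal that timestamp; '.' means the field holds another time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    rows = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_body_line(line)
        # 0 means "no timestamp recorded" (timeliner prints it as 1970-01-01); skipped here
        for ts in sorted({entry[k] for k in "macb" if entry[k] > 0}):
            rows.append({
                "ts": ts,
                "date": datetime.fromtimestamp(ts, tz).strftime("%a %b %d %Y %H:%M:%S"),
                "size": entry["size"],
                "type": "".join(k if entry[k] == ts else "." for k in "macb"),
                "mode": entry["mode"], "uid": entry["uid"], "gid": entry["gid"],
                "meta": entry["inode"], "name": entry["name"],
            })
    # Chronological order across every source in the combined body file
    rows.sort(key=lambda r: (r["ts"], r["name"]))
    return rows


def render_delimited(rows):
    """Comma-delimited form (mactime -d), header included, file name quoted."""
    out = ["Date,Size,Type,Mode,UID,GID,Meta,File Name"]
    for r in rows:
        out.append(f'{r["date"]},{r["size"]},{r["type"]},{r["mode"]},{r["uid"]},'
                   f'{r["gid"]},{r["meta"]},"{r["name"]}"')
    return out


if __name__ == "__main__":
    for line in render_delimited(mactime_rows(SAMPLE_BODY)):
        print(line)
    # Equivalent of -z for a UTC-6 host: same events, shifted wall-clock time
    print(mactime_rows(SAMPLE_BODY, utc_offset_hours=-6)[1]["date"])
```

The cmd.exe entry comes out as two rows, "m..b" at its creation/modification time and ".ac." at its later access, which is how one file produces several lines in the mactime output shown in the deck.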

Disk Artifacts

Several can be used for timelining

NTFS $STANDARD_INFORMATION

  • Creation
  • Altered Time
  • Accessed Time

Prefetch files

  • When executables were executed

Trashed Files

  • Timestamp of removal

MFT

MFTParser and Mactime

[root&windows]#volatility -f stuxnet.vmem --profile=WinXPSP2x86 mftparser -D . --output=body --output-file=stuxnetMFT
Volatility Foundation Volatility Framework 2.4
Scanning for MFT entries and building directory, this can take a while
[root&windows]#mactime stuxnetMFT | tail
Thu Jun 02 2011 21:28:33        0 mac. -h-a----------- 0        0        10544    [MFT STD_INFO] DOCUME~1\Administrator\NTUSER~1.LOG (Offset: 0x3f7b000)
Thu Jun 02 2011 21:29:13        0 .a.. --------------- 0        0        82621    [MFT STD_INFO] Python26\Lib\lib2to3 (Offset: 0x15b45400)
                                0 .a.. --------------- 0        0        82632    [MFT STD_INFO] Python26\Lib\lib2to3\tests (Offset: 0x1eb87000)
                                0 .a.. --------------- 0        0        82643    [MFT STD_INFO] Python26\Lib\lib2to3\tests\data (Offset: 0x1ea89c00)
                                0 .a.. --------------- 0        0        82650    [MFT STD_INFO] Python26\Lib\lib2to3\tests\data\fixers (Offset: 0x11e4b800)
Thu Jun 02 2011 21:30:14        0 .a.. r-------------- 0        0        6279     [MFT STD_INFO] DOCUME~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1 (Offset: 0x236bc00)
Thu Jun 02 2011 21:31:35        0 .a.. r--a----------- 0        0        10932    [MFT STD_INFO] PROGRA~1\VMware\VMWARE~1\SUSPEN~1.BAT (Offset: 0x3fd6000)
                           389120 .ac. ---a----------- 0        0        2121     [MFT STD_INFO] WINDOWS\system32\cmd.exe (Offset: 0x3f44400)
                                0 .a.. ---a----------- 0        0        94638    [MFT STD_INFO] Documents and Settings\Administrator\Desktop\IDAPRO~1.LNK (Offset: 0x3fe9800)
Thu Jun 02 2011 21:31:36        0 m.c. -h-a----------- 0        0        3646     [MFT STD_INFO] WINDOWS\system32\config\software.LOG (Offset: 0x40c1800)

Focus Points

Prefetch: evidence of execution

  • Some Windows OS versions disable prefetch by default
  • Prefetch is disabled on SSDs

Shimcache registry keys

  • When programs were executed

Network Activity

  • Socket creation

More Focus Points

Job files

  • Jobs with "at" command

Registry Keys

  • Modified time, creation time...
  • Service creation
  • Persistence Mechanisms

Disk Artifacts

Shellbags

  • Folders a user viewed in Explorer windows
  • MRU Lists
  • Network shares

Gh0st in the Enterprise

Walk-through from the text.

Starts @ Page 543

Gh0st in the Enterprise

Forensics challenge hosted by Jack Crook for 2012 DFIR Challenge

An organization is the victim of a targeted attack and attackers moved between machines.

An IDS alert flagged traffic from ENG-USTXHOU-148 to IP 58.64.132.141

Machines:

  • ENG-USTXHOU-148: 172.16.150.20 / WinXPSP3x86
  • FLD-SARIYADH-43: 172.16.223.187 / WinXPSP3x86
  • IIS-SARIYADH-03: 172.16.223.47 / Win2003SP0x86

Timeliner

Combine timeliner output from multiple machines!

--machine adds a name to the timeline header

[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin  --profile=Win2003SP0x86 mftparser --output=body -D IIS_FILES/ --machine=IIS --output-file=challenge/IIS_mft.body

[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin --profile=Win2003SP0x86 timeliner --output=body --machine=IIS --output-file=challenge/IIS_timeliner.body


[root&jackcr-challenge]#volatility -f IIS-SARIYADH-03/memdump.bin --profile=Win2003SP0x86 shellbags --output=body --machine=IIS --output-file=challenge/IIS_shellbags.body

Do the same for all three machines. . .

Log2timeline

Extract data from

  • event logs
  • registry files
  • prefetch files
  • recycle bin
  • packet captures (pcaps)

Can be run against a disk image or against files dumped from the image

Packet Capture Data

log2timeline can create a timeline from data in a pcap

[root&jackcr-challenge]#log2timeline -f pcap -z UTC jackcr-challenge.pcap -w IIS_pcap.body

Combine all logs into one file!

[root&challenge]#cat IIS_* >> IIS_logs.body

Vector of Compromise

ENG-USTXHOU-148 appeared in the IDS alert involving IP 58.64.132.141

PID 1024 has two connections to 58.64.132.141

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin imageinfo
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.4
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 pslist -p 1024
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x820b3da0 svchost.exe            1024    680     76     1645      0      0 2012-11-26 22:03:32 UTC+0000

Executed Programs

Using the ENG_logs.body file we generated, let's look at prefetch files

[root&challenge]#grep -i pf ENG_logs.body  | grep -i exe | cut -d\| -f2
[ENG MFT FILE_NAME] WINDOWS\Prefetch\NETEXE~1.PF (Offset: 0x12d588)
[ENG MFT STD_INFO] WINDOWS\Prefetch\NETEXE~1.PF (Offset: 0x12d588)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf (Offset: 0x12d588)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SLEXE-~1.PF (Offset: 0x311400)
[ENG MFT STD_INFO] WINDOWS\Prefetch\SLEXE-~1.PF (Offset: 0x311400)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SL.EXE-010E2A23.pf (Offset: 0x311400)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\GSEXE-~1.PF (Offset: 0x311800)
[ENG MFT STD_INFO] WINDOWS\Prefetch\GSEXE-~1.PF (Offset: 0x311800)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\GS.EXE-3796DDD9.pf (Offset: 0x311800)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\PING.EXE-31216D26.pf (Offset: 0x311c00)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\MDDEXE~1.PF (Offset: 0x230ed10)
[ENG MFT STD_INFO] WINDOWS\Prefetch\MDDEXE~1.PF (Offset: 0x230ed10)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\MDD.EXE-07B34726.pf (Offset: 0x230ed10)
[ENG MFT FILE_NAME] WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf (Offset: 0x3234c00)
[snip]
[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)

Some look suspicious.... SL.EXE, GS.EXE, PS.EXE and SYMANTEC-1.43-1[2].EXE.

There is also AT.exe (scheduling) and PING and NET....

Chronological Order

Note: grep thought I had a binary file...

[root&challenge]#mactime -b ENG_logs.body -d -z UTC > ENG_logsOrdered.body
[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i symantec
26 2012 23:01:53,macb,[ENG IEHISTORY] explorer.exe->Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe PID: 284/Cache type "URL " at 0x2895000
Mon Nov 26 2012 23:01:54,0,macb,---a-------I---,0,0,11722,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset

Download of Symantec-1.43-1.exe at 23:01:53 and execution of it at 23:01:54....

[root&challenge]#whois 58.64.132.8
[snip]
address:        Hong Kong
[snip]

E-mail artifacts

Running strings on the memdump shows an e-mail with the link to the Symantec executable

[root&jackcr-challenge]#strings -td -a ENG-USTXHOU-148/memdump.bin > ENG_strings.txt
[root&jackcr-challenge]#cat ENG_strings.txt | grep -i received:
34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
[root&jackcr-challenge]#cat ENG_strings.txt | grep 34435239 -B 1 -A 100
34435204         Mon, 26 Nov 2012 14:00:08 -0600
34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
34435306        by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
34435388        Mon, 26 Nov 2012 15:00:07 -0500
34435422 Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
34435477 From: "Security Department" <[email protected]>
34435531 To: <[email protected]>, <[email protected]>,
34435588         <[email protected]>
34435624 Subject: Immediate Action
34435651 Date: Mon, 26 Nov 2012 14:59:38 -0500
34435690 MIME-Version: 1.0
34435709 Content-Type: multipart/alternative;
34435747        boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
34435802 X-Priority: 3
34435817 X-MSMail-Priority: Normal
34435844 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
34435896 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
34435954 Return-Path: [email protected]
34435991 X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
34436078 This is a multi-part message in MIME format.
34436126 ------=_NextPart_000_0015_01CDCBE6.A7B92DE0
34436171 Content-Type: text/plain;
34436198        charset="iso-8859-1"
34436221 Content-Transfer-Encoding: quoted-printable
34436268 Attn: Immediate Action is Required!!
34436308 The IS department is requiring that all associates update to the new =
34436380 version of anti-virus.  This is critical and must be done ASAP!  Failure =
34436456 to update anti-virus may result in negative actions.
34436512 Please download the new anti-virus and follow the instructions.  Failure =
34436588 to install this anti-virus may result in loosing your job!
34436650 Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
34436720 Regards,
34436730 The IS Department

Lolz

Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus.  This is critical and must be done ASAP!  Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions.  Failure =
to install this anti-virus may result in loosing your job!
Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
Regards,
The IS Department

Anything else near file download?

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i 23:01:54
Mon Nov 26 2012 23:01:54,0,macb,---a-------I---,0,0,11722,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)"
Mon Nov 26 2012 23:01:54,100895,.ac.,---a-----------,0,0,8610,"[ENG MFT FILE_NAME] WINDOWS\system32\6to4ex.dll (Offset: 0x324c800)"
Mon Nov 26 2012 23:01:54,100895,.ac.,-h-------------,0,0,8610,"[ENG MFT STD_INFO] WINDOWS\system32\6to4ex.dll (Offset: 0x324c800)"

6to4ex.dll seems odd...

Registry Artifacts

Extract registry hives with dumpfiles and use timeline.py from python-registry

#!/bin/bash
# Dump the registry hives out of the memory image with Volatility's dumpfiles
# plugin, run python-registry's timeline.py over each hive, and tag the
# resulting body-format lines with the machine's short name.
volatility=/opt/volatility-2.4/volatility-2.4/vol.py
timeline=/opt/python-registry/sample/timeline.py
file=jackcr-challenge/ENG-USTXHOU-148/memdump.bin
loc=challenge/REG/ENG-USTXHOU-148/
# Short machine name (ENG) used as the timeline label: command substitution,
# not a literal string
short=$(echo ENG-USTXHOU-148 | cut -d\- -f1)
# Scratch and output files live beside $loc, not inside it, so find below
# does not feed them back into timeline.py
tmp=${loc%/}.temp
out=${loc%/}.registry.body
mkdir -p "$loc"
for i in config.system config.security config.sam \
         config.default config.software ntuser.dat usrclass.dat
do
    # -i: case-insensitive, -r: regex on the file name, anchored at the end
    "$volatility" -f "$file" --profile WinXPSP2x86 dumpfiles -i -r "$i\$" -D "$loc"
done
# timeline.py --body emits one body-format line per key; the redirect applies
# to the whole find, so every hive lands in one scratch file
find "$loc" -type f -exec python "$timeline" --body '{}' \; >> "$tmp"
# timeline.py labels entries "[Registry None]"; swap None for the machine tag
sed "s/\[Registry None/\[$short Registry/" "$tmp" >> "$out"
rm -f "$tmp"

6to4ex.dll

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i 23:01:54
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_6TO4
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_6TO4\0000
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Services\6to4\Parameters
Mon Nov 26 2012 23:01:54,.a..,[ENG Registry]
$$$PROTO.HIV\ControlSet001\Services\6to4\Security

More enumeration

The service DLL is hosted by svchost.exe

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 printkey -K "ControlSet001\Services\6to4"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: 6to4 (S)
Last updated: 2012-11-26 23:01:55 UTC+0000

Subkeys:
  (S) Parameters
  (S) Security
  (V) Enum

Values:
REG_DWORD     Type            : (S) 288
REG_DWORD     Start           : (S) 2
REG_DWORD     ErrorControl    : (S) 1
REG_EXPAND_SZ ImagePath       : (S) %SystemRoot%\System32\svchost.exe -k netsvcs
REG_SZ        DisplayName     : (S) Microsoft Device Manager
REG_SZ        ObjectName      : (S) LocalSystem
REG_SZ        Description     : (S) Service Description

Parameters?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP2x86 printkey -K "ControlSet001\Services\6to4\Parameters"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: Parameters (S)
Last updated: 2012-11-26 23:01:54 UTC+0000

Subkeys:

Values:
REG_EXPAND_SZ ServiceDll      : (S) C:\WINDOWS\system32\6to4ex.dll

Other events around 23:01:54?

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep 23:01:54
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 276
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 508
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 528
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 536
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 652
Mon Nov 26 2012 23:01:54,.acb,[ENG THREAD] svchost.exe PID: 1024/TID: 936

DLL Loaded?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 dlllist -p 1024
Volatility Foundation Volatility Framework 2.4
************************************************************************
svchost.exe pid:   1024
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\WINDOWS\System32\svchost.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
[snip]
0x10000000    0x1c000        0x1 c:\windows\system32\6to4ex.dll

Service load order?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 svcscan
Offset: 0x389d60
Order: 228
Start: SERVICE_AUTO_START
Process ID: 1024
Service Name: 6to4
Display Name: Microsoft Device Manager
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Finding an Active Attacker

ipconfig.exe was used...

Mon Nov 26 2012 23:03:21,55808,.a..,---a-----------,0,0,24145,"[ENG MFT STD_INFO] WINDOWS\system32\ipconfig.exe (Offset: 0xc826400)"

WINDOWS/webui appears

Mon Nov 26 2012 23:03:10,macb,[ENG MFT FILE_NAME] WINDOWS\webui (Offset: 0x1bc21000)

net.exe was used

Mon Nov 26 2012 23:07:53,macb,[ENG MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf (Offset: 0x12d588)

Webui?

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i webui
Mon Nov 26 2012 23:03:10,0,macb,-------------D-,0,0,7556,"[ENG MFT FILE_NAME] WINDOWS\webui (Offset: 0x1bc21000)"
Mon Nov 26 2012 23:03:10,0,...b,---------------,0,0,7556,"[ENG MFT STD_INFO] WINDOWS\webui (Offset: 0x1bc21000)"
Mon Nov 26 2012 23:06:47,0,macb,---a-----------,0,0,11719,"[ENG MFT FILE_NAME] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:47,0,...b,---a-----------,0,0,11719,"[ENG MFT STD_INFO] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:48,0,mac.,---a-----------,0,0,11719,"[ENG MFT STD_INFO] WINDOWS\webui\gs.exe (Offset: 0x16267c00)"
Mon Nov 26 2012 23:06:52,0,macb,---a-----------,0,0,11723,"[ENG MFT FILE_NAME] WINDOWS\webui\ra.exe (Offset: 0x17779c00)"
Mon Nov 26 2012 23:06:52,0,macb,---a-----------,0,0,11723,"[ENG MFT STD_INFO] WINDOWS\webui\ra.exe (Offset: 0x17779c00)"
Mon Nov 26 2012 23:06:56,0,macb,---a-----------,0,0,11724,"[ENG MFT FILE_NAME] WINDOWS\webui\sl.exe (Offset: 0x1f5ff000)"
Mon Nov 26 2012 23:06:56,0,macb,---a-----------,0,0,11724,"[ENG MFT STD_INFO] WINDOWS\webui\sl.exe (Offset: 0x1f5ff000)"
Mon Nov 26 2012 23:06:59,0,macb,---a-----------,0,0,11725,"[ENG MFT FILE_NAME] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"
Mon Nov 26 2012 23:06:59,0,m.cb,---a-----------,0,0,11725,"[ENG MFT STD_INFO] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"
Mon Nov 26 2012 23:07:31,0,macb,---a-----------,0,0,11726,"[ENG MFT FILE_NAME] WINDOWS\webui\netuse.dll (Offset: 0xde4e48)"
Mon Nov 26 2012 23:07:31,0,macb,---a-----------,0,0,11726,"[ENG MFT STD_INFO] WINDOWS\webui\netuse.dll (Offset: 0xde4e48)"
Tue Nov 27 2012 00:44:16,0,m...,---a-----------,0,0,11734,"[ENG MFT STD_INFO] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:49:01,0,macb,---a-----------,0,0,11734,"[ENG MFT FILE_NAME] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:49:01,0,.acb,---a-----------,0,0,11734,"[ENG MFT STD_INFO] WINDOWS\webui\system.dll (Offset: 0x924e800)"
Tue Nov 27 2012 00:56:43,0,m...,---a-----------,0,0,11735,"[ENG MFT STD_INFO] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 00:57:20,0,macb,---a-----------,0,0,11735,"[ENG MFT FILE_NAME] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 00:57:20,0,.acb,---a-----------,0,0,11735,"[ENG MFT STD_INFO] WINDOWS\webui\svchost.dll (Offset: 0x924ec00)"
Tue Nov 27 2012 01:01:39,0,macb,---a-----------,0,0,11736,"[ENG MFT FILE_NAME] WINDOWS\webui\https.dll (Offset: 0x109cf7a8)"
Tue Nov 27 2012 01:01:39,0,macb,---a-----------,0,0,11736,"[ENG MFT STD_INFO] WINDOWS\webui\https.dll (Offset: 0x109cf7a8)"
Tue Nov 27 2012 01:11:40,0,m...,---a-----------,0,0,11737,"[ENG MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:14:48,0,macb,---a-----------,0,0,11737,"[ENG MFT FILE_NAME] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:14:48,0,.acb,---a-----------,0,0,11737,"[ENG MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"
Tue Nov 27 2012 01:26:47,0,macb,---a-----------,0,0,11738,"[ENG MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x10b97800)"
Tue Nov 27 2012 01:26:47,0,macb,---a-----------,0,0,11738,"[ENG MFT STD_INFO] WINDOWS\webui\system5.bat (Offset: 0x10b97800)"
Tue Nov 27 2012 01:26:47,0,mac.,---------------,0,0,7556,"[ENG MFT STD_INFO] WINDOWS\webui (Offset: 0x1bc21000)"
Tue Nov 27 2012 01:27:03,0,.a..,---a-----------,0,0,11725,"[ENG MFT STD_INFO] WINDOWS\webui\wc.exe (Offset: 0x1f5ff400)"

Mon Nov 26 2012 23:06:47->23:06:59

GS, RA, SL and WC.exe ran in close proximity to our compromise time of 23:01:53

[root&challenge]#cat ENG_logsOrdered.body | tr -d '\000' | egrep -i '(GS|RA|SL)+.EXE-+'
Sat Nov 24 2012 18:06:27,0,macb,---a-------I---,0,0,11583,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\MSMSGS.EXE-2B6052DE.pf (Offset: 0xff0cc00)"
Mon Nov 26 2012 23:10:35,0,macb,---a-------I---,0,0,11729,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\SL.EXE-010E2A23.pf (Offset: 0x311400)"
Mon Nov 26 2012 23:11:58,0,macb,---a-------I---,0,0,11730,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\GS.EXE-3796DDD9.pf (Offset: 0x311800)"

Other?

Mon Nov 26 2012 23:11:58,.a..,[ENG Registry] SECURITY\Policy\Secrets

GS.exe

SECURITY\Policy\Secrets contains Local Security Authority (LSA) secrets

cachedump

Dumps cached domain hashes from memory

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 cachedump
Volatility Foundation Volatility Framework 2.4
administrator:00c2bcc2230054581d3551a9fdcf4893:petro-market:petro-market.org
callb:178526e1cb2fdfc36d764595f1ddd0f7:petro-market:petro-market.org

Did GS.exe get LSA?

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 filescan | grep -i gs.exe
Volatility Foundation Volatility Framework 2.4
0x00000000020bb938      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 dumpfiles -Q 0x020bb938 -D ENG_OUT/
Volatility Foundation Volatility Framework 2.4
ImageSectionObject 0x020bb938   None   \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
DataSectionObject 0x020bb938   None   \Device\HarddiskVolume1\WINDOWS\webui\gs.exe
[root&jackcr-challenge]#strings -a -el ENG_OUT/file.None.0x822cf6e8.img > gsStrings
[root&jackcr-challenge]#strings -a ENG_OUT/file.None.0x822cf6e8.img >> gsStrings
[root&jackcr-challenge]#cat gsStrings
SECURITY\Policy\Secrets
rerror [
error:
info: you must run as LocalSystem to dump LSA secrets
kerberos tickets dump is not yet available
crap :)
ntdll.dll
crap#! :)
ycrap! :(
crap! :)
ycrap!? :)
[snip]
unable to start gsecdump as service
system
help
dump_all,a
dump all secrets
dump_hashes,s
dump hashes from SAM/AD
dump_lsa,l
dump lsa secrets
dump_usedhashes,u
dump hashes from active logon sessions
dump_wireless,w
dump microsoft wireless connections
help,h
show help
system,S
run as localsystem
gsecdump v0.7 by Johannes Gumbel ([email protected])
usage: gsecdump [options]

gs.exe is gsecdump (from book)

Remote File Shares

Networking executables are a good indicator

Look for symlinks with symlinkscan!

  • Entries of the form [a-zA-Z]: are drive letters

Remote File Shares

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 symlinkscan | grep -i [a-zA-Z]:
Volatility Foundation Volatility Framework 2.4
0x0000000002707bd8      1      0 2012-11-26 22:03:21 UTC+0000   C:                   \Device\HarddiskVolume1
0x00000000056eb400      1      0 2012-11-26 22:03:27 UTC+0000   A:                   \Device\Floppy0
0x000000000578d4a8      1      0 2012-11-26 22:03:27 UTC+0000   D:                   \Device\CdRom0
0x0000000005aaf1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000000ab96398      1      0 2012-11-27 01:56:50 UTC+0000   R:                   \Device\LanmanRedirector\;R:0...00c21e\172.16.150.10\ITShare
0x000000000b0a3608      1      0 2012-11-27 00:48:19 UTC+0000   Z:                   \Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z
0x00000000194ffbd8      1      0 2012-11-26 22:03:21 UTC+0000   C:                   \Device\HarddiskVolume1
0x00000000196f0bd8      1      0 2012-11-26 22:03:21 UTC+0000   C:                   \Device\HarddiskVolume1
0x000000001c8931b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001ce5c1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001d2cf1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001d4e21b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001d7d51b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001db881b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001ddbb1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001e2501b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32
0x000000001e6ad1b8      2      1 2012-11-26 22:03:28 UTC+0000   KnownDllPath         C:\WINDOWS\system32

Network Share In Timeline

Tue Nov 27 2012 00:48:19,.a..,[ENG Registry] $$$PROTO.HIV\Network
Tue Nov 27 2012 00:48:19,macb,[ENG SYMLINK]     Z:->\Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z    POffset: 185218568/tr: 1/Hnd: 0
Tue Nov 27 2012 00:49:28,.a..,[ENG Registry] $$$PROTO.HIV\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2##172.16.223.47#z

Mapped network drives are recorded under the Network\ key

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 printkey -K "network\z"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: z (S)
Last updated: 2012-11-27 00:48:20 UTC+0000

Subkeys:

Values:
REG_SZ        RemotePath      : (S) \\172.16.223.47\z
REG_SZ        UserName        : (S) PETRO-MARKET\ENG-USTXHOU-148$
REG_SZ        ProviderName    : (S) Microsoft Windows Network
REG_DWORD     ProviderType    : (S) 131072 #LanMan
REG_DWORD     ConnectionType  : (S) 1      #drive redirection
REG_DWORD     DeferFlags      : (S) 4      #DeferFlags (creds saved)

Scheduled Jobs

Tue Nov 27 2012 01:26:47,macb,[ENG MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x10b97800)

System5.bat is resident in the MFT

[root&jackcr-challenge]#cat ENG_FILES/*0x10b97800* -n
 1  @echo off
 2  copy c:\windows\webui\wc.exe c:\windows\system32
 3  at 19:30 wc.exe -e -o h.out

At.exe schedules jobs

Tue Nov 27 2012 01:27:03,macb,[ENG MFT FILE_NAME] WINDOWS\Tasks\At1.job (Offset: 0x12ab2000)
Tue Nov 27 2012 01:27:03,macb,[ENG MFT FILE_NAME] WINDOWS\Prefetch\AT.EXE-2770DD18.pf (Offset: 0x12ab2400)

More Scheduled Jobs

Microsoft\SchedulingAgent gets updated with jobs

[root&jackcr-challenge]#volatility -f ENG-USTXHOU-148/memdump.bin --profile=WinXPSP3x86 printkey -K "Microsoft\SchedulingAgent"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: SchedulingAgent (S)
Last updated: 2012-11-27 01:30:00 UTC+0000

Subkeys:

Values:
REG_EXPAND_SZ TasksFolder     : (S) %SystemRoot%\Tasks
REG_EXPAND_SZ LogPath         : (S) %SystemRoot%\SchedLgU.Txt
REG_DWORD     MinutesBeforeIdle : (S) 15
REG_DWORD     MaxLogSizeKB    : (S) 32
REG_SZ        OldName         : (S) ENG-USTXHOU-148
REG_DWORD     DataVersion     : (S) 3
REG_DWORD     PriorDataVersion : (S) 0
REG_BINARY    LastTaskRun     : (S)
0x00000000  dc 07 0b 00 01 00 1a 00 13 00 1e 00 01 00 00 00   ................

LastTaskRun is updated when a task runs!
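As an added example (not code from the slides or from Volatility), the Python below decodes the LastTaskRun bytes shown above. The 16 bytes are a Win32 SYSTEMTIME, which Task Scheduler writes in the host's local time. The hexdump line is copied from the slide; the UTC-6 offset in the usage line is an assumption, because the slides never state the host's time zone.

```python
"""Decode the REG_BINARY LastTaskRun value printed by Volatility's printkey.

Added example; it is not code from the original slides or from Volatility.
The 16 bytes decode as a Win32 SYSTEMTIME (eight little-endian WORDs),
which Task Scheduler writes in the host's local time.  The hexdump line
below is copied from the printkey output on the slide.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# Hexdump line exactly as Volatility printed it (copied from the slide).
HEXDUMP_LINE = ("0x00000000  dc 07 0b 00 01 00 1a 00 13 00 1e 00 01 00 00 00"
                "   ................")

SYSTEMTIME_FIELDS = ("year", "month", "day_of_week", "day",
                     "hour", "minute", "second", "milliseconds")


def hexdump_to_bytes(line: str) -> bytes:
    """Recover raw bytes from one Volatility hexdump line.

    Layout is '<offset>  <up to 16 hex pairs>   <ascii column>'; the
    offset is dropped and reading stops at the first token that is not
    exactly two hex digits, which is where the ASCII column starts.
    """
    raw = bytearray()
    for tok in line.split()[1:]:
        if len(raw) == 16 or not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            break
        raw.append(int(tok, 16))
    return bytes(raw)


def parse_systemtime(raw: bytes) -> dict:
    """Unpack a SYSTEMTIME: wYear, wMonth, wDayOfWeek (0 = Sunday), wDay,
    wHour, wMinute, wSecond, wMilliseconds, all 16-bit little-endian."""
    if len(raw) < 16:
        raise ValueError(f"SYSTEMTIME needs 16 bytes, got {len(raw)}")
    return dict(zip(SYSTEMTIME_FIELDS, struct.unpack("<8H", raw[:16])))


def weekday_consistent(st: dict) -> bool:
    """Sanity check: wDayOfWeek must agree with the calendar date.  A
    mismatch means the bytes are not a SYSTEMTIME (or are corrupt)."""
    calendar_dow = (datetime(st["year"], st["month"], st["day"]).weekday() + 1) % 7
    return calendar_dow == st["day_of_week"]


def systemtime_to_datetime(st: dict, utc_offset_hours: float) -> datetime:
    """Attach the host's local UTC offset.  The offset is NOT stored in the
    registry value; the analyst supplies it (an assumption)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime(st["year"], st["month"], st["day"], st["hour"],
                    st["minute"], st["second"], st["milliseconds"] * 1000,
                    tzinfo=tz)


def last_task_run_utc(line: str, utc_offset_hours: float) -> str:
    """Hexdump line -> 'YYYY-MM-DD HH:MM:SS UTC', the form the MFT timeline uses."""
    st = parse_systemtime(hexdump_to_bytes(line))
    if not weekday_consistent(st):
        raise ValueError(f"day-of-week mismatch, not a SYSTEMTIME: {st}")
    local = systemtime_to_datetime(st, utc_offset_hours)
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    print("local SYSTEMTIME:", parse_systemtime(hexdump_to_bytes(HEXDUMP_LINE)))
    # Assumed offset: UTC-6 (the host name suggests Texas; not stated on the slide).
    print("as UTC, assuming UTC-6:", last_task_run_utc(HEXDUMP_LINE, -6))
```

Decoded, the value reads 2012-11-26 19:30:01 local time, which is the 19:30 at job firing. With the assumed UTC-6 offset that becomes 01:30:01 UTC, one second after the h.out MFT entry and the key's own "Last updated" stamp; this is how a registry value that carries no time zone gets placed on the UTC timeline, and the day-of-week check catches bytes that merely look like a date.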

Wc.exe?

[root&jackcr-challenge]#cat ENG_logsOrdered.body | tr -d '\000' | grep -i h.out
Tue Nov 27 2012 01:30:00,560,macb,,0,0,11742,[ENG MFT FILE_NAME] WINDOWS\system32\h.out (Offset: 0x12ab2800)
[root&jackcr-challenge]#cat ENG_FILES/*0x12ab2800*
callb:PETRO-MARKET:115B24322C11908C85140F5D33B6232F:40D1D232D5F731EA966913EA458A16E7
ENG-USTXHOU-148$:PETRO-MARKET:00000000000000000000000000000000:D6717F1E5252FA87ED40AF8C46D8B1E2
sysbackup:current:C2A3915DF2EC79EE73108EB48073ACB7:E7A6F270F1BA562A90E2C133A95D2057

Other machines also infected?

Look for SYMANTEC-1.43-1[2].EXE on all machines!

  • initial infection vector


[root&jackcr-challenge]#grep -Hi symantec IIS_all FLD_all | cut -d\| -f1,2
FLD_all:0|[MFT FILE_NAME] WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-330FB7E3.pf (Offset: 0x1d75cc00)

Looking into FLD-SARIYADH-43, the 6to4 service was also created there and some of the artifacts are similar.

  • Some do differ, though

More Batch on FLD

Tue Nov 27 2012 00:31:39,macb,[FLD MFT FILE_NAME] WINDOWS\system1.bat (Offset: 0x1787f000)
Tue Nov 27 2012 00:33:32,macb,[FLD MFT FILE_NAME] WINDOWS\Prefetch\PS.EXE-09745CC1.pf (Offset: 0x1787f400)
Tue Nov 27 2012 00:43:45,macb,[FLD MFT FILE_NAME] WINDOWS\system6.bat (Offset: 0x1787f800)
Tue Nov 27 2012 00:43:45,macb,[FLD MFT STD_INFO] WINDOWS\system6.bat (Offset: 0x1787f800)
Tue Nov 27 2012 00:53:29,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system2.bat (Offset: 0x1787fc00)
Tue Nov 27 2012 00:59:00,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system3.bat (Offset: 0x1b773000)
Tue Nov 27 2012 01:04:59,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system4.bat (Offset: 0x1b773400)
Tue Nov 27 2012 01:19:41,macb,[FLD MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x1b773800)
[root&jackcr-challenge]#cat *0x1787f000*
@echo off
mkdir c:\windows\webui
net share z=c:\windows\webui /GRANT:sysbackup,FULL
[root&jackcr-challenge]#cat *0x1787f800*
@echo off
ipconfig /all >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
[snip]

Data Exfil?

[root&jackcr-challenge]#cat *0x1b773400*
@echo off
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll

Theories

Lots of indicators of compromise

New services, malicious executable ran, files zipped...

Did anything get exfiltrated?

What about network traffic?

Pcap

Recall 58.64.132.141 was the IDS alert

[root&jackcr-challenge]#cat networking.body | tr -d '\000' | grep 58.64.132.141
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP SYN packet 172.16.150.20:1097 -> 58.64.132.141:80 seq [2669490555] (file: jackcr-challenge.pcap)
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP packet flags [0x10: ACK ] 172.16.150.20:1097 -> 58.64.132.141:80 seq [2669490556] (file: jackcr-challenge.pcap)
Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP packet flags [0x10: ACK ] 172.16.150.20:1097 -> 58.64.132.141:80 seq [2669490715] (file: jackcr-challenge.pcap)

Traffic is encoded

Gh0st RAT traffic can be decoded with ChopShop, a protocol analysis/decoder framework.

Requires some dependencies...

[root&pynids]#git clone https://github.com/MITRECND/pynids && cd pynids
[root&pynids]#chmod +x setup.py
[root&pynids]#./setup.py build && ./setup.py install

Then Run it!

[root&jackcr-challenge]#/opt/chopshop/chopshop -f jackcr-challenge.pcap gh0st_decode -F decrypted.txt
[root&jackcr-challenge]#cat decrypted.txt
TOKEN: LOGIN: eng-ustxhou-148: Windows XP Service Pack 3 - Build: 2600 - Clock: 3056 Mhz - IP: 172.16.150.20 Webcam: no
COMMAND: ACTIVED
COMMAND: SHELL
TOShutting Down Modules ...
        Shutting Down gh0st_decode
Module Shutdown Complete ...
ChopShop Complete

Traffic is now decrypted

Look at all the things...

    ipconfig

    Windows IP Configuration
    Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix  . :
            IP Address. . . . . . . . . . . . : 172.16.150.20
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 172.16.150.2

C:\WINDOWS\webui>

net view >> netuse.dll


net view >> netuse.dll

wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa ([email protected])
Use -h for help.

Changing NTLM credentials of current logon session (000003E7h) to:
Username: sysbackup
domain: current
LMHash: c2a3915df2ec79ee73108eb48073acb7
NTHash: e7a6f270f1ba562a90e2c133a95d2057
NTLM credentials successfully changed!

C:\WINDOWS\webui>

net use z: \\172.16.223.47\z

Uploading files

[snip]
COMMAND: FILE SIZE (C:\WINDOWS\ps.exe: 381816)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE
[snip]
COMMAND: FILE SIZE (C:\WINDOWS\webui\gs.exe: 303104)
TOKEN: DATA CONTINUE
COMMAND: FILE DATA (8183)
TOKEN: DATA CONTINUE

Book Section

The book used a modified gh0st_decode module that writes the decoded pcap events in body format, so they can be merged into the same timeline as the MFT entries...

$ chopshop -f jackcr-challenge.pcap gh0st_decode_body -F decrypted.body
Mon Nov 26 2012 23:07:31,macb,[Gh0st Decode] 172.16.150.20:1098->58.64.132.141:80 SHELL: ipconfig /all >> netuse.dll
Mon Nov 26 2012 23:07:31,.a..,[ENG MFT STD_INFO] WINDOWS\system32\iertutil.dll (Offset: 0x5ba2800)
Mon Nov 26 2012 23:07:31,.a..,[ENG MFT STD_INFO] WINDOWS\system32\urlmon.dll (Offset: 0x328a800)
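The merge step the modified module enables, as an added example that is not code from the slides, Volatility, TSK or ChopShop: a small Python parser for the two mactime line layouts that appear on these slides (the 3-column "date,macb,[Source] detail" form and the 8-column "mactime -d" form with size, mode, uid, gid and meta), which sorts MFT entries from both hosts together with the decoded Gh0st and pcap events and lets you pivot on one artifact to see what happened around it on every host. The sample lines are copied from the slides; the host grouping rule (first word of an "... MFT ..." source tag) is an assumption based on how the slides label their sources.

```python
"""Merge MFT timelines from several hosts with decoded network events.

Added example; not code from the original slides, Volatility, TSK or
ChopShop.  It parses the two mactime line layouts that appear on the
slides and sorts everything into one timeline, which is the step the
modified gh0st_decode_body module makes possible.  The sample lines are
copied from the slides.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# 3-column form:            'date,macb,[Source] detail'
# 8-column 'mactime -d' form: 'date,size,macb,mode,uid,gid,meta,[Source] detail'
MACB_RE = re.compile(r"[m.][a.][c.][b.]")
SOURCE_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$", re.DOTALL)

SAMPLE_LINES = [  # copied from the slides, deliberately out of order
    r"Tue Nov 27 2012 01:26:47,macb,[ENG MFT FILE_NAME] WINDOWS\webui\system5.bat (Offset: 0x10b97800)",
    r"Tue Nov 27 2012 01:27:03,macb,[ENG MFT FILE_NAME] WINDOWS\Tasks\At1.job (Offset: 0x12ab2000)",
    r"Tue Nov 27 2012 01:30:00,560,macb,,0,0,11742,[ENG MFT FILE_NAME] WINDOWS\system32\h.out (Offset: 0x12ab2800)",
    r"Mon Nov 26 2012 23:07:31,macb,[Gh0st Decode] 172.16.150.20:1098->58.64.132.141:80 SHELL: ipconfig /all >> netuse.dll",
    r"Mon Nov 26 2012 23:07:31,.a..,[ENG MFT STD_INFO] WINDOWS\system32\iertutil.dll (Offset: 0x5ba2800)",
    r"Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: TRANSFER FINISH",
    r"Tue Nov 27 2012 00:31:39,macb,[FLD MFT FILE_NAME] WINDOWS\system1.bat (Offset: 0x1787f000)",
    r"Mon Nov 26 2012 23:01:58,0,macb,0,0,0,108494,[PCAP file] (Time Written) <172.16.150.20> TCP SYN packet 172.16.150.20:1097 -> 58.64.132.141:80 seq [2669490555] (file: jackcr-challenge.pcap)",
]


@dataclass
class Event:
    when: datetime
    macb: str
    source: str   # text inside [...]: 'ENG MFT FILE_NAME', 'Gh0st Decode', 'PCAP file'
    detail: str
    host: str     # 'ENG', 'FLD', ... for MFT sources, 'network' otherwise


def host_of(source: str) -> str:
    """Per-host MFT sources are tagged 'HOST MFT ...' on the slides (assumed
    convention); pcap and Gh0st sources carry no host and become 'network'."""
    return source.split()[0] if " MFT " in source else "network"


def parse_line(line: str) -> Event:
    fields = line.rstrip("\n").split(",")
    when = datetime.strptime(" ".join(fields[0].split()), "%a %b %d %Y %H:%M:%S")
    if MACB_RE.fullmatch(fields[1]):                              # 3-column layout
        macb, rest = fields[1], ",".join(fields[2:])
    elif len(fields) >= 8 and MACB_RE.fullmatch(fields[2]):       # mactime -d layout
        macb, rest = fields[2], ",".join(fields[7:])
    else:
        raise ValueError(f"unrecognised timeline line: {line!r}")
    m = SOURCE_RE.match(rest)
    if m is None:
        raise ValueError(f"missing [Source] tag: {line!r}")
    source, detail = m.group(1), m.group(2).strip()
    return Event(when, macb, source, detail, host_of(source))


def merge_timelines(lines: Iterable[str]) -> List[Event]:
    """Parse and order by time; sorted() is stable, so events sharing a
    timestamp keep their input order (blank lines are skipped)."""
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.when)


def events_near(events: List[Event], needle: str, window_seconds: int) -> List[Event]:
    """Pivot on the first event whose detail contains needle and return every
    event from any host within +/- window_seconds of it, in time order."""
    pivot = next((e for e in events if needle in e.detail), None)
    if pivot is None:
        return []
    delta = timedelta(seconds=window_seconds)
    return [e for e in events if abs(e.when - pivot.when) <= delta]


if __name__ == "__main__":
    for e in merge_timelines(SAMPLE_LINES):
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.macb} {e.host:<7} [{e.source}] {e.detail}")
    print("--- within 5 minutes of h.out ---")
    for e in events_near(merge_timelines(SAMPLE_LINES), "h.out", 300):
        print(f"{e.when:%H:%M:%S} {e.host} {e.detail}")
```

Pivoting on h.out with a five-minute window returns only the three ENG entries (system5.bat, At1.job, h.out), while the Gh0st TRANSFER FINISH fifteen minutes earlier falls outside it; widening the window or pivoting on netstat.dll is how the "point of reference" tip at the end of the deck is put into practice across hosts.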

Winrar

The WinRAR archive written to netstat.dll is then downloaded over the Gh0st channel!

Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 COMMAND: DOWN FILES (C:\WINDOWS\webui\netstat.dll)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE DATA (2713)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE DATA (8183)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: FILE SIZE (C:\WINDOWS\webui\netstat.dll: 109092)
Tue Nov 27 2012 01:15:44,macb,[Gh0st Decode] 172.16.150.20:1238->58.64.132.141:80 TOKEN: TRANSFER FINISH

Timeline / tl;dr for

Mon, 26 Nov 2012 14:00:08 -0600 = E-mail sent

Mon Nov 26 2012 23:01:53: Download of Symantec-1.43-1.exe from phishing

Mon Nov 26 2012 23:01:54: Symantec-1.43-1.exe runs

Mon Nov 26 2012 23:01:54: Registry updated and 6to4 added as service, threads started on svchost.exe

Mon Nov 26 2012 23:11:58: gs.exe accessed LSA secrets

Tue Nov 27 2012 00:31:39: batch files begin to get created on FLD-SARIYADH-43

Tue Nov 27 2012 00:43:45: Batch files start to run until Tue Nov 27 2012 01:19:41

Tue Nov 27 2012 01:15:44: Data extracted

Tue Nov 27 2012 01:27:03: Z:->\Device\LanmanRedirector\;Z:00000000000003e7\172.16.223.47\z mapped

Tue Nov 27 2012 01:27:03: At1.job scheduled for 19:30 with wc.exe

More To gh0st

Tips

Analyze prefetch files because they often tell you when suspicious programs executed

Analyze the Shimcache registry keys

Look for the creation of unknown executable files and DLLs

Focus on network activity (newly opened ports and outgoing connections)

Look for creation of job files, which attackers often use to automate tasks

Once you have a point of reference, you can correlate events among other systems involved in the attack

End Of Course