IR Event Log Analysis

Similar documents

Protection from Kerberos Golden Ticket

SB34: Event Logs Don t Lie: Step-by-Step Security. Rick Simonds, Sage Data Security

Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005

WINDOWS SPLUNK LOGGING CHEAT SHEET - Win 7 - Win2012

Using TS-ACCESS for Remote Desktop Access

Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store

Why You Need to Detect More Than PtH. Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7

User Guide - escan for Linux File Server

User Rights vjj 1

Downloading the UHVPN Client and setting up Cisco VPN on Windows 7

This guide provides all of the information necessary to connect to MoFo resources from outside of the office

Basic principles of infrastracture security Impersonation, delegation and code injection

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

User Guide. Version R91. English

FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI

A Guide to New Features in Propalms OneGate 4.0

Remote Access via Appgate for School Users

Facility Online Manager

White Paper. PCI Guidance: Microsoft Windows Logging

SIEMENS. Sven Lehmberg. ZT IK 3, Siemens CERT. Siemens AG 2000 Siemens CERT Team / 1

Internet Address: cloud.ndcl.org

Performing Advanced Incident Response Interactive Exercise

Egnyte Single Sign-On (SSO) Installation for OneLogin

Stalking Hackers with Core Splunk. Derek Arnold, CISSP Senior Splunk Consultant

Installing Microsoft Outlook on a Macintosh. This document explains how to download, install and configure Microsoft Outlook on a Macintosh.

RSA Security Anatomy of an Attack Lessons learned

Working in Park City Group s Extranet

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Active Directory Authentication Integration

Malwarebytes Enterprise Edition Best Practices Guide Version March 2014

TECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations

User Behavior Analytics: A New Approach to Detection and Response

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

White Paper. Support for the HIPAA Security Rule PowerScribe 360

Recommended Solutions for Installing Symantec Endpoint Protection 12.1.x in Shared and PvD Virtual Machines

Accessing the SUNYIT wireless network for the first time

Remote Administration

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

finding malware on compromised Windows machines

Contents. VPN Instructions. VPN Instructions... 1

Date 09/05/ :13:32. CENTREL Solutions. Author. Version Product XIA Configuration Server [ ]

RSA Security Analytics

Additional Security Considerations and Controls for Virtual Private Networks

Modern Approach to Incident Response: Automated Response Architecture

IMS Health Secure Outlook Web Access Portal. Quick Setup

SECURING YOUR REMOTE DESKTOP CONNECTION

escan SBS 2008 Installation Guide

Webmail Access. Contents

Standard: Event Monitoring

NetSpective Logon Agent Guide for NetAuditor

SonicWALL SSL-VPN 2.5: NetExtender

NETWRIX ACCOUNT LOCKOUT EXAMINER

NT Authentication Configuration Guide

HIPAA Security Matrix

Indumathi B & Ingo Engels 18 November 2015

Migrating Your Windows File Server to a CTERA Cloud Gateway. Cloud Attached Storage. February 2015 Version 4.1

Remote Web Access (vpn)

Quick Start Guide HOSTED VERSION

Finding Advanced AFacks and Malware With Only 6 Windows EventID s

YSU Secure Wireless Connect Guide Windows XP Home/Professional/Media Center/Tablet PC Edition

APPLICATION PROGRAMMING INTERFACE

Introduction to Endpoint Security

Requesting and Using an Admin Apps Virtual Desktop for Advantage

PROCESSES LOADER 9.0 SETTING. Requirements and Assumptions: I. Requirements for the batch process:

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

How to Launch WebXtender for BDM. Banner Document Management (BDM)

How To Use The Tzworks Eventlog Parser (Evtwalk) On A Pc Or Mac Or Mac (Windows) With A Microsoft Powerbook Or Ipad (Windows Xp) With An Ipad Or Ipa (Windows 2

Comodo LoginPro Software Version 1.5

Configuring User Identification via Active Directory

Blackbaud FundWare Installation and Update Guide VERSION 7.60, JULY 2010

TZWorks Windows Event Log Viewer (evtx_view) Users Guide

USM IT Security Council Guide for Security Event Logging. Version 1.1

CONNECT-TO-CHOP USER GUIDE

SHC Client Remote Access User Guide for Citrix & F5 VPN Edge Client

Guide: Using Citrix for Home/ Office

Enterprise Remote Control 5.6 Manual

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

ILTA HANDS ON Securing Windows 7

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

RemoteLab 2.0 Admin Guide

qliqdirect Active Directory Guide

InSciTek Microsystems 635 Cross Keys Park Fairport, NY Setting up Your Phones

How to Provide Cloud Storage for AD Users

Data Fusion Enhancing NetFlow Graph Analytics

ITSC ServiceDesk User Guide. For. End-User Inquiry Submission

523 Non-ThinManager Components

User Manual. LS-XHL and LS-CHL LinkStation Pro and Live Models ver.01 v2.2

Terminal Services Tools and Settings - Terminal Services: %PRODUCT%

Transcription:

IR Event Log Analysis Hal Pomeranz / hal@sans.org / @hal_pomeranz Take FOR508: Advanced Digital Forensics & Incident Response sans.org/for508 1

2

Windows Event Logs C:\Windows\System32\winevt\Logs\*.evtx Variety of parsers available GUI, command-line, and scripty Analysis is something of a black art? IR Event Log Analysis 3

IR Event Log Analysis 4 Example: Lateral Movement 1. Malware Uploaded Via File Share 1. Event IDs 4624 / 4672 show a successful network logon as admin 2. Event ID 5140 shows share mount 2. Malware Executed via at job 3. Event IDs 106 / 200 / 201 /141 show sched tasks Compromised System Target System

IR Event Log Analysis 5 Log Timeline 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 5140 Network share Microsoft-Windows-TaskScheduler%4Operational.evtx 12:02:23 106 Task scheduled 12:03:00 200 Task executed 12:03:12 201 Task completed 12:05:41 141 Task removed 12:07:01 4634 Logoff

IR Event Log Analysis 6 Timestamp = 2015-02-14 12:00:00 Event 4624 ID = 4624 Network Logon SubjectUserSid = S-1-0-0 SubjectUserName = - SubjectDomainName = - SubjectLogonId = 0x0000000000000000 TargetUserSid = S-1-5-21-2723264887-207281631-482592677-2984 12:00:00 4624 TargetUserName Network logon = imowned 12:00:00 4672 TargetDomainName Admin rights = MYDOM TargetLogonId = 0x000000021457dbab 12:00:15 5140 LogonType Network share = 3 Microsoft-Windows-TaskScheduler%4Operational.evtx LogonProcessName = Kerberos AuthenticationPackageName = Kerberos 12:02:23 106 WorkstationName Task scheduled = 12:03:00 200 LogonGuid Task executed = {726F6B9E-C1BE-4EC1-BB95-3B0B6238BE56} TransmittedServices = - 12:03:12 201 LmPackageName Task completed = - 12:05:41 141 KeyLength Task removed = 0 ProcessId = 0x0000000000000000 ProcessName = - 12:07:01 4634 IpAddress Logoff = 10.1.1.10 IpPort = 3005

IR Event Log Analysis 7 4672 Admin Rights 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 Timestamp 5140 Network = 2015-02-14 share 12:00:00 Event ID = 4672 Microsoft-Windows-TaskScheduler%4Operational.evtx SubjectUserSid = S-1-5-21-2723264887-207281631-482592677-2984 12:02:23 SubjectUserName 106 Task scheduled = imowned 12:03:00 SubjectDomainName = MYDOM SubjectLogonId 200 Task executed = 0x000000021457dbab 12:03:12 PrivilegeList 201 Task = completed SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege 12:05:41 SeTakeOwnershipPrivilege SeDebugPrivilege 141 Task removed SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege 12:07:01 4634 Logoff

IR Event Log Analysis 8 5140 Network Share 12:00:00 4624 Network logon 12:00:00 4672 Admin rights Timestamp = 2015-02-14 12:00:15 12:00:15 5140 Event Network ID = 5140 share Microsoft-Windows-TaskScheduler%4Operational.evtx SubjectUserSid = S-1-5-21-2723264887-207281631-482592677-2984 SubjectUserName = imowned 12:02:23 106 SubjectDomainName Task scheduled = MYDOM 12:03:00 SubjectLogonId = 0x000000021457dbab 200 Task executed ObjectType = File 12:03:12 201 IpAddress Task completed = 10.1.1.10 12:05:41 IpPort = 3005 141 Task removed ShareName = //*/C$ ShareLocalPath = /??/C:/ 12:07:01 AccessMask = 0x00000001 4634 Logoff AccessList: {ReadData (or ListDirectory) }

IR Event Log Analysis 9 106 Task Scheduled 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 5140 Network share Microsoft-Windows-TaskScheduler%4Operational.evtx 12:02:23 106 Task scheduled 12:03:00 200 Task executed 12:03:12 201 Task completed 12:05:41 141 Task removed 12:07:01 4634 Logoff Timestamp = 2015-02-14 12:02:23 Event ID = 106 TaskName = /At1 UserContext = MYDOM/imowned

IR Event Log Analysis 10 200 Task Executed 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 5140 Network share Microsoft-Windows-TaskScheduler%4Operational.evtx 12:02:23 106 Task scheduled 12:03:00 200 Task executed 12:03:12 201 Task Timestamp completed = 2015-02-14 12:03:00 Event ID = 200 12:05:41 141 Task TaskName removed = /At1 ActionName = malicious.bat TaskInstanceId = {B042B2E4-D186-4970-AE6C-B5DE328BCF3A} 12:07:01 4634 Logoff

IR Event Log Analysis 11 Bonus! 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 5140 Network share Microsoft-Windows-TaskScheduler%4Operational.evtx Timestamp = 2015-02-14 12:03:09 12:02:23 106 Task scheduled Event ID = 4688 12:03:00 200 Task executed SubjectUserSid = S-1-5-18 SubjectUserName = TARGET$ 12:03:12 201 Task completed SubjectDomainName = MYDOM SubjectLogonId = 0x00000000000003e7 12:05:41 141 Task removed NewProcessId = 0x0000000000002318 NewProcessName = C:/Windows/m.exe 12:07:01 4634 Logoff TokenElevationType = %%1936 ProcessId = 0x0000000000001c04

IR Event Log Analysis 12 201 Task Completed 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 5140 Network share Microsoft-Windows-TaskScheduler%4Operational.evtx 12:02:23 106 Task scheduled 12:03:00 200 Task executed 12:03:12 201 Task Timestamp completed = 2015-02-14 12:03:12 12:05:41 Event ID = 201 141 Task removed TaskName = /At1 TaskInstanceId = {B042B2E4-D186-4970-AE6C-B5DE328BCF3A} 12:07:01 ActionName = C:/Windows/SYSTEM32/cmd.exe 4634 Logoff ResultCode = 0

IR Event Log Analysis 13 141 Task Removed 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 5140 Network share Microsoft-Windows-TaskScheduler%4Operational.evtx 12:02:23 106 Task scheduled 12:03:00 200 Task executed 12:03:12 201 Task completed 12:05:41 141 Task removed 12:07:01 4634 Logoff Timestamp = 2015-02-14 12:05:41 Event ID = 141 TaskName = /At1 UserName = NT AUTHORITY/System

IR Event Log Analysis 14 4634 Logoff 12:00:00 4624 Network logon 12:00:00 4672 Admin rights 12:00:15 5140 Network share Microsoft-Windows-TaskScheduler%4Operational.evtx 12:02:23 106 Timestamp Task scheduled = 2015-02-14 12:07:01 12:03:00 200 Event Task executed ID = 4634 TargetUserSid = S-1-5-21-2723264887-207281631-482592677-2984 12:03:12 201 TargetUserName Task completed = imowned 12:05:41 141 TargetDomainName Task removed = MYDOM TargetLogonId = 0x000000021457dbab LogonType = 3 12:07:01 4634 Logoff

Review What Do We Know? Login events 4624 Who, where from, time 4672 They re an admin 5140 And they mounted a share from Scheduled tasks 106 Job name, who, time 200 Start time and program name 201 Finish time 141 They cleaned up IR Event Log Analysis 15

IR Event Log Analysis 16 Example: Domain Controller of Doom! Malicious RDP activty Two different RATs? Not so much

IR Event Log Analysis 17 RDP Event Log Basics Microsoft-Windows-TerminalServices-RemoteConnectionManager 13:00:00 1149 URDOM\owendtu from 192.168.1.10 authenticated Microsoft-Windows-TerminalServices-LocalSessionManager 13:00:41 21 URDOM\owendtu from 192.168.1.10 logon success 14:45:27 23 URDOM\owendtu logoff 14:45:32 24 URDOM\owendtu from 192.168.1.10 disconnect

IR Event Log Analysis 18 RDP Event Log Permutations Microsoft-Windows-TerminalServices-RemoteConnectionManager 15:00:00 1149 URDOM\owendtu from 192.168.1.10 authenticated Microsoft-Windows-TerminalServices-LocalSessionManager 15:00:32 21 URDOM\owendtu from 192.168.1.10 logon success Microsoft-Windows-TerminalServices-RemoteConnectionManager 16:00:00 1149 URDOM\owendtu from 192.168.100.102 authenticated Microsoft-Windows-TerminalServices-LocalSessionManager 16:00:10 25 - URDOM\owendtu from 192.168.100.102 reconnect 16:00:12 24 URDOM\owendtu from 192.168.1.10 disconnect

Bonus Clue! Timestamp: 2015-03-17 15:00:12 Event ID: 45 (Symantec Endpoint Protection Client.evtx) Scan type: Tamper Protection Scan Event: Tamper Protection Detection Security risk detected: C:/WINDOWS/SYSWOW64/SVCHOST.EXE File: C:/Program Files (x86)/symantec/symantec Endpoint Protection/ 12.1.2015.2015.105/Bin64/Smc.exe Location: C:/Program Files (x86)/symantec/symantec Endpoint Protection/ 12.1.2015.2015.105/Bin64 Computer: OWNDC User: owendtu Action taken: Leave Alone Date found: Tuesday- March 17-2015 15:00:10 IR Event Log Analysis 19

More Malware! Timestamp = 2015-03-17 16:13:22 Event ID = 7045 (System.evtx) ServiceName = Nothing to See Here ImagePath = C:\Windows\Temp\NTSH.exe ServiceType = user mode service StartType = auto start AccountName = LocalSystem IR Event Log Analysis 20

IR Event Log Analysis 21 Summary Other Places to Look RDP logs last longer than Application logs can have clues System.evtx tracks service creation, etc

IR Event Log Analysis 22 Wrapping Up Any final questions? Can I have that survey link please?

IR Event Log Analysis Hal Pomeranz / hal@sans.org / @hal_pomeranz Take FOR508: Advanced Digital Forensics & Incident Response sans.org/for508 23