The third and final offering of Bejtlich's excellent tactical seminar recently took place at Blackhat 2012. One of the exercises featured a client-side, PDF-based exploit, and one of the questions was whether the available forensic data could establish that the target user had opened the malicious PDF. In the scenario the answer was inferred from process tracking data: an Adobe Reader process had started and exited. A better data point, and a more precise answer to the question of whether a malicious file has been opened, is the set of read events on the PDF file itself.
With object access auditing enabled on the directory, we can see every file event in the exploitation cycle, from the arrival of the malicious PDF to its opening; on this Windows XP host each one is a 560 (Object Open) event in the Security log. The first events relevant to this incident are the writes associated with the arrival of the file 2011_prc_navy_projection.pdf. It came in via FTP, so it was written (Accesses: WriteData, AppendData, WriteAttributes) by PID 1820, the FTP server process ftpbasicsvr.exe:
Jul 24 17:53:58 172.16.151.242 Jul 24 10:54:01 fdcc_xp_vhd MSWinEventLog 4 Security 1195 Tue Jul 24 10:53:59 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 220 Operation ID: {0,691437} Process ID: 1820 Image File Name: C:\Program Files\easyftpsvr-1.7.0.2\ftpbasicsvr.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 1159
Jul 24 17:53:58 172.16.151.242 Jul 24 10:54:01 fdcc_xp_vhd MSWinEventLog 4 Security 1190 Tue Jul 24 10:53:59 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 220 Operation ID: {0,691435} Process ID: 1820 Image File Name: C:\Program Files\easyftpsvr-1.7.0.2\ftpbasicsvr.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 1154
Next is the read event on the PDF generated when the user enumerates the file in Windows Explorer (explorer.exe, the default shell and file manager in Windows). Note the Accesses list: ReadData, ReadEA and ReadAttributes, the same access mask a viewer requests, so it is the Image File Name, not the access mask, that separates a directory listing from an open:
Jul 24 17:58:08 172.16.151.242 Jul 24 10:58:11 fdcc_xp_vhd MSWinEventLog 4 Security 3757 Tue Jul 24 10:58:08 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 2296 Operation ID: {0,781123} Process ID: 2036 Image File Name: C:\WINDOWS\explorer.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 3721
If this event were not followed by the ones below, we would know only that the user listed the directory in Windows Explorer, not that the file was opened in Reader. The next events answer the question. They show 2011_prc_navy_projection.pdf opened for ReadData by the Adobe Reader process, and each event carries the PID and image path of the reading program, the absolute path of the file, the user name and logon ID of the account that opened it, the handle ID, and the domain context the user came from (here the local machine). With these events we can positively determine that the user Renamed_Admin, in logon session (0x0,0x13DC1), opened 2011_prc_navy_projection.pdf in AcroRd32.exe (PID 1076) on the Windows computer FDCC_XP_VHD at 10:58:29 local time. The events below are listed newest first, so read them from the bottom up: the two AcroRd32Info.exe reads (PID 1112) land at 10:58:09, one second after the Explorer listing, and the AcroRd32.exe reads follow twenty seconds later at 10:58:29.
Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog 4 Security 4040 Tue Jul 24 10:58:29 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 620 Operation ID: {0,803281} Process ID: 1076 Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 4004
Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog 4 Security 4037 Tue Jul 24 10:58:29 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 604 Operation ID: {0,803060} Process ID: 1076 Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 4001
Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog 4 Security 4034 Tue Jul 24 10:58:29 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 604 Operation ID: {0,803053} Process ID: 1076 Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 3998
Jul 24 17:58:08 172.16.151.242 Jul 24 10:58:11 fdcc_xp_vhd MSWinEventLog 4 Security 3784 Tue Jul 24 10:58:09 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 528 Operation ID: {0,784354} Process ID: 1112 Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 3748
Jul 24 17:58:08 172.16.151.242 Jul 24 10:58:11 fdcc_xp_vhd MSWinEventLog 4 Security 3781 Tue Jul 24 10:58:09 2012 560 Security Renamed_Admin User Success Audit FDCC_XP_VHD Object Access Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf Handle ID: 524 Operation ID: {0,784085} Process ID: 1112 Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe Primary User Name: Renamed_Admin Primary Domain: FDCC_XP_VHD Primary Logon ID: (0x0,0x13DC1) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 3745
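As an added example, not code from the original post, here is the attribution logic above run over the post's 560 events, rebuilt as constructed sample lines in the Snare syslog layout. It parses the Object Open fields, keeps only events on the file of interest, and separates the write that delivered the file, the reads by Explorer and AcroRd32Info.exe (treated, by assumption, as listing and property extraction), and the reads by AcroRd32.exe (treated as the user opening the document). The snare_560 template, the VIEWERS and SHELL_HELPERS sets and the who_touched/report names are assumptions made for this example, not anything defined by the page or by Snare.

```python
import re
from datetime import datetime

# Constructed sample: the 560 "Object Open" events quoted in the post, rebuilt from a
# template so each line has the Snare syslog layout of the originals (the trailing
# number is Snare's record counter and plays no part in the analysis).
def snare_560(ts, rec, handle, opid, pid, image, accesses, user="Renamed_Admin",
              domain="FDCC_XP_VHD", logon="(0x0,0x13DC1)"):
    return (f"Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog 4 "
            f"Security {rec} {ts} 560 Security {user} User Success Audit {domain} Object Access "
            f"Object Open: Object Server: Security Object Type: File Object Name: "
            f"C:\\Program Files\\easyftpsvr-1.7.0.2\\anonymous\\2011_prc_navy_projection.pdf "
            f"Handle ID: {handle} Operation ID: {{0,{opid}}} Process ID: {pid} "
            f"Image File Name: {image} Primary User Name: {user} Primary Domain: {domain} "
            f"Primary Logon ID: {logon} Client User Name: - Client Domain: - Client Logon ID: - "
            f"Accesses: {accesses} Privileges: - Restricted Sid Count: 0 {rec - 36}")

READ = "READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes"
WRITE = ("READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or "
         "CreatePipeInstance) WriteEA ReadAttributes WriteAttributes")
READER = r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"
INFO = r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"
FTPD = r"C:\Program Files\easyftpsvr-1.7.0.2\ftpbasicsvr.exe"
SAMPLE = [  # newest first, as the post lists them; the last line is a 592 that must be ignored
    snare_560("Tue Jul 24 10:58:29 2012", 4040, 620, 803281, 1076, READER, READ),
    snare_560("Tue Jul 24 10:58:29 2012", 4037, 604, 803060, 1076, READER, READ),
    snare_560("Tue Jul 24 10:58:09 2012", 3784, 528, 784354, 1112, INFO, READ),
    snare_560("Tue Jul 24 10:58:08 2012", 3757, 2296, 781123, 2036, r"C:\WINDOWS\explorer.exe", READ),
    snare_560("Tue Jul 24 10:53:59 2012", 1195, 220, 691437, 1820, FTPD, WRITE),
    r"Jul 24 19:32:28 172.16.151.242 Jul 24 12:32:31 fdcc_xp_vhd MSWinEventLog 0 Security 60885 "
    r"Tue Jul 24 12:32:28 2012 592 Security SYSTEM User Success Audit FDCC_XP_VHD Detailed "
    r"Tracking A new process has been created: New Process ID: 788 Image File Name: "
    r"C:\WINDOWS\msRsPpwl.exe Creator Process ID: 532 User Name: FDCC_XP_VHD$ Domain: WORKGROUP "
    r"Logon ID: (0x0,0x3E7) 60844",
]

HEAD_RE = re.compile(r"(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(\d+)\s+Security\s+")
FIELD_RE = re.compile(
    r"(Object Server|Object Type|Object Name|Handle ID|Operation ID|Process ID|"
    r"Image File Name|Primary User Name|Primary Domain|Primary Logon ID|Client User Name|"
    r"Client Domain|Client Logon ID|Accesses|Privileges|Restricted Sid Count):\s*")

def parse_560(line):
    """Fields of a Snare-forwarded 560 (Object Open) event, or None for any other event."""
    head = HEAD_RE.search(line)
    if not head or head.group(2) != "560":
        return None
    parts = FIELD_RE.split(line)               # [header, key, value, key, value, ...]
    ev = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    ev["time"] = datetime.strptime(" ".join(head.group(1).split()), "%a %b %d %H:%M:%S %Y")
    ev["image"] = ev["Image File Name"].rsplit("\\", 1)[-1]
    return ev

# Assumptions about what a ReadData from a given image means; extend these per site.
VIEWERS = {"acrord32.exe"}                            # a read here is the user opening the file
SHELL_HELPERS = {"explorer.exe", "acrord32info.exe"}  # directory listing / property extraction

def who_touched(lines, filename):
    """Bucket the 560 events on `filename` by what the accessing process implies.

    Buckets hold (domain, user, logon_id, image, pid) tuples in order of first appearance;
    `first_seen` maps each tuple to its earliest event time."""
    out = {"written_by": set(), "listed_by": set(), "opened_by": set(), "other": set()}
    first_seen = {}
    for line in lines:
        ev = parse_560(line)
        if not ev or not ev["Object Name"].lower().endswith("\\" + filename.lower()):
            continue
        who = (ev["Primary Domain"], ev["Primary User Name"], ev["Primary Logon ID"],
               ev["image"], int(ev["Process ID"]))
        acc, image = ev["Accesses"], ev["image"].lower()
        if "WriteData" in acc or "AppendData" in acc:
            bucket = "written_by"
        elif "ReadData" not in acc:
            continue                                  # attribute-only touch, not a read
        elif image in VIEWERS:
            bucket = "opened_by"
        elif image in SHELL_HELPERS:
            bucket = "listed_by"
        else:
            bucket = "other"                          # unknown reader: examine by hand
        out[bucket].add(who)
        first_seen[who] = min(ev["time"], first_seen.get(who, ev["time"]))
    result = {k: sorted(v, key=first_seen.get) for k, v in out.items()}
    result["first_seen"] = first_seen
    return result

def report(lines, filename):
    """One line per (who, how) pair, oldest first: the answer to 'who opened this file?'"""
    r = who_touched(lines, filename)
    rows = [(r["first_seen"][w], bucket, w)
            for bucket in ("written_by", "listed_by", "opened_by", "other") for w in r[bucket]]
    return [f"{t:%Y-%m-%d %H:%M:%S} {bucket:<10} {dom}\\{user} logon {logon} via {image} (PID {pid})"
            for t, bucket, (dom, user, logon, image, pid) in sorted(rows)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE, "2011_prc_navy_projection.pdf")))
```

Anything that reads the file from an image outside both sets lands in the other bucket for manual review rather than being silently counted as an open, which is the failure mode to avoid: a backup agent or an antivirus scanner also issues ReadData. The bucket key includes the logon ID, so a second session by the same user shows up as a separate entry.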
This kind of data is useful to have when a malicious PDF is in circulation and targets are being actively exploited: if you can determine who has opened the file, you can shorten your response time by getting to the probable victims first, rather than working through a long list of recipients or waiting for secondary detections to arrive.
The data set also contains process tracking events (592, process created; 593, process exited) for the meterpreter instance launched by the exploit payload, as you can see below:
Jul 24 19:32:28 172.16.151.242 Jul 24 12:32:31 fdcc_xp_vhd MSWinEventLog 0 Security 60887 Tue Jul 24 12:32:28 2012 593 Security SYSTEM User Success Audit FDCC_XP_VHD Detailed Tracking A process has exited: Process ID: 788 Image File Name: C:\WINDOWS\msRsPpwl.exe User Name: FDCC_XP_VHD$ Domain: WORKGROUP Logon ID: (0x0,0x3E7) 60846
Jul 24 19:32:28 172.16.151.242 Jul 24 12:32:31 fdcc_xp_vhd MSWinEventLog 0 Security 60885 Tue Jul 24 12:32:28 2012 592 Security SYSTEM User Success Audit FDCC_XP_VHD Detailed Tracking A new process has been created: New Process ID: 788 Image File Name: C:\WINDOWS\msRsPpwl.exe Creator Process ID: 532 User Name: FDCC_XP_VHD$ Domain: WORKGROUP Logon ID: (0x0,0x3E7) 60844
The meterpreter process spawned by the PDF exploit loaded from an image in %SystemRoot%, C:\WINDOWS\msRsPpwl.exe. Had object access auditing been enabled on that directory, we would also see the file write that dropped the image before the process create event. All of these meterpreter events are compromise detection candidates: the image name resembles nothing normally found in %SystemRoot%, and its random mixed-case form could be described in a regex, so both the file write and the process create are suspicious. Also suspicious is that the process starts as SYSTEM (User Name FDCC_XP_VHD$, Logon ID (0x0,0x3E7), the well-known LocalSystem logon session), an account with essentially unlimited local privileges that is normally used only by a few well-known Windows components. Note that the XP 592 event names the parent only by Creator Process ID (532 here); to identify it you need the earlier 592 event that created PID 532, bearing in mind that PIDs are reused after a process exits.
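As an added example, not the post's code, here is the detection just described run over constructed 592/593 events in the Snare layout: a regex for the random mixed-case image name, a check for images directly under %SystemRoot% that are absent from a baseline, and a check for the LocalSystem logon (0x0,0x3E7), with the Creator Process ID resolved from earlier 592 events. The baseline set, the two-indicator threshold, the snare_proc template and the added services.exe, svchost.exe and explorer.exe lines (including the assumption that PID 532 was services.exe) are assumptions made for this example.

```python
import re

# Constructed sample in the Snare layout of the post's 592/593 events. The msRsPpwl.exe
# lines mirror the post's; the services.exe, svchost.exe and explorer.exe creates are
# added here so the creator PID can be resolved (assumption: PID 532 was services.exe).
def snare_proc(ts, rec, eid, pid, image, creator=None, user="FDCC_XP_VHD$",
               domain="WORKGROUP", logon="(0x0,0x3E7)"):
    body = (f"A new process has been created: New Process ID: {pid} Image File Name: {image} "
            f"Creator Process ID: {creator}" if eid == 592 else
            f"A process has exited: Process ID: {pid} Image File Name: {image}")
    return (f"Jul 24 19:32:28 172.16.151.242 Jul 24 12:32:31 fdcc_xp_vhd MSWinEventLog 0 "
            f"Security {rec} {ts} {eid} Security SYSTEM User Success Audit FDCC_XP_VHD "
            f"Detailed Tracking {body} User Name: {user} Domain: {domain} Logon ID: {logon} "
            f"{rec - 41}")

SAMPLE = [
    snare_proc("Tue Jul 24 10:40:02 2012", 310, 592, 532, r"C:\WINDOWS\system32\services.exe", 500),
    snare_proc("Tue Jul 24 10:40:05 2012", 330, 592, 900, r"C:\WINDOWS\system32\svchost.exe", 532),
    snare_proc("Tue Jul 24 10:41:10 2012", 412, 592, 2036, r"C:\WINDOWS\explorer.exe", 1988,
               user="Renamed_Admin", domain="FDCC_XP_VHD", logon="(0x0,0x13DC1)"),
    snare_proc("Tue Jul 24 12:32:28 2012", 60885, 592, 788, r"C:\WINDOWS\msRsPpwl.exe", 532),
    snare_proc("Tue Jul 24 12:32:28 2012", 60887, 593, 788, r"C:\WINDOWS\msRsPpwl.exe"),
]

HEAD_RE = re.compile(r"\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}\s+(59[23])\s+Security\s+")
FIELD_RE = re.compile(r"(New Process ID|Creator Process ID|Process ID|Image File Name|"
                      r"User Name|Domain|Logon ID):\s*")

def parse_proc(line):
    """Fields of a Snare-forwarded 592 (created) or 593 (exited) event, else None."""
    head = HEAD_RE.search(line)
    if not head:
        return None
    parts = FIELD_RE.split(line)               # [header, key, value, key, value, ...]
    ev = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    ev["event"] = int(head.group(1))
    ev["pid"] = int(ev.get("New Process ID") or ev["Process ID"])
    ev["logon"] = ev["Logon ID"].split()[0]    # drop Snare's trailing record counter
    return ev

SYSTEM_LOGON = "(0x0,0x3E7)"   # the well-known LocalSystem logon session
# Assumption: the images that legitimately live directly under %SystemRoot% on this build.
SYSTEMROOT_BASELINE = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "winhlp32.exe"}
LETTERS_ONLY = re.compile(r"^[a-z]{6,12}\.exe$", re.I)

def case_flips(name):
    """Lower/upper transitions in the stem: msRsPpwl -> 4, svchost -> 0."""
    stem = name.rsplit(".", 1)[0]
    return sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))

def score_process_creates(lines, min_score=2):
    """Flag 592 events that look like a dropped payload starting; resolve the creator PID."""
    pid_image = {}                             # live PID -> image, from the 592/593 seen so far
    findings = []
    for line in lines:
        ev = parse_proc(line)
        if ev is None:
            continue
        if ev["event"] == 593:
            pid_image.pop(ev["pid"], None)     # PIDs are reused, so forget exited processes
            continue
        image = ev["Image File Name"]
        folder, _, name = image.rpartition("\\")
        reasons = []
        if folder.lower() == r"c:\windows" and name.lower() not in SYSTEMROOT_BASELINE:
            reasons.append("unknown image directly under %SystemRoot%")
        if LETTERS_ONLY.match(name) and case_flips(name) >= 3:
            reasons.append("random-looking mixed-case name")
        if ev["logon"] == SYSTEM_LOGON:
            reasons.append("runs as LocalSystem (logon 0x3E7)")
        creator = int(ev["Creator Process ID"])
        if len(reasons) >= min_score:
            findings.append({"pid": ev["pid"], "image": image, "reasons": reasons,
                             "creator": pid_image.get(creator, f"unresolved PID {creator}")})
        pid_image[ev["pid"]] = image
    return findings

if __name__ == "__main__":
    for f in score_process_creates(SAMPLE):
        print(f"PID {f['pid']} {f['image']} spawned by {f['creator']}: " + "; ".join(f["reasons"]))
```

The name heuristic alone would hit a few legitimate mixed-case binaries, which is why a finding needs two of the three indicators and why the baseline should be built from a clean host of the same build. The creator lookup depends on having seen the parent's own 592 event; on XP the 592 carries only the creator's PID, and because PIDs are reused the map forgets a PID as soon as its 593 arrives.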
Figure 1. Audit object access
You may be wondering why a file read creates multiple events. Each 560 event records a handle being opened on the object, and a single open of a document typically involves several handles from more than one process; in fact over a dozen events are generated during this simple PDF open, involving Windows Explorer, Adobe Reader and AcroRd32Info.exe, which appears to be the helper Reader installs so the Explorer shell can extract PDF properties (its reads land one second after the Explorer listing and twenty seconds before AcroRd32.exe opens the file, consistent with that role rather than with the user opening the document). The Windows auditing subsystem is designed to provide audit trails in great detail, down to the transaction level, which is good for forensics and detection. I realize, of course, that this sort of detailed instrumentation has a time, effort and storage cost at scale; however, the requirement in this exercise is to solve for detection, not disk space.
Figure 2. Configuring Auditing on a Directory
Obtaining file read events under Windows requires a few steps:
1. Enable object access auditing (Success, plus Failure if you also want denied attempts) in the local security policy or, more likely, via Group Policy in a domain (see figure 1)
2. Navigate to the Security tab in the properties dialog of a directory
3. Click the "Advanced" button and navigate to the Auditing tab
4. Enable auditing on the directories of interest, selecting the accesses to record (see figure 2); auditing only List Folder / Read Data and Create Files / Write Data keeps the volume manageable
5. Using Snare or an equivalent forwarder, send the event logs to a log aggregation and/or correlation tool where you can make use of them. One low-cost option for log collection (at small scale) is the Security Onion distro.