Tuesday, August 21, 2012

Windows Forensics Using Object Access Event Logs

So the third and final offering of Bejtlich's excellent tactical seminar recently took place at Blackhat 2012. One of the exercises featured a client side PDF based exploit and one of the questions was whether it could be determined if the target user had opened the malicious PDF using the available forensic data. In the scenario, it was inferred that the target had opened the PDF by virtue of the process tracking data indicating an Adobe PDF reader process had started and exited. A better data point, and a more precise answer to the question of whether a malicious file has been opened, would be the read events for the PDF file itself. 

With file event auditing enabled, we can see all of the file events associated with the exploitation cycle from the arrival of the malicious PDF to its opening. The first file events relevant to this incident are the write events associated with the arrival of the PDF file named 2011_prc_navy_projection.pdf; it came in via FTP and so was written by PID 1820, the ftp server process ftpbasicsvr.exe:

Jul 24 17:53:58 172.16.151.242 Jul 24 10:54:01 fdcc_xp_vhd MSWinEventLog    4    Security    1195    Tue Jul 24 10:53:59 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 220     Operation ID: {0,691437}     Process ID: 1820     Image File Name: C:\Program Files\easyftpsvr-1.7.0.2\ftpbasicsvr.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  WriteData (or AddFile)  AppendData (or AddSubdirectory or CreatePipeInstance)  WriteEA  ReadAttributes  WriteAttributes       Privileges: -     Restricted Sid Count: 0        1159 

Jul 24 17:53:58 172.16.151.242 Jul 24 10:54:01 fdcc_xp_vhd MSWinEventLog    4    Security    1190    Tue Jul 24 10:53:59 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 220     Operation ID: {0,691435}     Process ID: 1820     Image File Name: C:\Program Files\easyftpsvr-1.7.0.2\ftpbasicsvr.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  WriteData (or AddFile)  AppendData (or AddSubdirectory or CreatePipeInstance)  WriteEA  ReadAttributes  WriteAttributes       Privileges: -     Restricted Sid Count: 0        1154

Next is the read event of the PDF associated with a user enumerating the file in Windows Explorer (explorer.exe is the default shell and file manager in Windows):

Jul 24 17:58:08 172.16.151.242 Jul 24 10:58:11 fdcc_xp_vhd MSWinEventLog    4    Security    3757    Tue Jul 24 10:58:08 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 2296     Operation ID: {0,781123}     Process ID: 2036     Image File Name: C:\WINDOWS\explorer.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  ReadData (or ListDirectory)  ReadEA  ReadAttributes       Privileges: -     Restricted Sid Count: 0        3721

If this event were not followed by the subsequent events, we would know the user listed the directory in Windows Explorer but did not open the file in Acrobat. The next events answer the question of whether the file was opened. In the file events below, we can see the PDF file 2011_prc_navy_projection.pdf opened by the Acrobat Reader process. The events include the PID and image path for the Reader program, the absolute path of the file being opened, the user ID of the user who opened the file, the handle ID, and the name of the domain context the user came from. With these events, we can positively determine that the user Renamed_Admin opened the PDF file 2011_prc_navy_projection.pdf on the Windows computer FDCC_XP_VHD.

Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog    4    Security    4040    Tue Jul 24 10:58:29 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 620     Operation ID: {0,803281}     Process ID: 1076     Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  ReadData (or ListDirectory)  ReadEA  ReadAttributes       Privileges: -     Restricted Sid Count: 0        4004

Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog    4    Security    4037    Tue Jul 24 10:58:29 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 604     Operation ID: {0,803060}     Process ID: 1076     Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  ReadData (or ListDirectory)  ReadEA  ReadAttributes       Privileges: -     Restricted Sid Count: 0        4001

Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog    4    Security    4034    Tue Jul 24 10:58:29 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 604     Operation ID: {0,803053}     Process ID: 1076     Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  ReadData (or ListDirectory)  ReadEA  ReadAttributes       Privileges: -     Restricted Sid Count: 0        3998

Jul 24 17:58:08 172.16.151.242 Jul 24 10:58:11 fdcc_xp_vhd MSWinEventLog    4    Security    3784    Tue Jul 24 10:58:09 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 528     Operation ID: {0,784354}     Process ID: 1112     Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  ReadData (or ListDirectory)  ReadEA  ReadAttributes       Privileges: -     Restricted Sid Count: 0        3748

Jul 24 17:58:08 172.16.151.242 Jul 24 10:58:11 fdcc_xp_vhd MSWinEventLog    4    Security    3781    Tue Jul 24 10:58:09 2012    560    Security    Renamed_Admin    User    Success Audit    FDCC_XP_VHD    Object Access        Object Open:     Object Server: Security     Object Type: File     Object Name: C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf     Handle ID: 524     Operation ID: {0,784085}     Process ID: 1112     Image File Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe     Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: READ_CONTROL  SYNCHRONIZE  ReadData (or ListDirectory)  ReadEA  ReadAttributes       Privileges: -     Restricted Sid Count: 0        3745

This kind of data is useful to have when a malicious PDF is in circulation and targets are being actively exploited; if you can determine who has opened the file, you can shorten your response time by getting to the probable victims first, rather than simply working through a long list of recipients or waiting for secondary detections to arrive.

The data set we used also had process tracking events for the meterpreter instance (the exploit payload), as you can see below:

Jul 24 19:32:28 172.16.151.242 Jul 24 12:32:31 fdcc_xp_vhd MSWinEventLog    0    Security    60887    Tue Jul 24 12:32:28 2012    593    Security    SYSTEM    User    Success Audit    FDCC_XP_VHD    Detailed Tracking        A process has exited:     Process ID: 788     Image File Name: C:\WINDOWS\msRsPpwl.exe     User Name: FDCC_XP_VHD$     Domain: WORKGROUP     Logon ID: (0x0,0x3E7)        60846

Jul 24 19:32:28 172.16.151.242 Jul 24 12:32:31 fdcc_xp_vhd MSWinEventLog    0    Security    60885    Tue Jul 24 12:32:28 2012    592    Security    SYSTEM    User    Success Audit    FDCC_XP_VHD    Detailed Tracking        A new process has been created:     New Process ID: 788     Image File Name: C:\WINDOWS\msRsPpwl.exe     Creator Process ID: 532     User Name: FDCC_XP_VHD$     Domain: WORKGROUP     Logon ID: (0x0,0x3E7)        60844

The meterpreter process spawned by the PDF exploit in this case looks to have loaded from an image in %SystemRoot%. If object access auditing were enabled there, we should also see the image file write that preceded the process create event. All of these meterpreter events are compromise detection candidates because the meterpreter's image name does not resemble any normal image found there - the unusual mixed-case name format could probably be described in a regex - so both the file write and the process create are suspicious. Also suspicious is the fact that the meterpreter starts as SYSTEM, a local Windows account with essentially unlimited privileges that is normally used only by a few well-known components of Windows.
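To make both the "did the user actually open it?" question from the file events above and the process-create heuristic just described concrete, here is an added example in Python (my code, not anything from the seminar, the post, or Snare). It parses Snare-formatted lines of the kind shown above, classifies the 560 opens of the PDF as reads or writes per image, treats explorer.exe reads as directory listings rather than opens, and flags a 592 whose image sits directly in %SystemRoot% with a random-looking mixed-case name or a SYSTEM logon session. The sample lines are constructed from the values in the events above, with real tabs in place of the flattened spaces, plus one invented explorer.exe creation event as a benign control; that %SystemRoot% is C:\WINDOWS, that logon ID 0x3E7 is the SYSTEM session, and the mixed-case heuristic (more than two case flips in the base name) are my assumptions.

```python
# Added example, not the post's code: parse Snare-forwarded XP Security events (560 object open,
# 592 process create) and answer who actually opened the PDF and which creates look like a dropped payload.
import re

PDF = r"C:\Program Files\easyftpsvr-1.7.0.2\anonymous\2011_prc_navy_projection.pdf"
READ = "READ_CONTROL  SYNCHRONIZE  ReadData (or ListDirectory)  ReadEA  ReadAttributes"
WRITE = ("READ_CONTROL  SYNCHRONIZE  WriteData (or AddFile)  "
         "AppendData (or AddSubdirectory or CreatePipeInstance)  WriteEA  ReadAttributes  WriteAttributes")

def _open_desc(handle, pid, image, accesses):
    # Body of an XP event 560 as Snare flattens it: "Key: value" pairs separated by runs of spaces.
    return (f"Object Open:     Object Server: Security     Object Type: File     Object Name: {PDF}     "
            f"Handle ID: {handle}     Operation ID: {{0,0}}     Process ID: {pid}     Image File Name: {image}     "
            "Primary User Name: Renamed_Admin     Primary Domain: FDCC_XP_VHD     Primary Logon ID: (0x0,0x13DC1)     "
            f"Client User Name: -     Client Domain: -     Client Logon ID: -     Accesses: {accesses}       "
            "Privileges: -     Restricted Sid Count: 0")

def _snare(counter, when, event_id, user, category, desc):
    # Snare's tab-separated layout; column 0 is the syslog header plus "hostname MSWinEventLog".
    return "\t".join(["Jul 24 17:58:34 172.16.151.242 Jul 24 10:58:36 fdcc_xp_vhd MSWinEventLog", "4",
                      "Security", str(counter), when, str(event_id), "Security", user, "User",
                      "Success Audit", "FDCC_XP_VHD", category, "", desc, str(counter)])

# Constructed sample: the post's events re-keyed with real tabs (the blog copy has them flattened to
# spaces); the final explorer.exe creation event is an invented benign control for the 592 heuristic.
SAMPLE_LINES = [
    _snare(1195, "Tue Jul 24 10:53:59 2012", 560, "Renamed_Admin", "Object Access",
           _open_desc(220, 1820, r"C:\Program Files\easyftpsvr-1.7.0.2\ftpbasicsvr.exe", WRITE)),
    _snare(3757, "Tue Jul 24 10:58:08 2012", 560, "Renamed_Admin", "Object Access",
           _open_desc(2296, 2036, r"C:\WINDOWS\explorer.exe", READ)),
    _snare(4040, "Tue Jul 24 10:58:29 2012", 560, "Renamed_Admin", "Object Access",
           _open_desc(620, 1076, r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe", READ)),
    _snare(3784, "Tue Jul 24 10:58:09 2012", 560, "Renamed_Admin", "Object Access",
           _open_desc(528, 1112, r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe", READ)),
    _snare(60885, "Tue Jul 24 12:32:28 2012", 592, "SYSTEM", "Detailed Tracking",
           r"A new process has been created:     New Process ID: 788     Image File Name: C:\WINDOWS\msRsPpwl.exe"
           "     Creator Process ID: 532     User Name: FDCC_XP_VHD$     Domain: WORKGROUP     Logon ID: (0x0,0x3E7)"),
    _snare(3700, "Tue Jul 24 10:57:50 2012", 592, "Renamed_Admin", "Detailed Tracking",
           r"A new process has been created:     New Process ID: 2036     Image File Name: C:\WINDOWS\explorer.exe"
           "     Creator Process ID: 1980     User Name: Renamed_Admin     Domain: FDCC_XP_VHD     Logon ID: (0x0,0x13DC1)"),
]

KEYS = ["Object Server", "Object Type", "Object Name", "Handle ID", "Operation ID", "New Process ID",
        "Creator Process ID", "Process ID", "Image File Name", "Primary User Name", "Primary Domain",
        "Primary Logon ID", "Client User Name", "Client Domain", "Client Logon ID", "Accesses",
        "Privileges", "Restricted Sid Count", "User Name", "Domain", "Logon ID"]
# A key counts only at the start of the body or after a run of spaces (so "Domain" never matches
# inside "Primary Domain"); longest keys are tried first so "New Process ID" beats "Process ID".
_KEY_RE = re.compile(r"(?:^|\s{2,})(" + "|".join(re.escape(k) for k in sorted(KEYS, key=len, reverse=True)) + r"): ")

def parse_description(desc):
    """Split a flattened event body into its title and a {key: value} dict."""
    matches = list(_KEY_RE.finditer(desc))
    title = (desc[:matches[0].start()] if matches else desc).strip().rstrip(":")
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(desc)
        fields[m.group(1)] = desc[m.end():end].strip()
    return title, fields

def parse_snare_line(line):
    cols = line.rstrip("\r\n").split("\t")
    desc = next(c for c in cols[12:] if ": " in c)  # the body follows the category column(s)
    title, fields = parse_description(desc)
    return {"time": cols[4], "event_id": int(cols[5]), "computer": cols[10], "title": title, **fields}

def file_opens(events, filename):
    """Every 560 open of `filename`, classified as read or write from its Accesses list."""
    hits = []
    for e in events:
        if e["event_id"] != 560 or not e.get("Object Name", "").lower().endswith("\\" + filename.lower()):
            continue
        acc = e["Accesses"]
        kind = "write" if "WriteData" in acc or "AppendData" in acc else "read" if "ReadData" in acc else "other"
        hits.append({"time": e["time"], "kind": kind, "user": e["Primary User Name"], "computer": e["computer"],
                     "pid": int(e["Process ID"]), "image": e["Image File Name"].rsplit("\\", 1)[-1]})
    return hits

def opened_by(events, filename, shells=("explorer.exe",)):
    """Readers other than the file manager, which also reads a file when it merely lists the folder."""
    return sorted({(h["user"], h["computer"], h["image"]) for h in file_opens(events, filename)
                   if h["kind"] == "read" and h["image"].lower() not in shells})

SYSTEM_LOGON = "(0x0,0x3E7)"  # the well-known logon session of the SYSTEM account
SYSTEM_ROOT = r"C:\WINDOWS"   # assumed %SystemRoot% of the XP host in the post

def _case_flips(name):
    letters = [c for c in name if c.isalpha()]
    return sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))

def suspicious_process_creates(events, max_flips=2):
    """Triage heuristic: a 592 for an image directly in %SystemRoot% with an odd mixed-case name and/or SYSTEM logon."""
    out = []
    for e in events:
        folder, _, name = e.get("Image File Name", "").rpartition("\\")
        if e["event_id"] != 592 or folder.upper() != SYSTEM_ROOT:
            continue
        reasons = []
        if _case_flips(name.rsplit(".", 1)[0]) > max_flips:
            reasons.append("random-looking mixed-case name")
        if e["Logon ID"] == SYSTEM_LOGON:
            reasons.append("started as SYSTEM")
        if reasons:
            out.append({"pid": int(e["New Process ID"]), "image": e["Image File Name"], "reasons": reasons})
    return out

if __name__ == "__main__":
    evs = [parse_snare_line(l) for l in SAMPLE_LINES]
    for h in file_opens(evs, "2011_prc_navy_projection.pdf"):
        print(f'{h["time"]}  {h["kind"]:5}  pid {h["pid"]:<5} {h["image"]}  by {h["computer"]}\\{h["user"]}')
    print("opened by:", opened_by(evs, "2011_prc_navy_projection.pdf"))
    for s in suspicious_process_creates(evs):
        print("suspicious create:", s["pid"], s["image"], "(" + "; ".join(s["reasons"]) + ")")
```

Run against the sample it reports the FTP server's write, the three reads, that AcroRd32.exe and AcroRd32Info.exe (not just the shell) read the PDF under Renamed_Admin on FDCC_XP_VHD, and flags PID 788 for both its name and its logon session while leaving the explorer.exe control alone. The key-based splitting matters because the Snare body is just one long string and the Accesses value itself contains double spaces, so splitting on whitespace alone would shred it.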

Figure 1. Audit object access

You may be wondering why a file read creates multiple events. In fact, there are over a dozen events generated during this simple PDF file open involving Windows Explorer, Acrobat Reader and something called AcroRd32Info.exe, which may be part of Acrobat's DRM implementation or perhaps an auto-update mechanism. The Windows auditing subsystem is designed to provide audit trails in great detail, down to the transaction level, which is good for forensics and detection. I realize, of course, that this sort of detailed instrumentation has a time, effort and storage cost at scale; however, the requirement in this exercise is to solve for detection, not disk space.

Figure 2. Configuring Auditing on a Directory

Obtaining file read events under Windows requires a few steps:

1. Enable object access logging in the local security policy or, more likely, via group policy in a domain (see Figure 1)
2. Navigate to the Security tab in the properties dialog of a directory
3. Click the "Advanced" button and navigate to the Auditing tab
4. Enable auditing on the important directories of interest (see Figure 2)
5. Using Snare or an equivalent forwarder, send the event logs to a log aggregation and/or correlation tool where you can make use of them. One low-cost option for log collection (at small scale) would be the Security Onion distro.

