Yearly Archives: 2019

Event Logs++

Posted on by

Inspired by Samir’s findings about “programs running from Run/RunOnce Auto startup locations using events Microsoft-Windows-Shell-Core/Operational EID 9707/9708“, I decided to go through all the win10 Event Logs on my test box.

Just causally browsing through these I was able to quickly find a number of interesting (DFIR-wise) logs that I was not aware of. I am pretty sure many researchers did that before, but I thought it will be an interesting exercise anyway, given (at least in my experience) there is a significant difference between logs available on different systems…

Before we continue, let me repeat what I said on Twitter – you should follow Samir – he has some great Threat Hunting examples in his Twitter feed!

All the logs listed below are located under: Applications and Services Logs\Microsoft\Windows. It’s obviously far from a complete list, but if you never looked at these, perhaps this post will motivate you to poke around…

  • Alternative way of tracking system date/time changes.
    • DateTimeControlPanel\Operational
      • e.g. The system time was set successfully with the following parameters: wYear: 2015, wMonth: 6, wDayOfWeek: 1, wDay: 22, wHour: 12, wMinute: 54, wSecond: 4, wMilliseconds: 0.
    • Time-Service\Operational
  • Program/App Execution
    • Application-Experience\<various>
    • CodeIntegrity\Operational
    • App* e.g.
      • AppModel-Runtime\Admin
      • AppReadiness\Operational
    • Win32k\Operational
  • DHCP changes
    • Dhcp-Client\Microsoft-Windows-DHCP Client Events\Admin
    • DHCPv6-Client\Microsoft-Windows-DHCPv6 Client Events\Admin
  • Various diagnostic logs that may point to existing files on the system that in turn may contain references to interesting artifacts
    • Diagnostics-*
  • References to USB devices
    • DriverFrameworks-UserMode\Operational
  • References to modifications of Regional Settings/Languages
    • Internationl\Operational
      • e.g. Process number 3056 (C:\Windows\system32\rundll32.exe) called SetUserGeoID(104) successfully.
    • International-RegionalOptionsControlPanel\Operational
      • e.g. The user changed their location preference (GeoID) to 104.
  • References to Kernel Event Tracing
    • Kernel-EventTracing\Admin
  • History of Network profiles
    • NetworkProfile\Operational
  • History of issues with network gateway
    • NlaSvc\Operational
  • User logon events are listed here
    • OfflineFiles\Operational
    • User Profile Service\Operational
  • Changes of the default printer
    • PrintService\Admin
  • Terminal services logons
    • TerminalServices-ClientActiveXCore\Microsoft-Windows-TerminalServices-RDPClient/Operational
    • TerminalServices-LocalSessionManager\Operational
  • LiveID-related logs
    • LiveId\Operational
  • Security Mitigations (not sure what it is, but seems to be detecting dynamic code)
    • Security-Mitigations\Operational
  • Lots of Shell-related activities
    • Shell-Core\*
  • SMB logs
    • SMBClient\*
    • SMBServer\*

Can we stop detecting mimikatz please?

Posted on by

Obviously, the title of this post is a joke. We should be detecting mimikatz as a priority. What I’d like to explore though is how to go a little bit further…

I was playing a lot with sysmon config recently, and spotted that there are at least two underutilized events that are most of the time omitted from the publicly available sysmon configs. And if they are included, they typically focus on mimikatz.

These are:

  • ProcessAccess
  • ImageLoaded

After a short discussion on Twitter, I decided to write a post about these two.

The ProcessAccess is an event that is triggered when process tries to get access to another process, and succeeds. Once you get the access granted, the process handle is given to your process, and you can use it in subsequent calls to allocate virtual memory, write to memory, read from memory, etc. – you pretty much can do whatever you want with that process.

Not so fast though.

The rights you are granted depend on many things. If you want to know more, go to MSDN and read about it, for our discussion we just need to focus on two things:

  • ProcessAccess event logs _granted_ access events; it means they were successful.
  • ProcesAccess is very noisy; this is because lots of processes abuse inter-process communication, and often request too many rights than they really need. See examples below:

This is why sysmon logs for the ProcessAccess event are very frustrating. There are just too many of them!

The good news is that we can do two things:

  • Focus on specific use cases, e.g. access to lsass.exe
  • Filter down the rest and look for some interesting cases.

The first one has been documented in many papers, mainly focused on mimikatz detection. The second one is what I will describe briefly below:

Assuming that you log every ProcessAccess event at first, you can try to add exclusions:

  • GrantedAccess – exclude all that don’t include PROCESS_VM_WRITE and/or PROCESS_VM_READ; unfortunately, there is a lot of combinations and you need to build a number of rules to cover it all as sysmon doesn’t offer bitmask condition
  • CallTrace – this is handy, you can immediately cherry-pick anything that includes the string ‘UNKNOWN’ (meaning that the sysmon can’t resolve the address of code from where the OpenProcess function was called to a specific image on the system)
  • SourceImage – you can exclude the system processes; this is a bit of a stretch, because if malware is using some trick to inject code into e.g. svchost.exe, it means that any code injections originating from svchost.exe won’t be seen in sysmon logs; you have been warned
  • TargetImage – this is a tough one for exclusions; probably most of the system binaries are safe, but are they… malware can launch any of them in a suspended state and inject code into them; again, you have been warned

What about the ImageLoaded?

This is a tricky one. We don’t want to see OS libs, we don’t want to see clean libs. We only want to see suspicious libs.

Some configs look specifically at these:

  • mimilib.dll
  • WinSCard.dll
  • samlib.dll
  • System.Management.Automation

Some analysts suggest looking for vbe*.dll loaded into Office programs to detect Macros being executed.

Still, these focus on a very narrow set of use cases i.e. mimikatz PowerShell libraries, Office Macros.

But there is always more.

What about these?

  • nspr4
  • nss3
  • nssutil3
  • plc4
  • plds4
  • softokn3
  • sqlite3
  • Pstorec
  • *hook*
  • KillProcDLL
  • SelfDel
  • airpcap
  • ndisnpp
  • NPPTools
  • wpcap

Many of these are related to malicious activity one way or another. Some are from old malware, some only work on Windows XP or Windows 7, but it doesn’t change a thing. Even an old commodity malware needs to be detected, if accidentally executed, no? Same for functionality that some of these libraries offer – network sniffing, generic hooking, password decryption, killing processes, self deletion, etc.

And in an extreme case, we could build a baseline of all DLLs executed on all monitored systems over a period of time, and then build exclusion rules for all of them. Any new DLL could be highlighted.

There is no simple way to put together a config that will cater for all cases, but I think we need more rules that go beyond the mimikatz detection.

Any suspicious process that we can spot quickly by seeing it establishing access to other process it is us discovering a precursor to code/data injection. Any process that loads a blacklisted DLL needs to be inspected pronto.