Yearly Archives: 2019

Don’t stress about a bit of stress testing

Posted on by

What if… we added 100K HKCU\…\Run keys to the Registry?

What will be the impact on the system? What will be impact on the EDR tools? Sysmon? Windows Event Logs? Autoruns? Regedit?

I prepared a test Reg file with 100K dummy HKCU\…\Run entries – click to download it. I then imported them to the Registry.

It actually took a while.

During this time the GUI version of Regedit.exe pointing to HKCU\…\Run entries was DoSd. I am not sure if it was because of slow enumeration of the Run key entries at that moment (while they key was being updated), or it was simply locked due to a second instance of regedit.exe running (and busy adding entries) – perhaps the program is using some blocking mechanism e.g. mutex to avoid concurrent access to the same resources. In any case, this took a few minutes.

Sysmon was running in the background, and intercepted all the entries with no problem. All good.

Unfortunately, EDR tests are harder, because tools are not available to public. You should perhaps try to test it with your EDR, because it may show some interesting gaps…

Running GUI version of Autoruns takes a long time – it is not only a large number of items to enumerate, Autoruns populates GUI as it reads the values – perhaps updates should be done in one go? with the window painting temporarily disabled(?).

When ran from command line, autorunsc.exe ran for less than 30 seconds to enumerate everything which is pretty good. I believe that it would change dramatically if the dummy files actually existed on the system (in my test entries point to non-existing files).

I guess a similar test could be run with processes. Grab a dummy file, rename and run it 100K times and see what happens…

Timestomping and event spoofing in the cloud?

Posted on by

When events are logged on the endpoint there is an unspoken trust that the log writing code puts in the OS. The trust that the OS will provide an accurate timestamp so the log can be valid. This trust is very important, because when it is not there, all the logs are not worth a dime… Something happened, but no one knows exactly when.

Obviously, anyone who ever changed time on their system, cracked a basic, time-based software protection, used a timestomp tool, or manually edited binary timestamps knows that these can be manipulated.

I wonder to what extent testing has been done on forensic tools to see how such manipulations affects the results of analysis, and in particular, the resulting timelines, and perhaps even how it affected some court cases. If you know any research on this subject I’d love to hear from you.

The complications that network brings to the table are even more interesting. If we barely can trust the timestamps on the host, what about the host managed over the network? Assuming that we have a number of systems that collect, and cache/forward events from the endpoint to the server, could these events be cleverly timestomped / manipulated / spoofed in any way?

This is purely theoretical, I have not tested any security solution for susceptibility to this kind of attack, but I thought it’s an interesting idea to throw out there. I will be happy if anyone debunks it, or perhaps someone on the red team side finds enough interest in it to take it further and maybe even develop a POC. Plus, I bet I am not the only one thinking of this, so maybe there exist a body of knowledge that already deals with it, and I just missed it?

Say, we have two systems, A and B. A is clean, and B is under the control of an attacker.

If the logs:

  • are being collected on the endpoint and events are cached, and sent in batches, or forwarded immediately
  • the events are collected / forwarded in their ‘final’ stage i.e. data enriched, and include all the fields that must be transmitted to the central repository – i.e. tuples ready to be stored on the server side
  • these tuples can be manipulated (on disk or in memory)
  • the central repository ingests logs in a way they arrive i.e. not verifying the content of the individual events e.g.
    • are all timestamps ok?
    • is hostname/ip in the logs the same as the hostname/ip that claims to be the source of the logs?
    • perhaps other checks (integrity, etc.)

If this is the case, then there is a theoretical possibility of host B being able to inject fake events for host A and storing it on the central server.

The consequences could be very interesting:

  • Alerts about bad stuff would be coming from A instead of B.
  • Timelines of both systems could be manufactured / redacted.
  • Manhours lost on chasing unicorns and manual forensics would be possibly long.

Again, I have not tested it and it could be just a silly idea that cannot be implemented in practice, because the logs are handled properly by all the security solutions, or perhaps there is a flaw in my reasoning (e.g. some sort of non-repudiation/integrity check / challenge for the sources, timestamps and the content is always present in all security solutions for ages?).

In any case, it’s the good ol’ idea of IP address spoofing applied to the events. Timestomping can be an added bonus.