CNIT 152 12. Investigating Windows Systems (Part 3)

CNIT 152:
Incident
Response
12 Investigating Windows System
s

(Part 3)
Updated 11-11-21

Other Artifacts of Interactive
Sessions

Interactive Sessions
• For the purposes of this section, include
s

• Login with user at the consol
e

• Remote Desktop session
s

• Screen sharing (via VNC or similar software)

LNK Files
• Shortcuts to
fi
le
s

• Serve as extensions to Windows Explore
r

• Windows automatically creates LNKs for every
opened
fi
l
e

• To populate "Recent Files
"

• Separate list in each user pro
fi
le

Timeline
• LNK
fi
les can show just what a user di
d

• Which
fi
les were accessed, and in what order

Jump Lists
• Right-click a
taskbar icon to
show recently used
item
s

• Word shows recent
Word
fi
les, etc.

Where Jump Lists are
Stored
• Not human-readable, you need tool
s

• JumpLister for Windows 7-
8

• JLECmd for Windows 10 (link Ch 12t)

The Recycle Bin
• Located in $Recycle.Bi
n

• Contains
fi
les deleted from the hard dis
k

• But not if deleted from removable drive
s

• Or from the Command Promp
t

• Or with Shift+Delete

Ri
fi
uti2 Tool
• Link Ch 12u

Types of Memory
• Physical (RAM chips
)

• Page
fi
l
e

• Data moved out of RAM onto the hard dis
k

• %SYSTEMDRIVE%page
fi
le.sys

Crash Dumps
• Can be produced when Windows crashes with
the "Blue-Screen of Death
"

• Three level
s

• Kernel Memory Dump (default
)

• Small Memory Dump (Minidump
)

• Complete Memory Dump

Crash Dump Storage
• %LOCALAPPDATA%Crashdump
s

• Complete Memory Dump is most useful typ
e

• But it's rarely turned on

Hibernation Files
• Saves the full contents of RAM on dis
k

• %SYSTEMDRIVE%Hiber
fi
l.sy
s

• It's compressed and includes metadat
a

• Link Ch 8
t

• Volatility can parse it

Running Processes
• Volatility can recover

Handles
• Used to access
fi
les, devices, and more from
softwar
e

• Can help when analyzing malwar
e

• Mutants or Mutexes are used for inter-process
communicatio
n

• To lock a resource so no other process
changes it while it's in us
e

• Used by malware to prevent re-infection

Handles for Zeus
• Mutant _AVIRA_2108 is a
fi
ngerprint of Zeu
s

• Link Ch 12u

Memory Sections
• Each process has a virtual address spac
e

• Including RAM and some disk space in the
page
fi
l
e

• The OS swaps data in and out of physical
memor
y

• Virtual Address Descriptor (VAD) tre
e

• A kernel data structure that shows how
memory is used by each process (link Ch 12v)

Detecting Malicious DLLs
• Check for valid digital signature
s

• Known-good or -bad hash value
s

• Evidence of process-tampering attack
s

• Malware loading a DLL surreptitiously or
running code in memory

Other Memory Artifacts
• Network connection
s

• Loaded driver
s

• Runs in kernel, with elevated privilege
s

• Console command histor
y

• Strings in memor
y

• Credentials

Page
fi
le Analysis
• Has no intrinsic structur
e

• Can search for string
s

• Be careful: antivirus and host-based intrusion
detection systems leave signatures in the
page
fi
l
e

• Suspicious IP addresses, domain names,
and malware
fi
lename
s

• Windows can clear the page
fi
le on shutdown,
but this is not its default setting

Analyzing Common
 
In-Memory Attacks
• Process injectio
n

• Hooking

Process Injection
• A malicious injecting process causes a
legitimate process (injected) to load and
execute malicious cod
e

• In-memory attac
k

• Disk
fi
les do not chang
e

• Injected process has no evidence indicating
which process was responsible for the injection

Methods of Process
Injection
• Use Windows APIs (requires Administrator or
SYSTEM privileges
)

• Force target process to load a malicious DLL
from dis
k

• Directly write malicious code to target
process's memory and invoke a remote thread
to execute it

Process Replacement
• Malware launches a legitimate executable in a
suspended stat
e

• Then overwrite process memory with malicious
cod
e

• Unsuspend it to execute

Detecting Malicious
Injection
• Memory sections with Execute, Read and Write
permission
s

• Processes that don't match corresponding disk
fi
le
s

• Links Ch 12w, 12x

Sysmon Detecting Injection
https://letsdefend.io/blog/process-injection-detection-with-sysmon/

Finding Persistence
Mechanisms
• The injecting process needs a persistence
mechanism to survive reboot
s

• So it may be found i
n

• Auto-run keys, DLL load-order hijacking, etc.

Hooking
• Allows code within running processes to
intercept, modify, and view events such as
function calls and data they retur
n

• Windows provides many API mechanisms to do
thi
s

• Used by legitimate program
s

• Antivirus, host-based intrusion detection
systems, application inventory software

Malicious Hooking
• Rootkits use hooking to hide
fi
les, processes,
registry keys, or network connection
s

• Keyloggers may use SetWindowsHookEx to
cause a malicious DLL function to be called
whenever a keyboard event occur
s

• Or use GetAsyncKeyState to constantly check
the up/down state of keys

Types of Hooks
• Manipulate a process's Import Address Tabl
e

• So it calls malicious functions instead of
legitimate system function
s

• Hook kernel structures such as the Interrupt
Descriptor Table (IDT) and System Service
Dispatch Table (SSDT
)

• Prevented on modern Windows systems by
Kernel Patch Protection (KPP)

Zeus Hook
• The next slide shows the output of
"apihooks" (a Volatility plugin
)

• On a system infected with Zeu
s

• Shows an inline hook to the HttpSendRequestA
function imported from WinInet.dll within the
process space of lsass.exe

Memory Analysis Tools
• Acquisition tool
s

• FTK Image
r

• DumpI
t

• Memoryz
e

• Velocirapto
r

• Analysis tool
s

• Memoryz
e

• Volatility

Alternative Persistence
Mechanisms

Alternative Persistence
Mechanisms
• Startup folder
s

• Recurring task
s

• System binary modi
fi
catio
n

• The sticky keys attac
k

• DLL load-order hijacking

Startup Folders
• Any program or shortcut in this folder is
launche
d

• On startup or login

Recurring Tasks
• Use "at" or "schtasks" command
s

• To make a task that recurs at regular times or
days of the wee
k

• Future and recurring scheduled tasks persist as
.job
fi
les in %SYSTEMROOT%Tasks

System Binary Modi
fi
cation
• Modify existing Windows binar
y

• Typically one automatically loaded on bootup
or logi
n

• Add malicious cod
e

• Time-stom
p

• Will change MD5 hash and break signature, but
not all legitimate binaries are signed

Careful Modi
fi
cations
• Changes that cause Windows to crash or impair
user experience will limit the attacker's ability to
persis
t

• Attackers are more likely to replace noncritical
executables or libraries

Defenses
• Windows File Protection in older versions
of Windows (XP, 2000
)

• Easily bypassed by a local Administrato
r

• Replaced by Windows Resource Protection
(WRP) in Windows Vista and late
r

• Requires TrustedInstaller permissions to
alter WFP-governed resource
s

• More resistant to tampering

The Sticky Keys Attack
• Targets sethc.ex
e

• A
fi
le that provides accessibility feature
s

• Replace sethc.exe with cmd.ex
e

• Press Shift key
fi
ve times before logo
n

• A command shell opens with SYSTEM
privilege
s

• Even works during a Remote Desktop
Protocol session

• No longer works on Vista and later version
s

• But there's another way to get the same result
The Sticky Keys Attack

DLL Load-Order Hijacking
• DLLs are loaded when a program launche
s

• But DLLs might be in many different folder
s

• "KnownDLLs" registry key lists known system
DLLs and ensures that they are always loaded
from %systemroot%System32

DLL Load-Order Hijacking
Works When:
• ntshrui.dll is loaded by Windows Explorer and is
vulnerabl
e

• A malicious ntshrui.dll in %systemroot% will
launch when Explorer does

CNIT 152 12. Investigating Windows Systems (Part 3)

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a CNIT 152 12. Investigating Windows Systems (Part 3)

Similar a CNIT 152 12. Investigating Windows Systems (Part 3) (20)

Más de Sam Bowne

Más de Sam Bowne (20)

Último

Último (20)

CNIT 152 12. Investigating Windows Systems (Part 3)