Wednesday, June 03, 2009

The Case of the "Default User"

Ever run across a case during which, while examining Internet browser history, you found that the "Default User" had browser history? Ever wondered about that?

Rob "van" Hensing was one of the first I know of to blog about this issue, almost three years ago. Given the time frame, this is a good time to bring this subject up again, don't'cha think?

I've seen this sort of thing in a couple of instances, specifically when SQL injection has been used to gain access to an infrastructure, and the bad guy gets a copy of wget.exe (static PE analysis will tell you if the program accesses the WinInet APIs) onto the system, and then uses that to pull down other files - in many cases, they'd use echo to create an FTP script, then launch the native command line FTP client using the script, or use wget.exe to pull the files down. Why? Well, most times FTP and/or HTTP are allowed out through the firewall.

Good stuff.

4 comments:

Erik H said...

Apart from FTP and HTTP attackers could also chose to retrieve files by using TFTP. TFTP clients are available by default on most OS’s (including Windows). Not many tools can reassemble files sent over TFTP though (probably because it uses UDP for transport). Not even Wireshark.

The only tools I know that can handle this task is TFTPgrab and NetworkMiner

Keydet89 said...

Erik,

Good one, and I have seen TFTP used!

Also, I ran NetworkMiner a couple of times before including it in the book, and it did have trouble reassembling files transmitted via SMB.

Thanks~

jaymcjay said...

It's also fairly common, during the initial build of a standard enterprise image, to do all the profile changes you like to, say, the Administrator account, and then replace the "Default User" profile with the Administrator one. That way new users have the same printers, desktop background, HKCU settings, etc.

It also means browser history would be in the Default User profile.

Keydet89 said...

Interesting...good point, but I can't say that I've ever seen this done.

I've always found the web browser history in the Default User profile well after the system was installed, and correlated it directly to the intrusion/malicious activity.