Thursday, September 04, 2014

What Does That Look Like, Pt II

In my last post, I talked about sharing what things "look like" on a system, and as something of a follow up to that post, this article was published on the Dell SecureWorks blog, illustrating indicators of the use of lateral movement via the 'at.exe' command.  I wanted to take a moment to provide some additional insight into that post, with a view towards potentially-available indicators that did not make it into the article, simply because I felt that they didn't fit with the focus of the article.

Terminology
Some definitions before moving on...I'm providing these as living, "working" definitions that can be tweaked and modified as we go along.  I know that going into this, there will be those who ask for definitions, as well as those who see the definitions and simply say, "no, that's not what that means"...and that's okay.  We have to start somewhere, right?

Artifact - an element of a data source.  A data source might be a Windows Event Log file, and an artifact would be a Windows Event Log record.

Indicator - an artifact, with some sort of context applied to it.  That context may vary, which means the value of the indicator may vary.  As I mentioned before, sharing indicators, even those we've seen before or those we believe others have already seen is very valuable, in that it allows us to increase the reliability of those indicators.

Some mathy stuff to help provide a description...

Indicator = artifact + context

TTPs - clusters of indicators that can be used to illustrate intruder or user actions

Like I said, these are working definitions that can be tweaked and modified, if necessary.  I do think that they are important to have, as it provides us with a common platform from which to launch discussion and discourse.  Too often, discussions get tangled and confused over terminology and definitions, such as the difference between a Registry key and value; the distinction may be subtle, even irrelevant to some, but to others, they speak to the clarity and precision of the discussion.

If you read through the SecureWorks article, you might think that there are some things missing, particularly from the perspective of the source system in the lateral movement.  The article states that the observed indicator of the lateral movement is an application prefetch file for at.exe, and that's pretty much the case.  The purpose of the article is to show those indicators that (a) are not often looked at, and (b) persist well beyond the removal of tools, etc.

It's clear that for this lateral movement to function properly, the file (or files) launched by the Scheduled Task need to be moved to the destination system before the task is registered.  For example, an executable file might be copied to the destination system using a command such as:

cmd.exe - copy rar.exe \\host\c$\windows\tool1.exe

The above command (which I've obfuscated, for obvious reasons) was found on a source system, in the pagefile.  Again, this was found on a source system involved in lateral movement.  This is just an example of what you might find.  Unlike the use of PSExec, the tool/executable being run needs to be available on the destination system before it can be launched via a Scheduled Task, and the use of the copy command, used in conjunction with compromised credentials, is one way to get the file on the destination system.

Now, let's assume that the tool used ("tool1.exe") is, in fact, a copy of rar.exe and is used to archive some files...you might find an at.exe command similar to the below in the pagefile, as well:

cmd.exe - at \\host 3:00am cmd /c
"c:\windows\tool1.exe a c:\windows\m.exe -m5  c:\windows\r.txt"

Again, this is just an example of what you might find...any actual commands used by the intruder would clearly vary based on what they wanted to achieve.

Something to consider with respect to the above command is the time parameter.  In the article, I provided some indicators to look for with respect to the Scheduled Task being registered, and with the use of the time parameter, you may see a time gap between when the task is registered, and when it's actually executed.  I saw one task that was run a full 30 minutes after it had been registered on the destination system.  This can have an effect on your timeline analysis, so be aware/wary of it.

When it's all said and done, the intruder may then delete files used or created using commands similar to the below:

del \\host\c$\windows\r.txt

What's interesting is that, of the above commands (run on the source system during lateral movement), only the one used to create the Scheduled Task (via at.exe) will result in an application prefetch file being created, as indicated in "Source Host" section of the article (NOTE: this will only occur on a system that is configured to create application prefetch files; by default, Windows server systems do NOT create application prefetch files).  Unless you have some instrumentation in place for monitoring process creation and command lines (Sysmon, Carbon Black, etc.), or if you're able to detect this activity and collect a memory sample from a system relatively quickly, you may miss the above indicators extracted from the pagefile.  Keep in mind, too, that the above commands are simply examples, and were found in the pagefile; as such, they have no time stamps associated with them, and cannot be tied directly to what was seen in the article.

Also, one of the things I've talked about at great length is how much what we see on a Windows system is controlled by values in the Registry; the above indicators would have been obviated if the system was configured such that the pagefile was cleared on shutdown, and the system was cleanly shut down prior to an image being acquired.

Finally, once again, the purpose of the article posted to the Dell SecureWorks blog was to illustrate those indicators that tend to persist over time.

5 comments:

Joachim Metz said...

Harlan, first of all it's good that you want to start this discussion.

> Artifact - an element of a data source.
First some context on the term artifact or artefact. I prefer the link with archaeology and not software development.
http://en.wikipedia.org/wiki/Artifact_(archaeology)
http://en.wikipedia.org/wiki/Artifact_(software_development)

"something made or given shape by man, such as a tool or a work of art, esp an object of archaeological interest"

So not a data source per definition I would use the definition:

"An object of digital archaeological interest". Where digital archaeological roughly refers to digital forensics analysis without the forensic part.

> A data source might be a Windows Event Log file, and an artifact would be a Windows Event Log record.

What about the event described by the "Windows Event Log record"? IMO that would be a separate artifact.

So my question to you is the artifact per definition a data source or is it more the data in the "source"?

For dis-ambiguity: http://en.wikipedia.org/wiki/Datasource

> Indicator = artifact + context

both terms are to vague to define as a formula

> Indicator - an artifact, with some sort of context applied to it.

Some indicators will not be artifacts and have no context but they are still indicators, in sense of the word. E.g. what about a behavioral pattern that will be based on the information from multiple artifacts. E.g. what about an indicator based on statistical analysis?

IMO an indicator is a complex filter. That you can use an artifact in that filter does not mean it is part of the definition per se.


> TTPs - clusters of indicators that can be used to illustrate intruder or user actions

Threats Techniques and Procedures (TTP); don't try to redefine a perfectly clear definition.

Joachim Metz said...

Or with TTP do you mean:
Tactics, Techniques and Procedures (TTP) ?

Some context you might want to read:
https://msm.mitre.org/docs/STIX-Whitepaper.pdf

H. Carvey said...

Joachim,

Thanks for the comments.

So, I'm curious...did you stop reading halfway through the post? I appreciate your rather prolific insight...does it continue to the rest of the content?

Thanks again.

Joachim Metz said...

> So, I'm curious...did you stop reading halfway through the post?

Yes I did, as you indicate in:
> I do think that they are important to have, as it provides us with a common platform from which to launch discussion and discourse.

I'm launching a discussion.

> Too often, discussions get tangled and confused over terminology and definitions,
> such as the difference between a Registry key and value; the distinction may be
> subtle, even irrelevant to some, but to others, they speak to the clarity and
> precision of the discussion.

I'm trying to add clarity here and remove the confusion.

> I appreciate your rather prolific insight...does it continue to the rest of the content?

Not sure what you are hinting at here, please clarify. You start with a discussion about definitions and then switch to a discussion about an article if you were aiming to get another discussion out of the article, then consider to be more verbose about this.



Anonymous said...

...the above indicators would have been obviated if the system was configured such that the pagefile was cleared on shutdown, and the system was cleanly shut down prior to an image being acquired.

I'm curious... did you stop half way through the Volatility training? There could still be a hibernation file and its slack. Also, since the source was running Windows 7, as the original article clearly states, it's possible to find both the hibernation and page file in VSCs.

Thanks.