The document emphasizes the critical importance of logs in cybersecurity, particularly in detecting and analyzing malware incidents on Windows systems. The author, an expert in malware and log management, provides insights into enabling and configuring logs to effectively track malicious activities. It also outlines practical steps for auditing and monitoring key system activities to improve security postures against potential threats.

1. Logs, Logs, Logs
What you need to know
to catch a thief
Jason Freddy
MalwareArchaeology.com

2. Who am I
• Blue Team Defender Ninja, Logoholic, Malware
Archaeologist
• I love logs – they tell us Who, What, Where, When and
hopefully How
• Author of the “Windows Logging Cheat Sheet”
• @HackerHurricane also my Blog
• Inventor of the Malware Management Framework

3. Why are logs important?
• Have you ever had an Incident and called a
consultancy?
• What is one of the first, if not the first thing
they do?
• It is referenced in every DBIR report
• LOGS!
• Details of what happened, where, how and by
whom

4. Yes, Logs ARE SEXY!
• SEXY - because logs tell you what a particular malware did or the
malwarian (aka Bad Actor) did on your system(s)
• SEXY – Because they are the one way that you can get the details
you need to know what happened
• SEXY – Because this preso is going to show you how for Windows
systems
• SEXY – Because if Target, Neiman Marcus, Michael’s, Home Depot…
did this… I wouldn’t have a presentation
• NOT SEXY – Because most logs are not enabled or configured
properly
• And because….

5. Malware and Logs
• I love malware and malware discovery
• But once I find an infected system, what
happened before I found it?
• Was there more than one system involved?
• What did the Malwarian do?
• What behavior did the system or systems have
after the initial infection?
• Logs are the perfect partner to malware! If you
do it right you could have detected all this…

6. You’re Next
97,000 76 Mil + 8 Mil
1000+ Businesses395 Stores
4.5 Million
25,000
4.9 Million
4.03 Million
105k trans
40 Million
40+70 Million
$148 Mil
33 locations
650k - 2010
??????
76,000
670,000
1900 locations
145 Million
20,000
3 Million
35,000
60,000 alerts
990,000
56 Mil
550,000
TBD
Citigroup, E*Trade Financial Corp.,
Regions Financial Crop, HSBC
Holdings and ADP
??????

7. So why listen to me?
• I have been there
• In the worst way
• Found the malware quickly
• Discovered it 10 months before the Kaspersky report
• We needed to know more… Who, What, Where, When and
How
• Found logs were not fully enabled or configured and
couldn’t get the data we needed
• Once the Logs were enabled and configured, we saw all
kinds of cool stuff, showed the How that we ALL NEED
• After CryptoLocker I created the definitive guide:
– “The Windows Logging Cheat Sheet”

8. Get this document!
• www.MalwareArchaeology.comlogs

9. So what can you do with logs?

10. You could catch CryptoWall

11. You can catch Malwarians

12. So what can we do with logs?
• More than you would have ever guessed
• Not only detect Target, Neiman Marcus, Michael’s,
Home Depot, Anthem, etc…
• But also government sponsored malware like Casper,
Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.
• Yes, even the really bad stuff, well good stuff to me ;-)
• IF… you know what to look for
• And why this talk… so you can learn WHAT to look for

13. Auditing

14. Audit the Registry
• Run Keys HKLM & HKCU
• Services Some keys are noisy – disable
• Use Malware Management to guide you
• Keys that are not noisy. You will know once
you enable auditing and see tons of 4663
events
• Tune them to be quiet…
• Which means… Remove the normal

15. Audit Key Directories
• C:Perflogs
• C:UsersxyxAppDataLocal
• C:UsersxyxAppDataLocalLow
• C:UsersxyxAppDataRoaming
• C:Program Files
• C:Program Files (x86)
• C:ProgramData
• C:Windows
• C:WindowsSystem
• C:WindowsSystem32
• C:WindowsSystem32wbem
• Every other Windows sub-dir that is small

16. Enable File Creation Auditing
• There are key locations
that everyone should…
MUST watch
• C:Windows
• C:System32
• ..System32WBEM
• Any dir with .EXE
• Just CREATED FILES

17. Audit Key Directories

18. File Auditing – New Files - 4663

19. New File detected
• New Files Created
• Bladelogic.exe
• Event ID:
– 4663

20. CC Data file created
• New Files Created
• Bladelogic.exe
• Event ID:
– 4663

21. Odd account used
• Logon – Odd user?
– Best1_user
• Event ID:
– 4624

22. The DETAILS

23. CMD.Exe executed
• New Process - Command Shell – YAY
• Event ID:
– 4688

24. CMD.Exe executed
• Knowing something suspicious executed is great
• BUT
• Knowing what was executed on the Command
Line is VITAL to catching the thieves!!!
• VITAL !!!! #1 Goal for you in 2015

25. Get the Command Line!
• It’s nice to know cmd.exe executed, but we REALLY want to see what was
executed. It would be better if we could see what was executed with svchost.exe!
• Again, Windows SUCKS by default, even Windows 8.1 and 2012 R2
– I do think this is the K3wlest NEW Logging feature – Worth the upgrade!
• Now available for Win 7 and Server 2008 and later – Needs patch kb3004375
• Set GPO – Must have 2012 DC
– Administrative TemplatesSystemAudit Process Creation
– "Include command line in process creation events“
– http://technet.microsoft.com/en-us/library/dn535776.aspx
• Registry Key
– HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemAudit
– ProcessCreationIncludeCmdLine_Enabled DWORD - 1

26. Command Line GOLD

27. Catch them trying to share

28. Not just CMD.EXE but the hack details

29. Not just CMD.EXE but the hack details

30. Another example

31. So what did we learn from these?
• You MUST enable Command Line logging
• Monitor commands:
– Cmd.exe Command Shell
– Netstat.exe Network Connections
– Cscript Executes VB/C Script
– Pushd Sets Directory for Popd
– Popd Changes directory back
– WMIC Execute WMI commands
– Quser.exe Queries the current user
– Reg.exe Query and edit the registry
– SC.exe Start and Stop Services
– Regini.exe Add/Edit registry values
– Attrib.exe Change file attributes
– Cacls.exe Change file permissions
– Xcacls.exe Change file permissions
– Takeown.exe Take ownership of a file
– Auditpol.exe Sets Auditing settings (GPO too)
– Netsh Windows Firewall

32. Translate this into Event Codes
• Process Create 4688
– Of course enable CMD Line logging
• File/Registry Auditing 4663
• Service Created 4075
• Service Changed 4070
• User Login Success 4624
• Share accessed 5140
The SEXY SIX

33. The Manual way - 4688
• Look for Executables in UsersAppData
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "AppData" | find /i "New Process Name"
Gives you this:
New Process Name: C:Users<username>AppDataLocalmalware.exe
New Process Name: C:Users<username>AppDataLocalCitrixGoToMeeting2185g2mvideoconference.exe
New Process Name: C:Users<username>AppDataLocalCitrixGoToMeeting2185g2mui.exe
New Process Name: C:Users<username> AppDataLocalCitrixGoToMeeting2185g2mlauncher.exe
New Process Name: C:Users<username>AppDataLocalCitrixGoToMeeting2185g2mcomm.exe
New Process Name: C:Users<username>AppDataLocalCitrixGoToMeeting2185g2mstart.exe
New Process Name: C:Users<username>AppDataLocalCitrixGoToMeeting2185G2MInstaller.exe
New Process Name: C:Users<username>AppDataLocalCitrixGoToMeeting2185G2MInstaller.exe
Filter out Citrix…
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text | find /i "AppData" |
find /i "New Process Name" | find /I /v “CitrixGoTo”
Gives you…
New Process Name: C:Users<username>AppDataLocalmalware.exe

34. The Manual way - 4688
Last 1000 records
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "New Process Name" | find /i
"AppData“
New Process Name: C:Users<username>AppDataLocalTempbadstuffmalware.exe
New Process Name: C:Users<username>AppDataLocalTempbadstuffmalware.exe
New Process Name: C:Users<username>AppDataLocalTempmalware_users_Temp.exe
New Process Name: C:Users<username>AppDataLocalNVIDIANvBackendPackages00007063CoProc
update.19333411.exe
New Process Name: C:Users<username>AppDataRoamingDropboxbinDropbox.exe
New Process Name: C:Users<username>AppDataRoamingDropboxbinupdateDropbox.exe
New Process Name: C:Users<username>AppDataRoamingDropboxbinDropbox.exe
New Process Name:
C:Users<username>AppDataLocalApps2.0R9P169LK.0LAEA80CTLH.BZ3dell..tion_0f612f649c4a10af
_0005.000b_17ede8fa7a4e5cacDellSystemDetect.exe
New Process Name: C:Users<username>AppDataLocalAppleApple Software UpdateSetupAdmin.exe
New Process Name: C:Users<username>AppDataLocalTempi4jdel0.exe
New Process Name:
C:Users<username>AppDataLocalTempe4j9473.tmp_dir1424306522jrebinunpack200.exe
New Process Name:
C:Users<username>AppDataLocalTempe4j9473.tmp_dir1424306522jrebinunpack200.exe

35. The Manual way - 4688
Last 1000 records
WevtUtil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | find /i "Command" | find /i ".exe" | find
/i /v "windows" | find /i /v "Program files" | find /i /v "taskeng.exe" | find /i /v "taskhost.exe" | find /i /v
"logonUI.exe" | find /i /v “consent.exe" | find /i /v "programdata" | find /i /v "nvidianvbackendpackages" | find /i /v
"dropbox" | find /i /v "/i"
Gives you…
Process Command Line: malware.exe
Process Command Line: malware.exe 25.233.45.123
Process Command Line: malware_users_Temp.exe /u:hacker /p:yurfracked
Process Command Line: wmiadap.exe /F /T /R
Process Command Line: rundll32.exe NVCPL.DLL,NvStartupRunOnFirstSessionUserAccount
Process Command Line: "C:UsersMGAppDataLocalApps2.0R9P169LK.0LAEA80CTLH.BZ3
dell..tion_0f612f649c4a10af_0005.000b_17ede8fa7a4e5cacDellSystemDetect.exe"
Process Command Line: atbroker.exe
Process Command Line: C:PROGRA~1SUMOLO~1wrapper.exe -s
C:PROGRA~1SUMOLO~1c onfigwrapper.conf
Process Command Line: winlogon.exe
Process Command Line: "C:UsersMGAppDataLocalAppleApple Software UpdateSetupAdmin.exe"
What looks bad?

36. Catch Dave’s SET
& MetaSploit too

37. Enable Powershell command line
• It’s nice to know Powershell executed, but we REALLY want to see what was executed
• Again, Windows SUCKS by default, Powershell
• Details on setting PowerShell Preference variables
– http://technet.microsoft.com/en-us/library/hh847796.aspx
• Set Execution Policy to allo .PS1 files to execute so default profile works
– powershell Set-ExecutionPolicy RemoteSigned
• Create a Default Profile for all users:
– C:WindowsSystem32WindowsPowershellv1.0
– Profile.ps1
• Add these to your default profile.ps1 file
– $LogCommandHealthEvent = $true
– $LogCommandLifecycleEvent = $true
• Splunk - Inputs.conf
– # Windows platform specific input processor
– [WinEventLog://Windows PowerShell]
– disabled = 0
• Upgrade to ver 3 or ver 4
• Investigating PowerShell Attacks (DefCon & Blackhat 2014)
– Ryan Kazanciyan TECHNICAL DIRECTOR, MANDIANT
– Matt Hastings CONSULTANT, MANDIANT

38. Enable Powershell command line
• And if a bypass is used?
• EventCode 4688 with
command line to the
rescue!
• This is a MUST to Alert
on. If this occurs, you
are being hacked!

39. Log everything!
• If it is Internet facing… LOG IT!
• Hack yourself or use Pen Tests to improve your
logs – Catch them in the act!
– Purple Testing
• You should catch SQL Injection
– Failed Reads, Failed Writes
• Bruting of Apps – Get the logs to see this
behavior #1 Software Development task
• Enable Auditing for NEW Files on Internet
servers, you will be amazed how quiet this is

40. In Summary
• Malware is noisy
• We CAN detect it
• Logs can hold all types of information
– It’s NOT just for Forensics anymore
• All we have to do is:
– Enable the Logs
– Configure the Logs
– Gather the Logs
– Harvest the Logs
• Look for 6 SEXY Events
• And use the “Windows Logging Cheat Sheet”

41. Resources
• Our Website
– MalwareArchaeology.com
• The Handout – Windows Logging Cheat Sheet
– www.MalwareArchaeology/logs

42. Questions?
• You can find me at:
• @HackerHurricane
• Yes – We do consulting ;-)