Anomalies Detection: Windows OS - Part 1

Anomalies Detection : Windows
Operating System – Part 1
Rhydham Joshi
M.S. in Software Engineering, San Jose State University
Phone : (+1) 408-987-1991 | Email : rhydham.joshi@yahoo.com
Blog : malwareforensics1.blogspot.com | Linkedin : www.linkedin.com/in/rhydhamjoshi

Contents:
• Rogue Processes identification
• Common methods to identify malwares hidden in
plain sight:
• Common methods to identify Code Injection/
Rootkits
• Windows Sysinternals: Process Explorer
• Windows Sysinternals: Sigcheck
• AnalyzePESig
• Mandiant Redline
• Unknown Services
• Background about Services hosted in Windows OS
• Steps for investigating unknown services
• SC Command
• Common Services & Normal Behavior
• Code Injection and Rootkit Behavior
• Rootkits and Anomalies
• Kaspersky TDSSKiller
• GMER Rootkit
• RootkitRevealer
• Unusual OS artifacts
• Prefetch files
• Shimcache files
• UserAssist Utility
• Schtasks.exe
• PSExec
• PsLoggedOn
• ProcDump
• Wmic
• MountPoints2 Forensics
• Suspicious Network activity
• Evidence of Persistence
• Autoruns
• References

Rogue Processes
Identification

Rogue Processes Identification
• Malwares generally uses one of two strategies for obscuring their malicious processes.
1) Hide in plain sight and attempt to appear legitimate
2) Use code injection and/or rootkit methods to hide from the view of normal analysis tools.
Common methods to identify malwares hidden in plain sight:
• Legitimate process names but originated from the wrong directory path or wrong parent process
(process IDs, process group IDs and session IDs).
• Misspellings like scvhost.exe or lssass.exe
• Unusual command-line arguments, embedded arguments to execute malicious script.
• Suspicious DLLs executed through rundll32.exe, implemented as services with svchost.exe, or injected
into legitimate processes.
• Legitimate signed code can help reveal suspicious executables but this cant be trusted completely
since few malwares are signed.
• Sometimes some malware steals legitimate certificate or could claim to be signed even by legitimate
companies like Microsoft Corp.. Checking the process, parameters, location etc. could help in dealing
with such malwares.

Common methods to identify Code Injection/ Rootkits
• Behavioral approach to malware detection could identify them.
• For live response memory analysis, Mandiant’s Redline will check on-disk signatures for running
code.
• For offline analysis, Didier Stevens’ Authenticode Tools or Windows Sysinternals sigcheck.exe
(Sigcheck –u –vr –e –s * ) provides significant information.
• Sysinternals tool Process Explorer: By Checking the Hash value of each and every process with
VirusTotal(Antivirus as a Service) or searching online could help in narrowing down investigation.
• Memory Analysis using Volatility Framework provides better results in analyzing and identifying
rootkits.
Rogue Processes Identification

Windows Sysinternals: Process Explorer
• Process Explorer shows information about running processes, handles and DLLs processes have
opened or loaded.
• The Process Explorer display consists of two sub-windows:
• The top window always shows a list of the currently active processes, including the names of
their owning accounts,
• The bottom window depends on the mode that Process Explorer is in:
• If Process Explorer is in handle mode(Options -> View -> Lower Pane View -> Handle), we
can see the handles that the process selected in the top window has opened.
• If Process Explorer is in DLL mode we can see DLLs and memory-mapped files that the
process has loaded.
• Process Explorer also has a powerful search capability that will quickly show which
processes have particular handles opened or DLLs loaded.
• The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or
handle leaks, and provide insight into the way Windows and applications work.
Rogue Processes Identification: Tools

Windows Sysinternals: Process Explorer
Note: See Windows Forensics using Sysinternals post at my blog: http://malwareforensics1.blogspot.com to learn more
about Sysinternals tools and forensics

Windows Sysinternals: Process Explorer Strings : Finding HTTP, HTTPS etc
corresponding to links to malicious
domains
Verified: Verified describes that process is
verified by Akamai Technologies
Built time: Describes when the file was
built. Recent built time may be suspicious
if we can
determine from when probable infection
happens.
Path: process originated from temp, local
folder can be malicious
Command line: Arguments process puts to
CMD
VirusTotal : Describes no infection
Autostart Location: Describes how process
is triggered.
Note: See Windows Forensics using Sysinternals post at my blog: http://malwareforensics1.blogspot.com to learn more
about Sysinternals tools and forensics

Windows Sysinternals: Sigcheck
Sigcheck is a command-line utility that shows file version number, timestamp information, and
digital signature details, including certificate chains. It also includes an option to check a file’s
status on VirusTotal.
Commonly used options:
C:>sigcheck –u –vr –e –s *
-U -> Submit only unsigned process hash
-VR -> Use VirusTotal
-E -> Executables
-S -> Continously check the processes and go on checking its signatures
* -> .exe available throughout the system
Sigcheck upon detection of infection, opens the browser page to describe entire statistics of
that particular file.
Note: AnalyzePESig is similar to Sigcheck but have few more options. Check
http://blog.didierstevens.com/programs/authenticode-tools/ for more information

Note: Most of the field are self-explanatory. For more information visit:
http://blog.didierstevens.com/programs/authenticode-tools/
AnalyzePESig :

Mandiant Redline:
• Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to
find signs of malicious activity through memory and file analysis, and the development of a
threat assessment profile. With Redline, users can:
• Thoroughly audit and collect all running processes and drivers from memory, file system
metadata, registry data, event logs, network information, services, tasks, and web history.
• Analyze and view imported audit data, including narrowing and filtering results around a
given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and
TimeCrunch™ features.
• Streamline memory analysis with a proven workflow for analyzing malware based on
relative priority.
• Identify processes more likely worth investigating based on the Redline Malware Risk Index
(MRI) score.
• Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline
Portable Agent is automatically configured to gather the data required to perform the IOC
analysis and an IOC hit result review.

Simple, easy to use GUI for Mandiant RedLine tool. It provides 3 features, Standard, Comprehensive and IOC search collector
to collect the type of data we want. Ran the script at victim’s system, script will collect the data, take the data back to the
system and then analyze memory file using Analyze Data option

Unknown Services
Background about Services hosted in Windows OS:
• Windows services runs applications/services like system boot services including DHCP Client, Windows Event
Log, Server, and Workstation services etc in the background without user interaction.
• Services can be implemented as standalone executables or loaded as DLLs.
• To conserve resources, many service DLLs are grouped together and run under a smaller set of Windows generic
service host process svchost.exe instances.
• Service and device driver configurations, are stored in the registry under
HKLMSYSTEMCurrentControlSetServices.
• It has parameters for each service like service name, display name, path to the service’s executable image file,
the start type, required privileges, dependencies, and more.
• Each service has a start type configured to start at boot, by manual intervention, or on trigger events such as
obtaining an IP address or hardware device connections. Both Developers and Malware authors takes benefit of
it.
Steps for investigating unknown services:
• For offline analysis, investigate service configurations within the registry.
• On live or remote systems, use the built-in “sc” command to query installed services using parameters like
“queryex”, “qc”, “qprivs”, and “qtriggerinfo” to get detailed information on service configurations.
• Analysis of services can help in detecting anomalies.

SC Command:
• SC is a command line program used for communicating with the
Service Control Manager and services.
• The SC.exe program provides capabilities similar to those provided
in Services in the Control Panel.
• SC.exe retrieves and sets control information about services.
• SC.exe can be used for testing and debugging service programs.
• Service properties stored in the registry can be set to control how
service applications are started at boot time and can be run as
background processes.
• SC.exe parameters can be used to configure a specific service, retrieve
the current status of a service, and stop and start a service.
Unknown Services : Tools

Common Services and
Normal Behavior

Common Services and
Normal Behavior
Courtesy: https://digital-
forensics.sans.org/media/poster_20
14_find_evil.pdf

Anomaly Detection and
Rootkit Behavior

Rootkits and Anomalies:
• Code injection and rootkits provide stealth to malware by hiding it from normal analysis techniques.
• A rootkit is a broad term for describing ways of subverting the operating system with the intent to hide
activities and data. Rootkits are relatively rare due to the skill required to create a reliable exploit across
the various OS versions.
• Code injection is almost never legitimate, with the one exception of software debugging. It provide an
effective way to hide code without relying upon low-level programming knowledge, thus it is popular
among malware authors.
• few rootkit detection tools like GMER, TDSSKiller and Rootkit Revealer, compares the state of the
system as determined by the OS versus the state determined by the tool. When there are differences, it
is often an indication of rootkit behavior.
• Memory analysis tools like Mandiant Redline and Volatility provide robust features for finding code
injection and rootkit behaviors. It can locate suspicious function hooks, which might be redirecting to
malicious code.
Anomaly Detection and Rootkit Behavior

Kaspersky TDSSKiller:
• TDSSKiller is a FREE handy tool that can
quickly detect and remove both known and
unknown rootkits, which are programs that
can hide the presence of malware in your
system.
• A rootkit for Windows systems is a program
that penetrates into the system and
intercepts the system functions (Windows
API).
• It can effectively hide its presence by
intercepting and modifying low-level API
functions.
• Moreover it can hide the presence of
particular processes, folders, files and
registry keys. Some rootkits install its own
drivers and services in the system (they also
remain “invisible”).
Anomaly Detection and Rootkit Behavior: Tools

GMER Rootkit:
• GMER is an application that
detects and removes rootkits .
• It scans for:
• hidden processes
• hidden threads
• hidden modules
• hidden services
• hidden files
• hidden disk sectors (MBR)
• hidden Alternate Data Streams
• hidden registry keys
• drivers hooking SSDT
• drivers hooking IDT
• drivers hooking IRP calls
• inline hooks

RootkitRevealer:
• RootkitRevealer is an advanced rootkit detection utility.
• Its output lists Registry and file system API discrepancies that may indicate the presence of a
user-mode or kernel-mode rootkit.
• RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and
HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't
attempt to hide their files or registry keys).
• Since persistent rootkits work by changing API results so that a system view using APIs differs
from the actual view in storage, RootkitRevealer compares the results of a system scan at the
highest level with that at the lowest level. The highest level is the Windows API and the lowest
level is the raw contents of a file system volume or Registry hive.
• Further analysis of particular registry entry could help in detecting rootkits.

• Compromising a system doesn’t require malware every time. Exploiting vulnerability and misusing
certain legitimate tools could also lead to exploitation.
• Looking for unusual OS-based artifacts that would not exist on a typical workstation in the organization
could assist in determining exploit.
• Investigation on prefetch, shimcache, userassist registry keys and jump lists could help in exploration.
• Odd behavior of tools being run outside the scope of non-technical or normal user activity:
• cmd.exe execution – Provides command-line access
• rar.exe execution or presence of .rar files – Difficult to crack archiving tool for data
exfiltration
• schtasks.exe execution – Used for privilege escalation and persistence
• Existence of Sysinternals tools such as PsExec, PsLoggedOn, and ProcDump – Provide remote
execution, interactive logon enumeration, and dumping of credentials within lsass.exe address
space respectively
• wmic.exe, powershell.exe, or winrm.vbs execution – Used for remote execution
• net.exe execution – Used for mapping drives for lateral movement and enumerating groups like
“Domain Admins”
• reg.exe or sc.exe execution – Add persistence such as Run keys or services
• MountPoints2 registry key – Records shares on remote systems such C$, Temp$, etc.
• .job files in C:WindowsTasks – Related to odd application executions
Unusual OS Artifacts

Prefetch files:
• Windows creates a prefetch file when an application is run from a particular location for the very first
time. This is used to help speed up the loading of applications.
• Evidence of program execution can be a valuable resource to determine any potential wrongdoing.
• If the program has since been deleted, a prefetch file may still exist on the system to provide evidence
of execution.
• It also helps assist examiners in determining when a malicious program was run.
• Combining this with some basic timeline analysis, investigators can identify any additional malicious
files that were downloaded or created on the system, and help determine the root cause of an incident.
• Prefetch files are all named in a common format where the name of the application is listed, then an
eight character hash of the location where the application was run, followed by the .PF extension.
Original path can be determined by evaluating hashes using prefetch file scripts available online (
Forensicswiki & Hexacorn Blog).
• Prefetch files contain details on the number of times the application has been run, volume details, as
well as timestamp information detailing when the application was first and last run giving investigators
several additional timestamps to help build a timeline of events on a system
Courtesy: http://www.magnetforensics.com/forensic-analysis-of-prefetch-files-in-windows/

Shimcache files:
• Microsoft created the ShimCache, or “AppCompatCache” to identify application compatibility issues.
• The cache data tracks file path, size, last modified time, and last “execution” time (depending on OS).
• If a file is executed with Windows “createprocess,” it is logged in the ShimCache. While a file’s presence
in the ShimCache does not 100% prove file execution, it does show Windows interacted with the file.
• The following keys contain ShimCache data:
“HKLMSYSTEMCurrentControlSetControlSession ManagerAppCompatibilityAppCompatCache (XP)
& “HKLMSYSTEMCurrentControlSetControlSession ManagerAppCompatCacheAppCompatCache”
(Non-XP).
• Shimcache data helps in identifying which systems an attacker may have executed malware on and can
also provide information about the time that it may have occurred.
• Shimcache Parser automatically determines the format of the cache data and outputs its contents. The
tool supports a number of inputs including system registry hives, raw binary, or the current system’s
registry.
• For more information visit : https://www.mandiant.com/blog/execute/

UserAssist Utility:
• UserAssist is a method used to populate a user’s start menu with frequently used applications. This is
achieved by maintaining a count of application use in each users NTUSER.DAT registry file.Windows
Explorer maintains this information in the UserAssist registry entries.
• This key is suppose to contain information about programs and
shortcuts accessed by the Windows GUI, including execution count and the date of last execution.
• Registry Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist
Following information can be captured from UserAssist Utility:
• Frequency of program execution -- per user.
• Last time a program was launched.
• From whence items were being launched most often.
• System date/time changes.
• Evidence of programs after deletion/uninstall.
• How long a user has interacted with a given program (Win7).
• Evidence of absence. (i.e. "items were in a specific location at one time." e.g. "My Documents" folder is
empty...but was launched 224 times)

UserAssist Utility:
Note: For more information about UserAssist keys, please visit following URLs.
http://www.4n6k.com/2013/05/userassist-forensics-timelines.html
http://blog.didierstevens.com/programs/userassist/
http://forensicartifacts.com/2010/07/userassist/

Schtasks.exe:
• Enables an administrator to create, delete,
query, change, run, and end scheduled
tasks on a local or remote computer.
Running Schtasks.exe without arguments
displays the status and next run time for
each registered task.
• Understanding the Scheduler tasks
becomes very handy in
quickly locating malware.
• Many malware can be immediately
located just by checking scheduler task.
• GUI version is also available which
provides better idea.
Unusual OS Artifacts: Tools

PSExec:
• PsExec is a light-weight telnet-replacement that
lets you execute processes on other systems,
complete with full interactivity for console
applications, without having to manually install
client software.
• PsExec's most powerful uses include launching
interactive command-prompts on remote systems
and remote-enabling tools like IpConfig that
otherwise do not have the ability to show
information about remote systems.
• Availability of such tools may arise suspicion that
system would be executing some process on other
remote systems.
• Note for more examples please visit :
https://technet.microsoft.com/en-
us/sysinternals/bb897553.aspx

PsLoggedOn:
• PsLoggedOn is an applet that displays both the locally logged on users and users logged on via
resources for either the local computer, or a remote one.
• If user name is specified instead of a computer, PsLoggedOn searches the computers in the
network neighborhood and tells whether the user is currently logged on.
• PsLoggedOn's definition of a locally logged on user is one that has their profile loaded into the
Registry, so PsLoggedOn determines who is logged on by scanning the keys under the
HKEY_USERS key. For each key that has a name that is a user SID (security
Identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who
is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API.
• Note thatPsLoggedOn will show you as logged on via resource share to remote computers that
you query because a logon is required for PsLoggedOn to access the Registry of a remote system.

ProcDump
• ProcDump is a command-line utility whose primary
purpose is monitoring an application for CPU spikes
and generating crash dumps during a spike that an
administrator or developer can use to determine the
cause of the spike.
• ProcDump also includes hung window monitoring
(using the same definition of a window hang that
Windows and Task Manager use), unhandled
exception monitoring and can generate dumps based
on the values of system performance counters.
• It also can serve as a general process dump utility
that you can embed in other scripts. Malwares could
use this utility in dumping a process and then
extracting strings/usernames/passwords etc from
that.
• Note : For more information about ProcDump and its
usage navigate to : https://technet.microsoft.com/en-
us/sysinternals/dd996900.aspx

Wmic:
• Windows Management Instrumentation (WMI) consists of a set of extensions to the
Windows Driver Model that provides an operating system interface through which
instrumented components provide information and notification.
• The WMIC environment allows interactive queries or scripting.
• It is interoperable with existing shell and utility commands and can be extended by
scripts and other administration-oriented applications.
• WMIC is included with Windows XP and later operating systems. However, since WMIC
works locally and remotely, it is possible to run WMIC commands against Windows 2000
systems remotely so long as the particular action is supported by WMI on the target
machine.
• Two modes of use for WMIC – Interactive or Scripting. In Interactive mode, WMIC
provides and ‘environment’ for scripting. The environment allows you to enter
commands and view the results in the immediate display – just like the standard
command line interface you are accustomed to. The Interactive environment also allows
the use of the discoverable help which is context sensitive.

Wmic process:

MountPoints2 Forensics:
• most forensic examiners have investigated the USB device history of a computer. When examining USBs, it’s just as important to identify
the user who connected the device, as it is to analyze the data that may have been transferred to or from the system.
5 Key Artifacts That Need to be Found When Investigating USB Device History:
• The USBSTOR located in the SYSTEM hive (SYSTEMCurrentControlSetEnumUSBSTOR) USBSTOR contains details on the vendor and
brand of USB device connected, along with the serial number of the device that can be used to match the mounted drive letter, user, and
the first and last connected times of the device.
• The MountedDevices key (SYSTEMMountedDevices) Allows investigators to match the serial number to a given drive letter or volume that
was mounted when the USB device was inserted. It’s possible that the investigator won’t be able to identify the drive letter if several USB
devices have been added, since the mapped drive letter only shows the serial number for the most recently mounted device for each letter
assigned.
• The MountPoints2 key found in a user’s NTUSER.dat hive
(NTUSER.datSoftwareMicrosoftWindowsCurrentVersionExplorerMountPoints2) This information will reveal which user was logged
in and active when the USB device was connected. MountPoints2 lists all of the device GUIDs that a particular user connected, so you might
need to search through each NTUSER.dat hive on the system to identify which user connected a particular device.
• The USB key in the SYSTEM hive (SYSTEMCurrentControlSetEnumUSB) This key provides investigators with vendor and product ID for a
given device, but also provides the last time the USB device was connected to the system. Using the last write time for the key of the device
serial number, investigators can identify the last time it was connected.
• The setupapi log (ROOTWindowsinfsetupapi.dev.log for Windows Vista/7/8)(ROOTWindowssetupapi.log for Windows
XP) Searching for the serial number in this file will provide investigators with information on when the device was first connected to the
system in local time. Examiners must exercise caution, as unlike the other timestamps mentioned in this article which are stored in UTC, the
setupapi.log stores its data in the system’s local time and must be converted to UTC to correctly match any timeline analysis being
performed by the investigator.
• Note: For more information, please visit : http://www.magnetforensics.com/how-to-analyze-usb-device-history-in-windows/

• Many core processes in Windows utilize the network, including svchost.exe, lsass.exe, and even the
System process.
• With memory analysis, one can parse through existing and even residual connections and sockets
established by the system.
• Sniffing the traffic using wireshark, tcpdump, mitmdump etc and analyzing that to realize connection to
suspicious domains, etc could help in determine the process associated with that particular network
activity and thus we can identify malware.
Common approach to malware detection:
• Any process communicating over port 80, 443, or 8080 that is not a
browser
• Any browser not communicating over port 80, 443, or 8080
• Connections to unexplained internal or external IP addresses.
For example, a process have a TCP connection to a system in Russia?
• Web requests directly to an IP address rather than a domain name
• RDP connections (port 3389), particularly if originating from odd IP addresses.
External RDP connections are typically routed through a VPN concentrator.
• DNS requests for unusual domain names
Note: For more information, please look at “Forensics using Wireshark” and other relevant articles at my
blog: http://malwareforensics1.blogspot.com
Suspicious Network Activity

• Malware commonly accomplishes persistence using a variety of techniques.
• Malwares escalate privilege and with elevated rights, they often create services to automatically load
malware or replace an existing service with a new malicious executable.
• The next most common malware persistence mechanism is using the registry auto-start mechanisms to
load malware at boot or during user logon.
• Some of the latest techniques include DLL Search Order Hijacking and using local group policy to run
scripts at logon/logoff.
• Finally, malware can also be installed as a Microsoft Office Add-in. When MS Word starts, the malware is
executed.
• Scheduled Tasks
• Auto-Start Registry Keys
• Service Replacement
• DLL Search Order Hijacking
• Service Creation
• Trojaned Legitimate System Libraries
• More Advanced – PowerShell background job, Local Group Policy, MS Office Add-In, or BIOS Flashing
Evidence of Persistence:

Sysinternals: Autoruns
• This utility, which has the most comprehensive knowledge of auto-starting locations of any
startup monitor, shows what programs are configured to run during system bootup or login, and
when built-in Windows applications like Internet Explorer, Explorer and media players start.
Autoruns goes way beyond other autostart utilities.
• These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry
keys.
• Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon
notifications, auto-start services, and much more.
• Autoruns Hide Signed Microsoft Entries option helps to zoom in on third-party auto-starting
images that have been added to your system and it has support for looking at the auto-starting
images configured for other accounts configured on a system.
• Autorunsc is a command-line equivalent that can output in CSV format
Evidence of Persistence: Tools

Sysinternals: Autoruns
• Scan Options scans for unknown images, code signatures, at submits unknown images to
VirusTotal.
• Hide Empty Locations, Microsoft Entries and clean entries helps in narrowing
down search.
• Autoruns displays autoruns entries for programs and “Everything” displays
all the autostart entries.
• Here, VirusTotal column displays infection value by many Anti-Virus engines
for that particular process.
Evidence of Persistence: Tools

References:
• https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
• https://technet.microsoft.com/en-us/sysinternals/bb896653.asp
• https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
• http://blog.didierstevens.com/programs/authenticode-tools/
• https://www.mandiant.com/resources/download/redline
• http://www.gmer.net/
• http://usa.kaspersky.com/downloads/TDSSKiller
• http://www.forensicswiki.org/wiki/Prefetch
• http://www.magnetforensics.com/forensic-analysis-of-prefetch-files-in-windows/
• https://www.mandiant.com/blog/execute/
• http://blog.didierstevens.com/programs/userassist/
• https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
• http://en.wikipedia.org/wiki/Windows_Management_Instrumentation
• http://www.forensicmag.com/articles/2012/06/windows-7-registry-forensics-part-5
• http://www.magnetforensics.com/how-to-analyze-usb-device-history-in-windows/

Anomalies Detection: Windows OS - Part 1

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to Anomalies Detection: Windows OS - Part 1

Similar to Anomalies Detection: Windows OS - Part 1 (20)

Recently uploaded

Recently uploaded (20)

Anomalies Detection: Windows OS - Part 1