CNIT 152 12. Investigating Windows Systems (Part 3)

CNIT 152:
Incident
Response
12 Investigating Windows System
s

(Part 3)
Updated 11-11-21

Other Artifacts of Interactive
Sessions

Interactive Sessions
• For the purposes of this section, include
s

• Login with user at the consol
e

• Remote Desktop session
s

• Screen sharing (via VNC or similar software)

LNK Files
• Shortcuts to
fi
le
s

• Serve as extensions to Windows Explore
r

• Windows automatically creates LNKs for every
opened
fi
l
e

• To populate "Recent Files
"

• Separate list in each user pro
fi
le

Timeline
• LNK
fi
les can show just what a user di
d

• Which
fi
les were accessed, and in what order

Jump Lists
• Right-click a
taskbar icon to
show recently used
item
s

• Word shows recent
Word
fi
les, etc.

Where Jump Lists are
Stored
• Not human-readable, you need tool
s

• JumpLister for Windows 7-
8

• JLECmd for Windows 10 (link Ch 12t)

The Recycle Bin
• Located in $Recycle.Bi
n

• Contains
fi
les deleted from the hard dis
k

• But not if deleted from removable drive
s

• Or from the Command Promp
t

• Or with Shift+Delete

Ri
fi
uti2 Tool
• Link Ch 12u

Types of Memory
• Physical (RAM chips
)

• Page
fi
l
e

• Data moved out of RAM onto the hard dis
k

• %SYSTEMDRIVE%page
fi
le.sys

Crash Dumps
• Can be produced when Windows crashes with
the "Blue-Screen of Death
"

• Three level
s

• Kernel Memory Dump (default
)

• Small Memory Dump (Minidump
)

• Complete Memory Dump

Crash Dump Storage
• %LOCALAPPDATA%Crashdump
s

• Complete Memory Dump is most useful typ
e

• But it's rarely turned on

Hibernation Files
• Saves the full contents of RAM on dis
k

• %SYSTEMDRIVE%Hiber
fi
l.sy
s

• It's compressed and includes metadat
a

• Link Ch 8
t

• Volatility can parse it

Running Processes
• Volatility can recover

Handles
• Used to access
fi
les, devices, and more from
softwar
e

• Can help when analyzing malwar
e

• Mutants or Mutexes are used for inter-process
communicatio
n

• To lock a resource so no other process
changes it while it's in us
e

• Used by malware to prevent re-infection

Handles for Zeus
• Mutant _AVIRA_2108 is a
fi
ngerprint of Zeu
s

• Link Ch 12u

Memory Sections
• Each process has a virtual address spac
e

• Including RAM and some disk space in the
page
fi
l
e

• The OS swaps data in and out of physical
memor
y

• Virtual Address Descriptor (VAD) tre
e

• A kernel data structure that shows how
memory is used by each process (link Ch 12v)

Detecting Malicious DLLs
• Check for valid digital signature
s

• Known-good or -bad hash value
s

• Evidence of process-tampering attack
s

• Malware loading a DLL surreptitiously or
running code in memory

Other Memory Artifacts
• Network connection
s

• Loaded driver
s

• Runs in kernel, with elevated privilege
s

• Console command histor
y

• Strings in memor
y

• Credentials

Page
fi
le Analysis
• Has no intrinsic structur
e

• Can search for string
s

• Be careful: antivirus and host-based intrusion
detection systems leave signatures in the
page
fi
l
e

• Suspicious IP addresses, domain names,
and malware
fi
lename
s

• Windows can clear the page
fi
le on shutdown,
but this is not its default setting

Analyzing Common
 
In-Memory Attacks
• Process injectio
n

• Hooking

Process Injection
• A malicious injecting process causes a
legitimate process (injected) to load and
execute malicious cod
e

• In-memory attac
k

• Disk
fi
les do not chang
e

• Injected process has no evidence indicating
which process was responsible for the injection

Methods of Process
Injection
• Use Windows APIs (requires Administrator or
SYSTEM privileges
)

• Force target process to load a malicious DLL
from dis
k

• Directly write malicious code to target
process's memory and invoke a remote thread
to execute it

Process Replacement
• Malware launches a legitimate executable in a
suspended stat
e

• Then overwrite process memory with malicious
cod
e

• Unsuspend it to execute

Detecting Malicious
Injection
• Memory sections with Execute, Read and Write
permission
s

• Processes that don't match corresponding disk
fi
le
s

• Links Ch 12w, 12x

Sysmon Detecting Injection
https://letsdefend.io/blog/process-injection-detection-with-sysmon/

Finding Persistence
Mechanisms
• The injecting process needs a persistence
mechanism to survive reboot
s

• So it may be found i
n

• Auto-run keys, DLL load-order hijacking, etc.

Hooking
• Allows code within running processes to
intercept, modify, and view events such as
function calls and data they retur
n

• Windows provides many API mechanisms to do
thi
s

• Used by legitimate program
s

• Antivirus, host-based intrusion detection
systems, application inventory software

Malicious Hooking
• Rootkits use hooking to hide
fi
les, processes,
registry keys, or network connection
s

• Keyloggers may use SetWindowsHookEx to
cause a malicious DLL function to be called
whenever a keyboard event occur
s

• Or use GetAsyncKeyState to constantly check
the up/down state of keys

Types of Hooks
• Manipulate a process's Import Address Tabl
e

• So it calls malicious functions instead of
legitimate system function
s

• Hook kernel structures such as the Interrupt
Descriptor Table (IDT) and System Service
Dispatch Table (SSDT
)

• Prevented on modern Windows systems by
Kernel Patch Protection (KPP)

Zeus Hook
• The next slide shows the output of
"apihooks" (a Volatility plugin
)

• On a system infected with Zeu
s

• Shows an inline hook to the HttpSendRequestA
function imported from WinInet.dll within the
process space of lsass.exe

Memory Analysis Tools
• Acquisition tool
s

• FTK Image
r

• DumpI
t

• Memoryz
e

• Velocirapto
r

• Analysis tool
s

• Memoryz
e

• Volatility

Alternative Persistence
Mechanisms

Alternative Persistence
Mechanisms
• Startup folder
s

• Recurring task
s

• System binary modi
fi
catio
n

• The sticky keys attac
k

• DLL load-order hijacking

Startup Folders
• Any program or shortcut in this folder is
launche
d

• On startup or login

Recurring Tasks
• Use "at" or "schtasks" command
s

• To make a task that recurs at regular times or
days of the wee
k

• Future and recurring scheduled tasks persist as
.job
fi
les in %SYSTEMROOT%Tasks

System Binary Modi
fi
cation
• Modify existing Windows binar
y

• Typically one automatically loaded on bootup
or logi
n

• Add malicious cod
e

• Time-stom
p

• Will change MD5 hash and break signature, but
not all legitimate binaries are signed

Careful Modi
fi
cations
• Changes that cause Windows to crash or impair
user experience will limit the attacker's ability to
persis
t

• Attackers are more likely to replace noncritical
executables or libraries

Defenses
• Windows File Protection in older versions
of Windows (XP, 2000
)

• Easily bypassed by a local Administrato
r

• Replaced by Windows Resource Protection
(WRP) in Windows Vista and late
r

• Requires TrustedInstaller permissions to
alter WFP-governed resource
s

• More resistant to tampering

The Sticky Keys Attack
• Targets sethc.ex
e

• A
fi
le that provides accessibility feature
s

• Replace sethc.exe with cmd.ex
e

• Press Shift key
fi
ve times before logo
n

• A command shell opens with SYSTEM
privilege
s

• Even works during a Remote Desktop
Protocol session

• No longer works on Vista and later version
s

• But there's another way to get the same result
The Sticky Keys Attack

DLL Load-Order Hijacking
• DLLs are loaded when a program launche
s

• But DLLs might be in many different folder
s

• "KnownDLLs" registry key lists known system
DLLs and ensures that they are always loaded
from %systemroot%System32

DLL Load-Order Hijacking
Works When:
• ntshrui.dll is loaded by Windows Explorer and is
vulnerabl
e

• A malicious ntshrui.dll in %systemroot% will
launch when Explorer does

CNIT 152 12. Investigating Windows Systems (Part 3)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CNIT 152 12. Investigating Windows Systems (Part 3)

Similar to CNIT 152 12. Investigating Windows Systems (Part 3) (20)

More from Sam Bowne

More from Sam Bowne (20)

Recently uploaded

Recently uploaded (20)

CNIT 152 12. Investigating Windows Systems (Part 3)