This document provides information about DHCP and DNS logging. It discusses: - Microsoft DHCP logs location and format, with limitations like one week retention - ISC DHCP logs to syslog and examples of log entries - DNS logging using DNSCAP or network packet captures - Microsoft and ISC BIND DNS logging configurations and limitations It recommends searching DHCP logs by IP address or MAC address to identify devices, and DNS logs to see domains visited and querying IPs. The document also notes attackers may change IP addresses, and malware may strip version information to evade detection.

1. CNIT 152:
Incident
Response
10 Enterprise Services
Updated 10-14-2021

2. Network Infrastructure
Services:
DHCP & DNS

3. DHCP
• Dynamic Host Con
fi
guration Protoco
l
• Assigns IP addresses to devices (with subnet
mask and gateway address
)
• Can also con
fi
gure DNS server addres
s
• Uses UDP port 67 and 68

4. DHCP Lease
• An IP address may change every time the
device reboot
s
• So DHCP logs are essential to identify devices
from IP addresses

5. DHCP Searches
• Search a date for an IP addres
s
• To
fi
nd which system had that address when
an alert happene
d
• Search all dates for a MAC addres
s
• Gets all the IP addresses that system had over
time

6. Microsoft's DHCP Logs
• DHCP Server Role is part of Windows
Serve
r
• By default, located at
%windir%System32Dhc
p
• A plain comma-delimited text
fi
l
e
• ID, Date, Time, Description, IP Address,
Host Name, MAC Addres
s
• Links Ch 10a, 10b

7. Issues with Microsoft DHCP
• Note: "Time" is local time, not UT
C
• Logs only retained for one week
by default

8. ISC DHCP
• Most common on Unix/Linux system
s
• Free and open-sourc
e
• Logs go to syslog local
7
• (Facility Number 23, a way to categorize
syslog messages
)
• Link Ch 10c

9. ISC DHCP Log Example
[root@proxy log]# tail -f dhcpd.lo
g
Jan 15 13:49:59 proxy dhcpd: DHCPACK on 192.168.0.23 to
00:80:ad:01:7e:12 (programming) via eth
1
Jan 15 13:54:45 proxy dhcpd: DHCPINFORM from
192.168.0.13 via eth1: not authoritative for subnet
192.168.0.
0
• Link Ch 10d

10. ISC DHCP Log Examples
• Link Ch 10e

11. DNS
• Domain Name Syste
m
• Resolves domain names like ccsf.edu to IP
addresses like 147.144.1.212
• DNS logs show every domain visited, the IP
visiting it, and the tim
e
• Malicious servers change IP addresses
frequently

12. ISC BIND
• Berkeley Internet Name Domai
n
• Logging is off by default; turn it on in
named.conf.loca
l
• Link Ch 10f

13. Microsoft DNS
• Logging is off by
defaul
t
• Restarting DNS server
erases old log

14. Network-Level DNS Logging
• Any packet capture utility can do it, such as
tcpdum
p
• DNSCAP is specialized for DNS capturin
g
• Can log queries, and/or save a PCAP
fi
l
e
• Link Ch 10g

15. Ch 10a

16. Enterprise Management
Applications:
LANDesk &
Symantec Altiris

17. LANDesk's Software
Management Suite
• Software License Monitoring (SLM
)
• Tracks execution history of every
applicatio
n
• Date and time the application ra
n
• File attributes of the executabl
e
• User account that ran i
t
• Link Ch 10h

18. Attackers
• Attackers often copy hacking tools like
password hash dumpers to a system, run it, and
then delete i
t
• LANDesk will record this in the SLM monitor
logs (in the Registry, see next slide)
,
• Even if the binary has been deleted

19. Registry Keys
[HKEY_LOCAL_MACHINESOFTWARELANDeskMa
nagementSuite
WinClientSoftwareMonitoringMonitorLog
]
• Each application has a separate key, like
C:/Program Files/Microsoft Of
fi
ce/OFFICE11/
EXCEL.EX
E
• Subkeys contain
:
• Current Duration, Current User, First Started,
Last Duration, Last Started, Total Duration, Total
Runs

20. Parsing the Registry Keys
• SLM Browse
r
• Doesn't work on exported registry hive
s
• RegRipper doe
s
• Links Ch 10l, 10m, 10n, 10o

21. What to Look For
• Low "Total Runs
"
• Attackers often run a tool once and then
delete i
t
• Suspicious paths of executio
n
• Many tools run from the same director
y
• Anything running from the Recycle Bin

22. What to Look For
• Timeline Analysi
s
• Look for rarely used utilities running within a
short time perio
d
• Such as net.exe, net1.exe, cmd.exe, at.ex
e
• (net1 is a Microsoft product to address Y2K
)
• May indicate lateral movement

23. What to Look For
• Suspicious usernames in Current Use
r
• User accounts with a low number of
application run
s
• Accounts that shouldn't normally access this
syste
m
• Accounts with elevated privileges, such as
domain administrators

24. What to Look For
• Executables that have been delete
d
• This is normal for installer
s
• Other executables are more suspicious

25. Symantec's Altiris Client
Management Suite
• Optional component for application meterin
g
• Records execution history of applications run
on a syste
m
• Link Ch 10p, 10q

26. Altiris Application Metering
Logs
• Saved as a plain text
fi
le, including this
information
:
• Manufacturer, version, use
r
• Discovered (date of
fi
rst execution
)
• And date of last executio
n
• Run Count and Total Run Time

27. What to Look For
• Executables without version informatio
n
• Malware authors often strip this data to hide
from signature-based antiviru
s
• Identify suspicious executables by
fi
le siz
e
• Malware is usually small; < 1 M
B
• Attacker may use the same backdoor on
multiple systems, changing only the name, so
the size is the same

28. Antivirus Software:
Symantec Endpoint Protection
McAfee VirusScan
Trend Micro Of
fi
ceScan

29. General Features
• Antivirus doesn't usually detect all program
s
• Only the ones recognized as maliciou
s
• Common administrative tools won't be
detecte
d
• Also some malicious tools lack a signature,
and won't be detecte
d
• Antivirus logs are useful, but give an incomplete
picture of attacker activities

30. Antivirus Quarantine
• AV encodes malicious
fi
les & moves them to a
Quarantine folde
r
• Files can no longer execut
e
• Preserves
fi
les for incident responder
s
• Make sure antivirus is set to quarantine
fi
les,
not delete them

31. About Archives
• Attackers often use password-protected archive
fi
le
s
• Antivirus can't open them to scan the
m
• Often AV will log errors about the
m
• This is a clue about attacker activity

32. Symantec Endpoint
Protection
• Stores extensive log
fi
les, in plaintex
t
• Also generates events in the Event Log

33. Strange Timestamps
• This is Nov. 19, 2002,
8:01:34 Am UTC

34. Quarantine Files
• File extension of .vb
n
• Two VBN
fi
les for each
fi
le quarantine
d
• First: metadata about quarantined
fi
l
e
• Second: Encoded copy of original
fi
le

35. Symantec's Encoding
• Older versions: XOR with 0x5
A
• Newer versions: XOR with 0xA5 and insert
additional 5-byte sequences throughout the
encoded
fi
l
e
• Symantec's QExtract.exe can extract
fi
les from
quarantin
e
• But only on the system that quarantined the
fi
le

36. To Extract Quarantined Files
• Obtain the correct version of QExtrac
t
• Boot up a forensic image of the affected
syste
m
• OR use pyextract.py (link Ch 10r
)
• But it sometimes fails to reconstruct the
fi
le
correctly

37. McAfee VirusScan
• Link Ch 10s

38. McAfee Logs
• Stored
locally on
the host

39. Most Useful
• OnAccessScanLog.txt and
OnDemandScanLog.tx
t
• Shows
fi
les that were quarantined or delete
d
• With name of the detected threa
t
• Also creates events in Event Log

40. McAfee Quarantined Files
• .bup extension, a
fi
le with two part
s
• "Details" contains metadat
a
• File-o: The actual quarantined
fi
l
e
• XORed with 0x6A and compressed into OLE
forma
t
• To extract, use 7-Zip

41. Example of
metadata for
PWDUMP
hacking too
l
Shows
detection
time and
original
name of
fi
le

42. Trend Micro Of
fi
ceScan
• Stores logs locally on the hos
t
• Plaintext, with date, signature name, what action
the AV took, and path to
fi
le

43. Trend Quarantine Files
• Can be decoded with VSEncode.ex
e
• Create a con
fi
guration_
fi
le with the full path to
the quarantined
fi
les

44. Ch 10b

45. Web Servers:
Apache &
IIS

46. Background
• Browsers send HTTP (Hypertext Transfer
Protocol) request
s
• GE
T
• To retrieve a page, image, etc
.
• POS
T
• To send data, like username and password

47. Ports
• HTTP uses TCP port 80 (by default
)
• HTTPS uses TCP port 443 (by default)

48. Virtual Hosts
• Many websites running on the same serve
r
• If one is compromised, they may all be affected

49. Log Files on Web Servers
• Stored in plain tex
t
• Summary of each reques
t
• IP of clien
t
• URL requeste
d
• HTTP metho
d
• Result (status code)

50. Common Searches to
Perform

51. Load Balancing
• Sends requests to a pool of server
s
• Web server logs will have the IP of the load
balancer, not the clien
t
• You need to correlate load balancer logs with
Web server logs
• OR: con
fi
gure the load balancer to "pass
through" some details about the clien
t
• X-Forwarder-For header
fi
el
d
• Con
fi
gure Web server to log that header

52. Web Content
• Attackers often alter
fi
les on a Web serve
r
• Or upload
fi
les, such as webshells and
hacking tool
s
• They may be plaintext or obfuscated

53. Example of Obfuscated PHP
• Link Ch 10t

54. Apache
• Free, open-sourc
e
• Usually running on Linu
x
• Con
fi
guration
fi
le
s
• httpd.conf, apache.conf, apache2.con
f
• Some directives in .htaccess
fi
les

55. Apache Log Files
• access.log and error.log (plain text
)
• In a subdirectory of /var/lo
g
• To log X-Forwarder-For headers, add this to
con
fi
guration
fi
le
:
%{X-Forwarded-For}i

56. Content Locations
• /var/www or /var/www/html by defaul
t
• Often change
d
• Search for ServerRoot and DocumentRoot
directives in con
fi
guration
fi
les

57. Microsoft's IIS
• Internet Information Service
s
• Included in Server versions of Window
s
• Con
fi
gured through Control Pane
l
• Most relevant settings are stored in an XML
fi
le
named applicationHost.con
fi
g

58. IIS Con
fi
g File
• ID number appears at end of log directory nam
e
• %SystemDrive%
inetpublogsLogFilesW3SVC1

59. IIS Log Files
• Filenames contain date in YYMMDD forma
t
• u_ex140220.log --logs from Feb. 20, 201
4
• Advanced Logging places logs in a different
director
y
• Logs are plaintext but are encoded with UTF-8
and may include unicode characters

60. Example Log File
• Link Ch 10u
#Software: Microsoft Internet Information Services 7.
5
#Version: 1.
0
#Date: 2011-04-13 19:02:3
4
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-
query s-port cs-username c-ip cs(User-Agent) sc-status
sc-substatus sc-win32-status time-taken
2012-07-02 15:15:37 XXX.XX.XX.XXX POST /
AjaxWebMethods.aspx/TestWebMethod - 443 -
XXX.XX.XX.XX
Mozilla/5.0+(Windows+NT+5.1;+rv:13.0)+Gecko/
20100101+Firefox/13.0.1 405 0 0 218

61. Database Servers:
Microsoft SQL
MySQL
Oracle

62. DB Evidence
• Client connection log
s
• Attacker's IP addres
s
• Error log
s
• Malformed queries; brute force attack
s
• Query log
s
• Often not enabled, but would show what the
attacker was trying to access

63. DB Storage
• Data stored in many
fi
le
s
• Sometimes "raw" storag
e
• Proprietary methods to manage one or
more storage devices at the physical leve
l
• Work with database administrator to deal with
customized database
s
• Don't work on a live D
B
• You might modify data or even cause a
crash

64. Microsoft SQL
• Free version: SQL Server Expres
s
• Con
fi
gured with Microsoft SQL Server
Management Studio (SSMS
)
• MSSQL does not log client connections by
defaul
t
• Only failed connections

65. ERRORLOG
• This example logs
fi
rst an unsuccessful, then a
successful, connection attemp
t
• Both go into ERRORLOG

66. Query Logging
• MSSQL does not log queries by defaul
t
• You can turn on a "server-side-trace
"
• But it incurs large processing overhead

67. Preserving DB Evidence
• Forensic image of the drives containing the D
B
• Good, but requires taking down the DB
serve
r
• Copying DB
fi
les: .mdf & .ld
f
• Locked; must take down DB to copy the
m
• Use SMSS to backup or export dat
a
• Alters some evidence, like other live images

68. MySQL
• Free, open-source, common on Linu
x
• After Oracle bought it, the open-source fork mariadb
became popula
r
• Con
fi
guration
fi
le is my.cnf or my.conf

69. MySQL Logs
• Commonly in /var/log/mysq
l
• Only error log enabled by defaul
t
• General log is more useful for us, but causes
high logging overhead

70. Example
• General lo
g
• User "root" connected from 192.168.200.
2
• Executed this quer
y
• select * from cc_data limit 1

71. Acquiring MySQL Data
• Can use a number of database
fi
le storage format
s
• Ideal way
:
• Shut down server gracefully, image hard dis
k
• On a running syste
m
• Stop the MySQL service and copy all the
fi
les in
the datadir, o
r
• Backup with mysqldump command without
stopping the service

72. Oracle
• Runs on Windows or Linu
x
• Expensiv
e
• listener.log
• Logs details about each client connectio
n
• On by defaul
t
• log.xm
l
• Alerts -- records traces and dumps

73. Example listener.log
• Successful connection to an Oracle D
B
• "Bob" is username on remote syste
m
• Does not indicate success or failur
e
• Unless auditing is enabled (high performance
impact)

74. Ch 10c