This document provides information about DHCP and DNS logging. It discusses:
- Microsoft DHCP logs location and format, with limitations like one week retention
- ISC DHCP logs to syslog and examples of log entries
- DNS logging using DNSCAP or network packet captures
- Microsoft and ISC BIND DNS logging configurations and limitations
It recommends searching DHCP logs by IP address or MAC address to identify devices, and DNS logs to see domains visited and querying IPs. The document also notes attackers may change IP addresses, and malware may strip version information to evade detection.
3. DHCP
• Dynamic Host Configuration Protocol
• Assigns IP addresses to devices (with subnet mask and gateway address)
• Can also configure DNS server addresses
• Uses UDP ports 67 (server) and 68 (client)
4. DHCP Lease
• An IP address may change every time the device reboots, or when its lease expires
• So DHCP logs are essential to identify devices from IP addresses
5. DHCP Searches
• Search a date for an IP address
• To find which system had that address when an alert happened
• Search all dates for a MAC address
• Gets all the IP addresses that system had over time
6. Microsoft's DHCP Logs
• DHCP Server Role is part of Windows Server
• By default, located at %windir%\System32\Dhcp
• A plain comma-delimited text file
• ID, Date, Time, Description, IP Address, Host Name, MAC Address
• Links Ch 10a, 10b
7. Issues with Microsoft DHCP
• Note: "Time" is local time, not UTC
• Logs are only retained for one week by default (one file per day of the week, overwritten the following week)
8. ISC DHCP
• Most common on Unix/Linux systems
• Free and open-source
• Logs go to syslog facility local7
• (Facility number 23, a way to categorize syslog messages)
• Link Ch 10c
9. ISC DHCP Log Example
[root@proxy log]# tail -f dhcpd.log
Jan 15 13:49:59 proxy dhcpd: DHCPACK on 192.168.0.23 to 00:80:ad:01:7e:12 (programming) via eth1
Jan 15 13:54:45 proxy dhcpd: DHCPINFORM from 192.168.0.13 via eth1: not authoritative for subnet 192.168.0.0
• The DHCPACK line is the one that binds an IP address to a MAC address; note that syslog timestamps carry no year
• Link Ch 10d
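The two searches from slide 5, run against both log formats above. This is an added example written for these notes, not code from the slides or from Microsoft/ISC: it parses a constructed Microsoft DHCP audit log (the column layout from slide 6) and constructed ISC dhcpd syslog lines (the shape shown on slide 9), then answers "who had this IP at this time" and "which IPs has this MAC held". The year 2014 for the syslog lines, the sample addresses and host names are all assumptions; the times are treated as the same local clock, so convert to UTC before correlating with alerts from other systems (slide 7).

```python
import csv
import re
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed sample of a Microsoft DHCP audit log (DhcpSrvLog-<Day>.log).
# The real file has an explanatory header above the column names; only the
# column line and the records matter here. ID 10 = new lease, 11 = renewal.
# Times are LOCAL time on the DHCP server (slide 7), not UTC.
MS_DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/15/14,13:49:59,Assign,192.168.0.23,PROGRAMMING.corp.local,0080AD017E12
11,01/16/14,08:02:11,Renew,192.168.0.23,PROGRAMMING.corp.local,0080AD017E12
10,01/17/14,09:15:40,Assign,192.168.0.23,LAPTOP-77.corp.local,001122AABBCC
10,01/17/14,09:30:02,Assign,192.168.0.51,PROGRAMMING.corp.local,0080AD017E12
"""

# Constructed sample of ISC dhcpd syslog output (same shape as slide 9).
# Syslog timestamps carry no year, so the caller must supply one.
ISC_DHCP_LOG = """\
Jan 15 13:49:59 proxy dhcpd: DHCPACK on 192.168.0.23 to 00:80:ad:01:7e:12 (programming) via eth1
Jan 15 13:54:45 proxy dhcpd: DHCPINFORM from 192.168.0.13 via eth1: not authoritative for subnet 192.168.0.0
Jan 17 09:30:02 proxy dhcpd: DHCPACK on 192.168.0.51 to 00:80:ad:01:7e:12 (programming) via eth1
"""

SYSLOG_YEAR = 2014  # assumption for the constructed ISC sample


@dataclass(frozen=True)
class Lease:
    when: datetime   # naive; both sources are treated as the same local clock
    ip: str
    mac: str         # normalised to aa:bb:cc:dd:ee:ff
    host: str
    source: str      # "ms" or "isc"


def norm_mac(raw):
    """Accept 0080AD017E12, 00-80-AD-01-7E-12 or 00:80:ad:01:7e:12."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ms_dhcp(text):
    leases = []
    for row in csv.DictReader(StringIO(text)):
        if row["ID"] not in ("10", "11"):      # only assign/renew bind an IP to a MAC
            continue
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%y %H:%M:%S")
        leases.append(Lease(when, row["IP Address"], norm_mac(row["MAC Address"]),
                            row["Host Name"], "ms"))
    return leases


ISC_ACK = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))?")


def parse_isc_dhcp(text, year=SYSLOG_YEAR):
    leases = []
    for line in text.splitlines():
        m = ISC_ACK.match(line)
        if not m:                               # DISCOVER/OFFER/INFORM lines do not confirm a lease
            continue
        ts = " ".join(m.group("ts").split())    # "Jan  5" -> "Jan 5"
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        leases.append(Lease(when, m.group("ip"), norm_mac(m.group("mac")),
                            m.group("host") or "", "isc"))
    return leases


def who_had_ip(leases, ip, at):
    """Slide 5, first search: the most recent lease of `ip` at or before `at` (ISO string or datetime)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    hits = [l for l in leases if l.ip == ip and l.when <= at]
    return max(hits, key=lambda l: l.when) if hits else None


def ips_for_mac(leases, mac):
    """Slide 5, second search: every address this MAC held, in first-seen order."""
    mac = norm_mac(mac)
    seen = []
    for l in sorted(leases, key=lambda l: l.when):
        if l.mac == mac and l.ip not in seen:
            seen.append(l.ip)
    return seen


ALL_LEASES = parse_ms_dhcp(MS_DHCP_LOG) + parse_isc_dhcp(ISC_DHCP_LOG)

if __name__ == "__main__":
    hit = who_had_ip(ALL_LEASES, "192.168.0.23", "2014-01-17T10:00:00")
    print(hit.mac, hit.host)                               # 00:11:22:aa:bb:cc LAPTOP-77.corp.local
    print(ips_for_mac(ALL_LEASES, "00-80-AD-01-7E-12"))   # ['192.168.0.23', '192.168.0.51']
```

The point of the first search is the `when <= at` ordering: the same address was handed to a different MAC on 17 January, so an alert at 10:00 that day points at the laptop, while the same alert a day earlier would point at "programming". Only DHCPACK / Assign / Renew records are used, because DISCOVER and INFORM lines do not prove that a client ever held the address.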
11. DNS
• Domain Name System
• Resolves domain names like ccsf.edu to IP addresses like 147.144.1.212
• DNS logs show every domain visited, the IP address that queried it, and the time
• Malicious servers change IP addresses frequently, so log the resolved answers as well as the names queried
12. ISC BIND
• Berkeley Internet Name Domain
• Query logging is off by default; turn it on with a logging statement in named.conf.local (or the main named.conf)
• Link Ch 10f
14. Network-Level DNS Logging
• Any packet capture utility can do it, such as tcpdump
• DNSCAP is specialized for DNS capturing
• Can log queries, and/or save a PCAP file
• Link Ch 10g
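What a network-level DNS logger actually pulls out of each packet. This is an added example for these notes, not DNSCAP's or tcpdump's code: a minimal RFC 1035 parser over two hand-built UDP payloads (a query for ccsf.edu and the response carrying the slide's 147.144.1.212), producing the one-line record slide 11 describes, with the answer addresses included so that a server that keeps changing IP still shows up. The packet bytes, transaction ID and addresses are constructed; a real tool would feed it the UDP payload from a PCAP.

```python
import struct

# Constructed sample packets (UDP payloads only, no Ethernet/IP headers):
# a query for ccsf.edu and the matching response carrying 147.144.1.212.
# Built by hand per RFC 1035 wire format.
QUERY = bytes.fromhex(
    "1234 0100 0001 0000 0000 0000"       # id, flags (RD), QD=1, AN=0, NS=0, AR=0
    "04 63637366 03 656475 00"            # QNAME: 4 "ccsf" 3 "edu" 0
    "0001 0001")                          # QTYPE A, QCLASS IN
RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"       # id, flags (QR, RD, RA), QD=1, AN=1
    "04 63637366 03 656475 00 0001 0001"  # question echoed back
    "c00c"                                # NAME: compression pointer to offset 12
    "0001 0001 00000e10 0004"             # TYPE A, CLASS IN, TTL 3600, RDLENGTH 4
    "9390 01d4")                          # RDATA 147.144.1.212


def read_name(pkt, off):
    """Decode a domain name at `off`; follows compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: pointer
            hops += 1
            if hops > 32:                                # pointer loops appear in hostile packets
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(pkt):
    """Return the fields a DNS log needs: id, direction, questions and A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                    # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def log_line(timestamp, src_ip, dst_ip, pkt):
    """One text record per packet: who asked for what, and what they were told."""
    d = parse_dns(pkt)
    names = ",".join(q for q, _ in d["questions"])
    if d["response"]:
        ips = ",".join(ip for _, ip, _ in d["answers"]) or "-"
        return f"{timestamp} {dst_ip} <- {src_ip} R {names} {ips}"
    return f"{timestamp} {src_ip} -> {dst_ip} Q {names}"


if __name__ == "__main__":
    print(log_line("2014-01-17T09:35:30Z", "192.168.0.23", "192.168.0.1", QUERY))
    print(log_line("2014-01-17T09:35:30Z", "192.168.0.1", "192.168.0.23", RESPONSE))
```

The pointer-hop limit in `read_name` matters once this runs on captured traffic: a crafted packet with a self-referencing compression pointer would otherwise loop the logger forever.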
17. LANDesk's Software Management Suite
• Software License Monitoring (SLM)
• Tracks execution history of every application
• Date and time the application ran
• File attributes of the executable
• User account that ran it
• Link Ch 10h
18. Attackers
• Attackers often copy hacking tools like password hash dumpers to a system, run them, and then delete them
• LANDesk will record this in the SLM monitor logs (in the Registry, see next slide)
• Even if the binary has been deleted
20. Parsing the Registry Keys
• SLM Browser
• Doesn't work on exported registry hives
• RegRipper does
• Links Ch 10l, 10m, 10n, 10o
21. What to Look For
• Low "Total Runs"
• Attackers often run a tool once and then delete it
• Suspicious paths of execution
• Many tools run from the same directory
• Anything running from the Recycle Bin
22. What to Look For
• Timeline Analysis
• Look for rarely used utilities running within a short time period
• Such as net.exe, net1.exe, cmd.exe, at.exe
• (net1.exe is a legitimate Microsoft utility, introduced to address a Y2K issue in net.exe)
• May indicate lateral movement
23. What to Look For
• Suspicious usernames in Current User
• User accounts with a low number of application runs
• Accounts that shouldn't normally access this system
• Accounts with elevated privileges, such as domain administrators
24. What to Look For
• Executables that have been deleted
• This is normal for installers
• Other deleted executables are more suspicious
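The checks from slides 21 to 24 as code, run over a small constructed data set. This is an added example for these notes, not LANDesk's, RegRipper's or the slides' own tooling: the records below are assumed to be what you would reduce RegRipper's SLM output to (path, account, run count, last run, and whether the binary is still on disk); the paths, SID, account names and timestamps are invented. The "installer" name heuristic and the five-minute window are assumptions you would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed records in the shape RegRipper's SLM output can be reduced to
# (slides 17-24). Real data comes from the SLM registry keys.
SLM_RECORDS = [
    {"path": r"C:\Windows\System32\cmd.exe", "user": r"CORP\jdoe",
     "total_runs": 412, "last_run": "2014-01-17T09:31:10", "exists": True},
    {"path": r"C:\$Recycle.Bin\S-1-5-21-1\pwdump7.exe", "user": r"CORP\svc_backup",
     "total_runs": 1, "last_run": "2014-01-17T09:32:05", "exists": False},
    {"path": r"C:\$Recycle.Bin\S-1-5-21-1\psexec.exe", "user": r"CORP\svc_backup",
     "total_runs": 1, "last_run": "2014-01-17T09:33:40", "exists": False},
    {"path": r"C:\Windows\System32\net.exe", "user": r"CORP\svc_backup",
     "total_runs": 3, "last_run": "2014-01-17T09:34:02", "exists": True},
    {"path": r"C:\Windows\System32\net1.exe", "user": r"CORP\svc_backup",
     "total_runs": 3, "last_run": "2014-01-17T09:34:02", "exists": True},
    {"path": r"C:\Windows\System32\at.exe", "user": r"CORP\svc_backup",
     "total_runs": 1, "last_run": "2014-01-17T09:35:30", "exists": True},
    {"path": r"C:\Users\jdoe\Downloads\setup_7zip.exe", "user": r"CORP\jdoe",
     "total_runs": 1, "last_run": "2014-01-10T12:00:00", "exists": False},
]

ADMIN_TOOLS = {"net.exe", "net1.exe", "cmd.exe", "at.exe"}   # slide 22
INSTALLER_HINTS = ("setup", "install", "uninst")              # slide 24: deleted installers are normal (assumed heuristic)


def _name(rec):
    return PureWindowsPath(rec["path"]).name.lower()


def run_once_then_deleted(records, max_runs=2):
    """Slides 21/24: few runs and the binary is gone, ignoring installer-looking names."""
    return sorted(r["path"] for r in records
                  if r["total_runs"] <= max_runs and not r["exists"]
                  and not any(h in _name(r) for h in INSTALLER_HINTS))


def recycle_bin_execution(records):
    """Slide 21: anything run from a Recycle Bin directory."""
    return sorted(r["path"] for r in records
                  if any(p.lower() in ("$recycle.bin", "recycler")
                         for p in PureWindowsPath(r["path"]).parts))


def admin_tool_bursts(records, window=timedelta(minutes=5), min_tools=3):
    """Slide 22: >= min_tools distinct admin utilities run by one account inside `window`."""
    by_user = defaultdict(list)
    for r in records:
        if _name(r) in ADMIN_TOOLS:
            by_user[r["user"]].append((datetime.fromisoformat(r["last_run"]), _name(r)))
    bursts = {}
    for user, runs in by_user.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            tools = {n for t, n in runs[i:] if t - start <= window}
            if len(tools) >= min_tools:
                bursts[user] = sorted(tools)
                break
    return bursts


def shared_tool_directories(records, min_tools=2):
    """Slide 21: directories from which several distinct flagged tools were run."""
    flagged = set(run_once_then_deleted(records)) | set(recycle_bin_execution(records))
    dirs = defaultdict(set)
    for p in flagged:
        dirs[str(PureWindowsPath(p).parent)].add(PureWindowsPath(p).name)
    return {d: sorted(n) for d, n in dirs.items() if len(n) >= min_tools}


if __name__ == "__main__":
    print(run_once_then_deleted(SLM_RECORDS))
    print(recycle_bin_execution(SLM_RECORDS))
    print(admin_tool_bursts(SLM_RECORDS))
    print(shared_tool_directories(SLM_RECORDS))
```

SLM only records a "last run" time per executable, so the burst check is necessarily about the last run of each tool; an account that ran net.exe, net1.exe and at.exe within a few minutes of the deleted Recycle Bin tools is the pattern the slides describe.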
25. Symantec's Altiris Client Management Suite
• Optional component for application metering
• Records execution history of applications run on a system
• Links Ch 10p, 10q
26. Altiris Application Metering Logs
• Saved as a plain text file, including this information:
• Manufacturer, version, user
• Discovered (date of first execution)
• And date of last execution
• Run Count and Total Run Time
27. What to Look For
• Executables without version information
• Malware authors often strip this data to hide from signature-based antivirus
• Identify suspicious executables by file size
• Malware is usually small; < 1 MB
• Attackers may use the same backdoor on multiple systems, changing only the name, so the size is the same
29. General Features
• Antivirus doesn't usually detect all programs
• Only the ones recognized as malicious
• Common administrative tools won't be detected
• Also some malicious tools lack a signature, and won't be detected
• Antivirus logs are useful, but give an incomplete picture of attacker activities
30. Antivirus Quarantine
• AV encodes malicious files & moves them to a Quarantine folder
• Files can no longer execute
• Preserves files for incident responders
• Make sure antivirus is set to quarantine files, not delete them
31. About Archives
• Attackers often use password-protected archive files
• Antivirus can't open them to scan them
• Often AV will log errors about them
• This is a clue about attacker activity
34. Quarantine Files
• File extension of .vbn
• Two VBN files for each file quarantined
• First: metadata about the quarantined file
• Second: encoded copy of the original file
35. Symantec's Encoding
• Older versions: XOR with 0x5A
• Newer versions: XOR with 0xA5 and insert additional 5-byte sequences throughout the encoded file
• Symantec's QExtract.exe can extract files from quarantine
• But only on the system that quarantined the file
36. To Extract Quarantined Files
• Obtain the correct version of QExtract
• Boot up a forensic image of the affected system
• OR use pyextract.py (link Ch 10r)
• But it sometimes fails to reconstruct the file correctly
39. Most Useful
• OnAccessScanLog.txt and OnDemandScanLog.txt
• Show files that were quarantined or deleted
• With the name of the detected threat
• Also creates events in the Event Log
40. McAfee Quarantined Files
• .bup extension, a file with two parts
• "Details" contains metadata
• File_0: the actual quarantined file
• Both are XORed with 0x6A and packed into an OLE compound file
• To extract, use 7-Zip to open the container, then decode the streams
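Decoding the single-byte XOR schemes from slides 35 and 40. This is an added example for these notes, not Symantec's QExtract, pyextract.py or any McAfee tool: it decodes a payload with the 0x5A (legacy Symantec) or 0x6A (McAfee .bup) key, picks the key by checking for an MZ header, and parses a decoded "Details" stream. The sample PE stub and Details text are constructed; the assumption that Details is INI-style text with a [Details] section and the field names in it are illustrative. The newer Symantec 0xA5 scheme with inserted 5-byte sequences is deliberately not handled; that is what QExtract and pyextract are for.

```python
import configparser

SYMANTEC_LEGACY_KEY = 0x5A   # slide 35: older Symantec VBN payloads
MCAFEE_BUP_KEY = 0x6A        # slide 40: both streams inside a McAfee .bup
QUARANTINE_KEYS = (SYMANTEC_LEGACY_KEY, MCAFEE_BUP_KEY)


def xor_decode(data, key):
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    return data[:2] == b"MZ"


def guess_key(encoded, keys=QUARANTINE_KEYS):
    """Try each vendor key and return the first that yields an MZ header, else None."""
    for key in keys:
        if looks_like_pe(xor_decode(encoded[:2], key)):
            return key
    return None


def decode_quarantined_payload(encoded, key=None):
    """Decode a quarantined executable. Returns (plaintext, key_used).
    Does NOT handle the newer Symantec 0xA5 scheme with inserted 5-byte
    sequences (slides 35-36); use QExtract or pyextract.py for those."""
    key = guess_key(encoded) if key is None else key
    if key is None:
        raise ValueError("no known single-byte key yields an MZ header")
    return xor_decode(encoded, key), key


def parse_bup_details(encoded_details):
    """Decode the McAfee 'Details' stream and parse it as INI text.
    Assumption: the stream is INI-style with a [Details] section (see the
    constructed sample below); field names are illustrative."""
    text = xor_decode(encoded_details, MCAFEE_BUP_KEY).decode("utf-8", "replace")
    cfg = configparser.ConfigParser()
    cfg.optionxform = str          # keep key case as written
    cfg.read_string(text)
    return dict(cfg["Details"])


# Constructed samples: a fake PE stub and an INI-style details record, encoded
# the way each vendor's quarantine would encode them.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode.\r\n"
ENCODED_VBN_PAYLOAD = xor_decode(FAKE_EXE, SYMANTEC_LEGACY_KEY)
ENCODED_BUP_FILE_0 = xor_decode(FAKE_EXE, MCAFEE_BUP_KEY)
ENCODED_BUP_DETAILS = xor_decode(
    b"[Details]\r\nDetectionName=Generic.dx\r\nOriginalName=C:\\TEMP\\PWDUMP.EXE\r\n",
    MCAFEE_BUP_KEY)

if __name__ == "__main__":
    plain, key = decode_quarantined_payload(ENCODED_VBN_PAYLOAD)
    print(hex(key), plain[:2])                                  # 0x5a b'MZ'
    print(parse_bup_details(ENCODED_BUP_DETAILS)["OriginalName"])
```

The MZ check is what makes the key guess safe: 'M' XOR 0x5A and 'M' XOR 0x6A are different bytes, so a payload decoded with the wrong vendor key never passes. Work on a copy of the quarantine files from the image, never on the live system's quarantine directory.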
46. Background
• Browsers send HTTP (Hypertext Transfer Protocol) requests
• GET
• To retrieve a page, image, etc.
• POST
• To send data, like a username and password
47. Ports
• HTTP uses TCP port 80 (by default)
• HTTPS uses TCP port 443 (by default)
48. Virtual Hosts
• Many websites running on the same server
• If one is compromised, they may all be affected
49. Log Files on Web Servers
• Stored in plain text
• Summary of each request
• IP of client
• URL requested
• HTTP method
• Result (status code)
51. Load Balancing
• Sends requests to a pool of servers
• Web server logs will have the IP of the load balancer, not the client
• You need to correlate load balancer logs with Web server logs
• OR: configure the load balancer to "pass through" some details about the client
• X-Forwarded-For header field
• Configure the Web server to log that header
• Caveat: the client can send its own X-Forwarded-For header, so only trust the values your own load balancer appended
52. Web Content
• Attackers often alter files on a Web server
• Or upload files, such as webshells and hacking tools
• They may be plaintext or obfuscated
54. Apache
• Free, open-source
• Usually running on Linux
• Configuration files
• httpd.conf, apache.conf, apache2.conf
• Some directives in .htaccess files
55. Apache Log Files
• access.log and error.log (plain text)
• In a subdirectory of /var/log
• To log X-Forwarded-For headers, add this token to the LogFormat line in the configuration file:
%{X-Forwarded-For}i
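Reading the resulting log and recovering the real client address, with the caveat from slide 51 built in. This is an added example for these notes, not Apache's own code: it assumes a LogFormat of `"%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b"` (the standard common-log fields with the X-Forwarded-For token from above prepended), a constructed access.log, and that 10.0.0.5 and 10.0.0.9 are your load balancers. The client address is taken by walking the proxy chain from the right and stopping at the first hop that is not one of your own proxies, so a forged X-Forwarded-For from a direct client is ignored.

```python
import ipaddress
import re
from datetime import datetime

# Apache side (assumed; only the %{X-Forwarded-For}i token comes from the slides):
#   LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b" proxied
#   CustomLog ${APACHE_LOG_DIR}/access.log proxied
# Constructed access.log lines produced by that format. The load balancers are
# 10.0.0.5 and 10.0.0.9 (assumed).
SAMPLE_ACCESS_LOG = """\
203.0.113.7, 10.0.0.5 10.0.0.9 - - [02/Jul/2012:15:15:37 +0000] "POST /upload.php HTTP/1.1" 200 512
- 198.51.100.20 - - [02/Jul/2012:15:16:01 +0000] "GET /index.html HTTP/1.1" 200 2048
1.2.3.4 192.0.2.55 - - [02/Jul/2012:15:17:22 +0000] "GET /admin/ HTTP/1.1" 403 -
"""

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.9")}

# The XFF value may contain spaces ("a, b"), so it is matched non-greedily and
# anchored by the fixed "%h %l %u [" sequence that follows it.
LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<remote>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    d = m.groupdict()
    d["xff"] = [] if d["xff"] == "-" else [p.strip() for p in d["xff"].split(",")]
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def effective_client(entry, trusted=TRUSTED_PROXIES):
    """Walk the hop chain from the right. XFF is client-controlled, so only the
    entries appended by our own proxies are believed; the first hop that is not
    one of them (including junk that is not an IP at all) is the client's claim."""
    chain = entry["xff"] + [entry["remote"]]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return hop                  # not an address: an injected value, keep it visible
        if addr not in trusted:
            return hop
    return entry["remote"]              # every hop was a proxy; best we can do


def client_ips(log_text, trusted=TRUSTED_PROXIES):
    return [effective_client(parse_line(l), trusted) for l in log_text.splitlines() if l]


if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG.splitlines():
        e = parse_line(line)
        print(effective_client(e), e["request"], e["status"])
```

The third sample line is the case the caveat is about: the request came straight from 192.0.2.55, not through a load balancer, so its "1.2.3.4" header is a claim by the attacker and is discarded.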
56. Content Locations
• /var/www or /var/www/html by default
• Often changed
• Search for ServerRoot and DocumentRoot directives in configuration files
57. Microsoft's IIS
• Internet Information Services
• Included in Server versions of Windows
• Configured through IIS Manager (under Administrative Tools in Control Panel)
• Most relevant settings are stored in an XML file named applicationHost.config
58. IIS Config File
• Each site's ID number appears at the end of its log directory name
• %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
59. IIS Log Files
• Filenames contain the date in YYMMDD format
• u_ex140220.log -- logs from Feb. 20, 2014
• Advanced Logging places logs in a different directory
• Logs are plaintext but are encoded with UTF-8 and may include Unicode characters
• Times in W3C-format logs are UTC (unlike the DHCP log on slide 7)
60. Example Log File
• Link Ch 10u
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-04-13 19:02:34
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-02 15:15:37 XXX.XX.XX.XXX POST /AjaxWebMethods.aspx/TestWebMethod - 443 - XXX.XX.XX.XX Mozilla/5.0+(Windows+NT+5.1;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 405 0 0 218
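A parser for that W3C extended format, driven by the #Fields header rather than hard-coded column positions. This is an added example for these notes, not Microsoft's code: the sample log is constructed from the slide's record (its masked addresses replaced with documentation-range addresses) plus two invented lines, including a POST to an assumed webshell path. It undoes the "+" that IIS substitutes for spaces, converts the numeric columns, and copes with a second #Fields line appearing mid-file after a service restart.

```python
# Constructed IIS log in W3C extended format, modelled on the slide's example
# (masked addresses replaced with documentation ranges) plus two further lines.
# IIS writes W3C logs in UTC and substitutes '+' for spaces in fields such as
# cs(User-Agent); a new #Fields line can appear mid-file after a restart.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-07-02 15:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-02 15:15:37 192.0.2.10 POST /AjaxWebMethods.aspx/TestWebMethod - 443 - 203.0.113.5 Mozilla/5.0+(Windows+NT+5.1;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 405 0 0 218
2012-07-02 15:16:02 192.0.2.10 GET /default.aspx - 443 - 203.0.113.5 Mozilla/5.0+(Windows+NT+5.1;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 200 0 0 31
2012-07-02 15:20:44 192.0.2.10 POST /uploads/cmd.aspx c=whoami 443 - 198.51.100.77 python-requests/2.7.0 200 0 0 12
"""

NUMERIC_FIELDS = {"sc-status", "sc-substatus", "sc-win32-status", "time-taken", "s-port"}


def parse_iis_w3c(text):
    """Return one dict per request, keyed by the names in the current #Fields line."""
    fields, entries = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # header may repeat after a service restart
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("record before any #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {raw!r}")
        entry = {}
        for name, value in zip(fields, values):
            if name in NUMERIC_FIELDS and value != "-":
                entry[name] = int(value)
            else:
                # Undo IIS's space encoding. A literal '+' in a query string is
                # indistinguishable from an encoded space here; keep the raw
                # line if that distinction matters for a case.
                entry[name] = value.replace("+", " ")
        entries.append(entry)
    return entries


def select(entries, method=None, min_status=None, with_query=False):
    """Simple triage filter: HTTP method, minimum status code, non-empty query string."""
    out = []
    for e in entries:
        if method and e.get("cs-method") != method:
            continue
        if min_status and e.get("sc-status", 0) < min_status:
            continue
        if with_query and e.get("cs-uri-query", "-") == "-":
            continue
        out.append(e)
    return out


def requests_per_client(entries):
    counts = {}
    for e in entries:
        counts[e["c-ip"]] = counts.get(e["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_iis_w3c(SAMPLE_IIS_LOG)
    for e in select(entries, method="POST"):
        print(e["date"], e["time"], e["c-ip"], e["cs-uri-stem"], e["cs-uri-query"], e["sc-status"])
    print(requests_per_client(entries))
```

Open real log files as UTF-8 (slide 59) before passing their text in; a POST to a script under an upload directory with a command-like query string, from a client that sends a scripting user agent, is the kind of record `select` is meant to surface for a closer look at the Web content (slide 52).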
62. DB Evidence
• Client connection logs
• Attacker's IP address
• Error logs
• Malformed queries; brute force attacks
• Query logs
• Often not enabled, but would show what the attacker was trying to access
63. DB Storage
• Data stored in many files
• Sometimes "raw" storage
• Proprietary methods to manage one or more storage devices at the physical level
• Work with the database administrator to deal with customized databases
• Don't work on a live DB
• You might modify data or even cause a crash
64. Microsoft SQL
• Free version: SQL Server Express
• Configured with Microsoft SQL Server Management Studio (SSMS)
• MSSQL does not log successful client connections by default
• Only failed connections
65. ERRORLOG
• This example logs first an unsuccessful, then a successful, connection attempt
• Both go into ERRORLOG
66. Query Logging
• MSSQL does not log queries by default
• You can turn on a "server-side trace"
• But it incurs large processing overhead
67. Preserving DB Evidence
• Forensic image of the drives containing the DB
• Good, but requires taking down the DB server
• Copying DB files: .mdf & .ldf
• Locked; must take down the DB to copy them
• Use SSMS to back up or export data
• Alters some evidence, like other live images
68. MySQL
• Free, open-source, common on Linux
• After Oracle bought it, the open-source fork MariaDB became popular
• Configuration file is my.cnf or my.conf
69. MySQL Logs
• Commonly in /var/log/mysql
• Only the error log is enabled by default
• The general log is more useful for us, but causes high logging overhead
70. Example
• General log
• User "root" connected from 192.168.200.2
• Executed this query:
select * from cc_data limit 1
71. Acquiring MySQL Data
• Can use a number of database file storage formats
• Ideal way:
• Shut down the server gracefully, image the hard disk
• On a running system:
• Stop the MySQL service and copy all the files in the datadir, or
• Back up with the mysqldump command without stopping the service
72. Oracle
• Runs on Windows or Linux
• Expensive
• listener.log
• Logs details about each client connection
• On by default
• log.xml
• Alerts -- records traces and dumps
73. Example listener.log
• Connection to an Oracle DB through the listener
• "Bob" is the username on the remote system
• Does not indicate whether the login succeeded or failed
• Unless auditing is enabled (high performance impact)