The event logs are located in the Windows or WINNT directory under %WinDir%\system32\config. These files end in .evt, but we have seen them with different capitalization schemes (.evt, .EVT, .Evt). The security event log is controlled by the Local Policy | Audit Policy settings. For this type of analysis, the following policies should be set to Success, Failure:
- Audit account logon events
- Audit account management
- Audit policy change
- Audit privilege use
In practice, we normally gather all the logs and then examine them one at a time in real time, then later analyze them in non-real time. Here we describe the examination process as we describe how to locate each log. Use the Administrative Tools and Event Viewer to examine the Security event log. In the security event log you are looking first for failed logins (see Figure 5.4). You can sort the file by clicking the Type column. This will divide the log into successes and failures. In our case the entries of interest are the failed logins with a logon type 3, the network logon. You can find more information about the logon types listed in the event log at http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.msp, or search Microsoft for "audit logon events." In addition, we looked for instances of logon type 3 in which the originating workstation name differed from the victim's computer and where the domain name is the name of the attacking computer. In most environments, this should be a rare occurrence. The victim's computer would have to be actively sharing files and adding local accounts from the other computer as users on the victim's computer. To clinch the case, password-guessing attacks occur much more quickly than any human can type. This won't be the case every time. The password-guessing tools we have captured can throttle down the attack frequency (x attacks over y hours), so it might not be so obvious (see Figure 5.5). Both Phatbot and Rbot provide other clues that a password-guessing attack is under way. Earlier in the book we listed the default userids they both can use. You might not see this in every attack, but if the bot hasn't gathered any userids locally yet, or if the gathered userids haven't gotten in, the bot might try userids from the default list.
They almost always try Administrator, so if you have renamed this account, its appearance in a failed login attack raises the probability that this is an attack. If you see attempts using userids of Administrador, then administrateur as the login ID, you can be certain that this is a password-guessing attack and that a bot (probably Phatbot, Rbot, or another related bot family) is attacking the victim's computer. If the attempts happen to take place during times that no one is supposed to be working in that department, you can be even more certain. So, what's the point of analyzing this data? You are examining this computer because someone already said it was virus infected or because one of your intelligence sources spotted it talking to a known C&C server. Here's the value of this analysis: The computers listed in the workstation field of the failed login records with logon type 3, where the workstation field differs from the victim's computer name, are all infected computers. Using this technique during the analysis phase, we have found over 200 infected computers that were part of one botnet. This is despite the fact that we actively scan for bot C&C activity. This is defense in depth at its finest. However, that is during the analysis step, which we will cover later in this chapter. In this step we are trying to determine the attack vector, the time of the successful attempt, and the userid that successfully logged in (which should now be considered compromised). Finding these failed login attempts tells us that password guessing was one of the attack vectors. Finding a successful login among the attempts using one of the attempted userids, or immediately following the final attempt, is valuable because it marks the time of the actual break-in. Take note of this time because you will use it later to look for files associated with the break-in (see Figure 5.6).
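The single-host examination just described, as an added example that is not part of the chapter: it filters failure audits (Windows EventType 16) with logon type 3 whose workstation field is not the victim, summarizes each attacking workstation (attempt count, mean interval between attempts, whether the domain field equals the workstation name, and any of the default bot userids the chapter names), and then looks for the success audit (EventType 8) that marks the break-in: a type-3 logon from the same workstation, using a userid it had tried, at or after its first failure. The record layout, the `Event` fields and the sample events are this example's own constructions, not Event Viewer's export format.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

FAILURE_AUDIT, SUCCESS_AUDIT = 16, 8   # Windows Security log EventType values
LOGON_LOGOFF = 2                       # EventCategory for logon/logoff events
NETWORK_LOGON = 3                      # logon type 3 = network logon

# Default userids the chapter names as a bot signature; extend from your own captures.
BOT_DEFAULT_USERIDS = {"administrator", "administrador", "administrateur"}

class Event(NamedTuple):
    time: datetime
    event_type: int
    category: int
    logon_type: int
    userid: str
    domain: str
    workstation: str
    computer: str

def ev(ts, etype, ltype, userid, domain, workstation, computer="VICTIM"):
    """Helper to build a constructed logon event (assumed layout, not a real export)."""
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), etype, LOGON_LOGOFF,
                 ltype, userid, domain, workstation, computer)

# Constructed sample log for the host VICTIM.
SAMPLE_EVENTS = [
    ev("2006-08-16 08:20:00", SUCCESS_AUDIT, 2, "jdoe", "VICTIM", "VICTIM"),            # console logon, ignored
    ev("2006-08-16 08:21:10", FAILURE_AUDIT, 3, "Administrator", "ATTACKER2", "ATTACKER2"),
    ev("2006-08-16 08:21:11", FAILURE_AUDIT, 3, "Administrator", "ATTACKER2", "ATTACKER2"),
    ev("2006-08-16 08:21:12", FAILURE_AUDIT, 3, "Administrador", "ATTACKER2", "ATTACKER2"),
    ev("2006-08-16 08:21:13", FAILURE_AUDIT, 3, "administrateur", "ATTACKER2", "ATTACKER2"),
    ev("2006-08-16 08:21:14", FAILURE_AUDIT, 3, "backup", "ATTACKER2", "ATTACKER2"),
    ev("2006-08-16 08:21:15", FAILURE_AUDIT, 3, "backup", "ATTACKER2", "ATTACKER2"),
    ev("2006-08-16 08:21:16", SUCCESS_AUDIT, 3, "backup", "VICTIM", "ATTACKER2"),       # the break-in
    ev("2006-08-16 09:02:41", FAILURE_AUDIT, 3, "jsmith", "LABPC1", "LABPC1"),          # one mistyped lab share
    ev("2006-08-16 09:30:00", FAILURE_AUDIT, 3, "jdoe", "VICTIM", "VICTIM"),            # workstation == victim, ignored
]

def suspicious_failures(events, computer):
    """Failed network logons to `computer` whose workstation field names some other host."""
    return [e for e in events
            if e.event_type == FAILURE_AUDIT and e.category == LOGON_LOGOFF
            and e.logon_type == NETWORK_LOGON
            and e.workstation.upper() != computer.upper()]

def attacker_summary(failures):
    """Per attacking workstation: volume, pace, and the default-userid and domain clues."""
    by_ws = defaultdict(list)
    for e in failures:
        by_ws[e.workstation].append(e)
    summary = {}
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e.time)
        span = (evs[-1].time - evs[0].time).total_seconds()
        summary[ws] = {
            "attempts": len(evs),
            "userids": sorted({e.userid for e in evs}),
            "default_userids": sorted({e.userid for e in evs
                                       if e.userid.lower() in BOT_DEFAULT_USERIDS}),
            "domain_is_workstation": all(e.domain.upper() == ws.upper() for e in evs),
            # Sub-second to a few seconds per attempt is faster than a human types.
            "mean_interval_s": (span / (len(evs) - 1)) if len(evs) > 1 else None,
        }
    return summary

def find_break_in(events, failures, computer) -> Optional[Event]:
    """Earliest successful type-3 logon from an attacking workstation, with a userid it
    tried, at or after its first failed attempt: the time of the actual break-in."""
    tried, first_fail = defaultdict(set), {}
    for e in failures:
        tried[e.workstation].add(e.userid.lower())
        first_fail[e.workstation] = min(first_fail.get(e.workstation, e.time), e.time)
    hits = [e for e in events
            if e.event_type == SUCCESS_AUDIT and e.logon_type == NETWORK_LOGON
            and e.computer.upper() == computer.upper()
            and e.workstation in tried
            and e.userid.lower() in tried[e.workstation]
            and e.time >= first_fail[e.workstation]]
    return min(hits, key=lambda e: e.time) if hits else None

if __name__ == "__main__":
    fails = suspicious_failures(SAMPLE_EVENTS, "VICTIM")
    for ws, info in attacker_summary(fails).items():
        print(ws, info)
    print("break-in:", find_break_in(SAMPLE_EVENTS, fails, "VICTIM"))
```

LABPC1 shows up with a single attempt and no default userids, which is the kind of entry to triage as a possible legitimate share before treating the host as infected; ATTACKER2 shows one attempt per second, the default userids, and the domain field set to its own name, and the `backup` success that follows its last guess gives the time to carry into the file-system examination.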
During the analysis phase you can use a log processor such as Log Parser from Microsoft to process multiple log files at once. At the time of this printing, Log Parser can be downloaded from www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en. Log Parser reads the event files and permits the analyst to craft SQL queries to extract information. We created a batch file containing a single line:

    "C:\Program Files\Log Parser 2.2\LogParser.exe" -o:CSV file:LogonFailuresDistinct2.sql?machine=*

This line says, "Run Log Parser, read the file LogonFailures.sql, execute the SQL commands you find there, report what you find for all machines, and place the results in a comma-separated value file." The SQL query LogonFailures says:

    FROM .\logs2\*.evt
    WHERE EventType = 16 AND EventCategory = 2 AND Attacking_Workstation <> ComputerName

This query will cause Log Parser to:
- Extract the TimeGenerated field
- Extract the user name and logon domain and concatenate them to form a field called User
- Relabel the ComputerName field to Targeted Computer
- Find the Workstation field
Log Parser is to do this for all the event logs in .\logs, for all logon events (Event Category 2) that failed (Event Type 2) and where the attacking workstation name doesn't match the ComputerName field. Table 5.1 shows a sample of the output from this SQL query. You can see that attacks came from two computers, ATTACKER1 and ATTACKER2. ATTACKER2 shows the pattern consistent with an automated password-guessing attack, with attempts coming one a second for an hour. It is also a bit of a clue that there were 2200 attempts during that hour. You can also see that the attacker in our greatly modified example used a dictionary containing five passwords to try for each userid. When you consolidate all the logs like this for analysis, you can see the attack pattern. Find an attacker and then look for the attacker in the Victim column. You can note which computer infected that one and trace it back in the Victim column, thus reconstructing the timeline of the spread of the botnet. This will frequently show the pattern called "fan out," where the botnet infects a single computer in a new subnet, then that computer fans out to infect others in the same subnet. Using this technique we are able to turn the bot client's attack vector into an intelligence source.
Table 5.1 (sample row):

| Time Generated | User | Targeted Computer (Victim) | Attacking Workstation |
|---|---|---|---|
| 8/16/2006 8:21:15 | ATTACKER2\Administrador | VICTIM | ATTACKER2 |
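The consolidated analysis described above (attack pace per hour, tracing an attacker back through the Victim column to the computer that infected it, and spotting fan-out), as an added example that is not part of the chapter. It takes CSV rows in the shape of Table 5.1; the column names, the sample rows, and the infector heuristic (the attacker with the most attempts against a host whose activity precedes that host's own first outgoing attempt) are this example's own assumptions, not Log Parser output or the book's method.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed rows in the shape of Table 5.1: time, DOMAIN\userid, targeted computer,
# attacking workstation. Hosts and times are invented for the example.
SAMPLE_CSV = r"""TimeGenerated,User,TargetedComputer,AttackingWorkstation
2006-08-16 07:05:00,ATTACKER1\Administrator,ATTACKER2,ATTACKER1
2006-08-16 07:05:01,ATTACKER1\Administrador,ATTACKER2,ATTACKER1
2006-08-16 07:05:02,ATTACKER1\administrateur,ATTACKER2,ATTACKER1
2006-08-16 08:21:13,ATTACKER2\Administrator,VICTIM,ATTACKER2
2006-08-16 08:21:14,ATTACKER2\Administrator,VICTIM,ATTACKER2
2006-08-16 08:21:15,ATTACKER2\Administrador,VICTIM,ATTACKER2
2006-08-16 08:40:00,ATTACKER2\Administrator,VICTIM2,ATTACKER2
2006-08-16 08:40:01,ATTACKER2\Administrador,VICTIM2,ATTACKER2
2006-08-16 09:12:30,LABPC1\jsmith,VICTIM2,LABPC1
2006-08-16 10:00:00,VICTIM\Administrator,VICTIM3,VICTIM
2006-08-16 10:00:01,VICTIM\Administrador,VICTIM3,VICTIM
"""

def load_rows(text):
    """Parse the consolidated CSV into time-sorted dicts with normalized host names."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(r["TimeGenerated"], "%Y-%m-%d %H:%M:%S"),
            "user": r["User"],
            "victim": r["TargetedComputer"].upper(),
            "attacker": r["AttackingWorkstation"].upper(),
        })
    return sorted(rows, key=lambda r: r["time"])

def attack_edges(rows):
    """(attacker, victim) -> first/last attempt time and attempt count."""
    edges = {}
    for r in rows:
        e = edges.setdefault((r["attacker"], r["victim"]),
                             {"first": r["time"], "last": r["time"], "attempts": 0})
        e["first"] = min(e["first"], r["time"])
        e["last"] = max(e["last"], r["time"])
        e["attempts"] += 1
    return edges

def peak_attempts_per_hour(rows, attacker):
    """Highest number of attempts one attacker made within a single clock hour."""
    hours = Counter(r["time"].replace(minute=0, second=0, microsecond=0)
                    for r in rows if r["attacker"] == attacker)
    return max(hours.values(), default=0)

def likely_infector(rows, host, min_attempts=2):
    """Heuristic: the attacker with the most recent sustained attack (>= min_attempts)
    against `host` before `host` itself started attacking. Hosts seen only once
    against this victim are skipped so a lone mistyped share does not enter the chain."""
    outgoing = [r["time"] for r in rows if r["attacker"] == host]
    cutoff = min(outgoing) if outgoing else None
    per_attacker = defaultdict(list)
    for r in rows:
        if r["victim"] == host and (cutoff is None or r["time"] < cutoff):
            per_attacker[r["attacker"]].append(r["time"])
    serious = {a: max(ts) for a, ts in per_attacker.items() if len(ts) >= min_attempts}
    return max(serious, key=serious.get) if serious else None

def infection_chain(rows, host):
    """Walk back from `host` through its likely infectors to the earliest known attacker."""
    chain, seen = [host.upper()], set()
    while True:
        seen.add(chain[-1])
        nxt = likely_infector(rows, chain[-1])
        if nxt is None or nxt in seen:   # root reached, or a cycle in the data
            return chain
        chain.append(nxt)

def fan_out(rows, min_victims=2):
    """Attackers that went after several victims: the chapter's fan-out pattern."""
    victims = defaultdict(set)
    for r in rows:
        victims[r["attacker"]].add(r["victim"])
    return {a: sorted(v) for a, v in victims.items() if len(v) >= min_victims}

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for (a, v), e in attack_edges(rows).items():
        print(f"{a} -> {v}: {e['attempts']} attempts, {e['first']} .. {e['last']}")
    print("ATTACKER2 peak/hour:", peak_attempts_per_hour(rows, "ATTACKER2"))
    print("chain for VICTIM3:", " <- ".join(infection_chain(rows, "VICTIM3")))
    print("fan-out:", fan_out(rows))
```

On the sample rows the chain for VICTIM3 runs back through VICTIM and ATTACKER2 to ATTACKER1, and ATTACKER2 is the only host showing fan-out. The `min_attempts` guard keeps LABPC1, which appears once against VICTIM2, out of the chain; that host still belongs in the help desk ticket until a legitimate reason for the attempt is found.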
You can find basic explanations in the accompanying help file and by searching the Microsoft Web site for Logparser. There is also a much more in-depth treatment of uses of Log Parser in the Syngress book, Microsoft Log Parser Toolkit, written by Gabriele Giuseppini and Mark Burnett. Giuseppini is one of the Microsoft developers of the tool. The computers listed in the Attacking Workstation column are the infected systems, unless you can discover a legitimate reason for the failed attempt to connect the two workstations. For example, you might discover that a small group of workstations in a lab have set up shares between them, and users sporadically connect workstations. For this reason, we include as much of the following information as we can in the help desk ticket for this incident:
- Computer name and source
- IP address and source
- MAC address and source
- What was observed (for example, password-guessing attack against Victim1)
- Userid used
- Date/time of the most recent attack
- User name
- Building, room, and jack number
We discovered that it was necessary to know what was solid information (found in the logs) and what was derived (for example, IP address from an NSLookup of the computer name). The time last observed is crucial, particularly in environments using DHCP, since you are only interested in the computer that held a particular IP address during the time of the event observed in the logs. In our case, the lookup table we used for building, room number, and jack number was dreadfully out of date and consequently inaccurate. If the computer was online, the network team could confirm the room number and data jack by reading the switch that detected the computer. The most difficult part of this process proved to be matching the infected machine with a user and location. Several critical pieces of our infrastructure are missing. There is no asset management system, so the asset database is not linked to the help desk system. The database that links the building, room, and data jack information to a switch interface has not been kept up to date. The building maps to rooms and data jacks haven't been kept up to date, so we keep sending techs out to rooms that no longer exist. There is no simple way to correlate the computer's NetBIOS name to its IP address and MAC address. Although there is a standard naming convention for computers, it is loosely followed by other departments. It is next to impossible to find a computer named LAPTOP in a population of 27,000 users. In XP, the security event log record only contains the computer's NetBIOS name, not the IP address; the way our DNS is set up, few of these NetBIOS names are found using nslookup. Under these circumstances, we have had to find creative ways to locate these infected computers. If the userid has portions of a name, we try student and staff records to see if there is a match or a short list of candidates.
Sometimes the computer name is slightly unique, and a search of the university's Web pages can win the prize. One good case was a computer called ELEFANT. Searching through the university's Web pages revealed a Web page for the chemistry department's lab network that touted ELEFANT as the most important computer in their lab. The Web page also identified the lab manager's name, phone number, and e-mail address. Once we are confident in the IP address associated with an attacker, the help desk ticket is assigned to our networking group. The networking group places the switch port associated with the attacker into a network jail, although our kinder, gentler customer service interface calls it a "network quarantine" when speaking to our customers. The networking group then confirms the building and room information directly from the switch, to confirm the database entries we posted earlier.
Once the computer's location has been determined, the help desk ticket is assigned to our desktop support techs, who arrange for it to be retrieved for our quick forensic examination and reimaging. We had determined early in the process that with this bot, reimaging was preferable to attempting to remove the virus and chancing that we would miss something. Reimaging also gave us the opportunity to remove the offending local administrator accounts. As we processed systems, we realized that we needed to collect and correlate data about all the systems we had identified. For that we established a spreadsheet that brings together all the relevant information. That means, if we see a system in an event log two months from now, we can confirm whether the system was reimaged since the time of the new sighting or if this is a reinfection. We are now experimenting with using a tool called NTSyslog, available for download at http://sourceforge.net/projects/ntsyslog, to automatically forward the Security Event logs to a central syslog server. The central syslog server formats the data for an SQL database and then will run the above query in approximate real time. This has the effect of turning this approach into an early warning tool instead of a recovery tool.
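The early-warning pipeline sketched in the last paragraph, as an added example that is not part of the chapter and not NTSyslog's or Log Parser's code: forwarded Security events are parsed from syslog lines, loaded into a SQL table, and the chapter's WHERE clause (EventType 16, EventCategory 2, workstation different from ComputerName) is run against the table. The syslog line layout, the field names, the table schema, and the sample lines are this example's own assumptions; NTSyslog's actual output format is not described on the page, so a real deployment would adapt `LINE_RE` and `FIELD_RE` to what the forwarder emits.

```python
import re
import sqlite3
from datetime import datetime

# Constructed syslog lines approximating forwarded Security events (assumed layout).
SAMPLE_SYSLOG = [
    "Aug 16 08:21:14 VICTIM security[failure] 529 Logon Failure: Reason: Unknown user name or bad password "
    "User Name: Administrator Domain: ATTACKER2 Logon Type: 3 Workstation Name: ATTACKER2",
    "Aug 16 08:21:15 VICTIM security[failure] 529 Logon Failure: Reason: Unknown user name or bad password "
    "User Name: Administrador Domain: ATTACKER2 Logon Type: 3 Workstation Name: ATTACKER2",
    "Aug 16 08:21:16 VICTIM security[success] 540 Successful Network Logon: "
    "User Name: backup Domain: VICTIM Logon Type: 3 Workstation Name: ATTACKER2",
    "Aug 16 08:30:02 VICTIM security[failure] 529 Logon Failure: Reason: Unknown user name or bad password "
    "User Name: jdoe Domain: VICTIM Logon Type: 2 Workstation Name: VICTIM",
    "Aug 16 08:31:00 VICTIM security[success] 538 User Logoff: User Name: jdoe Domain: VICTIM Logon Type: 2",
]

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"security\[(?P<result>success|failure)\] (?P<eid>\d+) (?P<msg>.*)$")
FIELD_RE = {
    "user": re.compile(r"User Name:\s*(\S+)"),
    "domain": re.compile(r"Domain:\s*(\S+)"),
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    "workstation": re.compile(r"Workstation Name:\s*(\S+)"),
}
EVENT_TYPE = {"failure": 16, "success": 8}   # Windows EventType: Failure Audit / Success Audit

def parse_line(line, year=2006):
    """Turn one forwarded line into a row dict; None if it is not a logon event with
    all the fields the query needs (syslog carries no year, so one is assumed)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {}
    for key, rx in FIELD_RE.items():
        f = rx.search(m["msg"])
        if f is None:
            return None
        fields[key] = f.group(1)
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "event_type": EVENT_TYPE[m["result"]],
        "event_category": 2,   # Logon/Logoff; fixed here because the sample carries only logon events
        "event_id": int(m["eid"]),
        "logon_type": int(fields["logon_type"]),
        "user": fields["user"], "domain": fields["domain"],
        "workstation": fields["workstation"], "computer": m["host"],
    }

SCHEMA = """CREATE TABLE IF NOT EXISTS security_events (
    TimeGenerated TEXT, EventType INTEGER, EventCategory INTEGER, EventID INTEGER,
    LogonType INTEGER, UserName TEXT, Domain TEXT, Workstation TEXT, ComputerName TEXT)"""

# The chapter's filter, expressed against the table above; output mirrors Table 5.1.
QUERY = r"""
SELECT TimeGenerated, Domain || '\' || UserName AS User,
       ComputerName AS TargetedComputer, Workstation AS AttackingWorkstation
FROM security_events
WHERE EventType = 16 AND EventCategory = 2 AND LogonType = 3
  AND UPPER(Workstation) <> UPPER(ComputerName)
ORDER BY TimeGenerated"""

def build_db(lines):
    """Load parsed lines into an in-memory SQLite table (a server would append continuously)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            conn.execute("INSERT INTO security_events VALUES (?,?,?,?,?,?,?,?,?)",
                         (ev["time"], ev["event_type"], ev["event_category"], ev["event_id"],
                          ev["logon_type"], ev["user"], ev["domain"], ev["workstation"], ev["computer"]))
    conn.commit()
    return conn

def failed_remote_logons(conn):
    """Rows that name a probable infected workstation, in Table 5.1 column order."""
    return conn.execute(QUERY).fetchall()

if __name__ == "__main__":
    for row in failed_remote_logons(build_db(SAMPLE_SYSLOG)):
        print(row)
```

Of the five sample lines, only the two ATTACKER2 failures survive the query: the successful `backup` logon is a success audit, the `jdoe` failure has the workstation equal to the victim, and the logoff line lacks a workstation field and is dropped at parse time. Scheduling `failed_remote_logons` against the growing table is what turns the query from a recovery step into the early warning the chapter describes.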