CompTIA CYSA+ CS0-002 – Analyzing Host-related IOCs Part 3
Unauthorized privilege. In this lesson we’re going to talk about unauthorized privileges, which is something that an attacker tries to do once they exploit your system. Now one of the most common things an attacker will do once they get into a system is try to escalate their privileges and this is known as privilege escalation. Now simply put, privilege escalation is the practice of exploiting flaws in an operating system where other applications to gain a greater level of access than was intended for the user application. Now this is important because often the initial intrusion vector is something like a phishing campaign. If I can get a user to click on a link in my phishing campaign, they can let me in and I can actually take over their account.
But that’s only a regular user account. It’s not going to be strong enough for me to do some of the things I want to do. And so as an attacker I want to be able to escalate my privileges and get to root on a Linux system or admin on a Windows system. So the question becomes, as an analyst, how do you detect privilege escalation? And that’s what we’re going to focus on in this lesson because we’re going to be looking at the indicators of compromise for that. Now, as a security team, one of the ways you can detect this is by monitoring authentication and authorization systems. Now this is really important and there are five key things you need to look at. First you need to look at unauthorized sessions. Then you need to look at failed logons. After that you should be looking for new accounts.
After that you should be looking for guest account usage. And finally, you should be looking at off hours usage. Let’s take a closer look at each of these first unauthorized sessions. When you’re looking at unauthorized sessions, you’re looking at what’s occurring when certain accounts access devices or services that they should not be authorized to have access to. For example, if I’m a regular user and I work in human resources, should I have access to anything in the accounting department? Probably not. And if you start seeing some kind of a session going from my user account, which is attached to the human resources area and it’s connecting into the accounting area, that would be something you should flag as an unauthorized session and look into.
Further, the second type of thing we want to look for is failed logons. A failed log on is any attempt to authenticate to the system using the incorrect username and password combination or other credentials. Essentially somebody’s tried to log on and they have the wrong username or wrong password. Now just because there’s a failed log on doesn’t mean you’re under attack. Oftentimes it’s somebody putting in the wrong password because they forgot it or they mistyped it and that can be perfectly normal. But if you see multiple attempts with the wrong username and password over and over again. That could be an indication of somebody trying to do password guessing or a brute force attack.
Next, we want to look for any new accounts. Now, as an attacker they want to try to be able to create new accounts on a system. And if they can do this, this can be really dangerous because they can create a new account, such as an administrator account, and then have unbridled access to all of your systems. One of the things you need to do as an analyst is go through often and check your accounts and see if there’s any new accounts and who created them, were they authorized or was it the product of some kind of an attack? After that, we want to consider any guest account usage. Now, guest accounts can be dangerous because they can enable an attacker to log on to a domain and begin footprinting the network and start figuring out who’s on the network, what type of devices are on the network, what type of software is on the network and all of that is information they can use in further attacks.
And finally, we want to look out for any off hours usage. Off hours usage occurs when an account is being used in off hours. This may indicate an attacker is attempting to catch the organization unaware. For example, if your company’s employees normally work from nine in the morning till five in the afternoon and you start seeing somebody logged on at one in the morning or two in the morning, that is off hours usage. And you need to look into do they have valid reason to do that? And if not, were they really the ones who were doing it? Or is there somebody on the other side of the world who has hacked into your machine and is now logging in as that user? Now, the last thing we need to talk about in this lesson is unauthorized privileges.
Now, one of the things we as analysts need to look for is looking at our security policies and our system policies and making sure they are properly enforced to provide the right access to the right users and to block access to those users who shouldn’t be on our systems. This should result in access denied. Now, as we do this, there are a couple of tools that we can use to check our policies. The first one is the Microsoft Policy Analyzer. This can identify whether a policy deviates from a configuration baseline. So once you know what your security baseline should be, you can create your policies in that and then use the Policy Analyzer to make sure those policies are in effect across all of your systems.
Another tool you can use to track your privileges and any privilege changes is access check and access enum. These are part of the Sisinternal suite and they can analyze privileges applied to a resource or file. This will allow you to verify based on their audit log and make sure that the right privileges are on the right file still and that an attacker has not changed. That for you. This will make sure that you have the right authorized privileges and you aren’t getting into the realm of unauthorized privileges.
Unauthorized software. Unauthorized software is one of the most obvious IOCs that you can encounter. Essentially, you find some piece of software that shouldn’t be there. It could be a worm, a virus, a Trojan or any other kind of malware. If you see this and you get a malware alert, this is an indicator that something is there that shouldn’t be and this is unauthorized software. Now, in addition to these obvious examples of malware, there are more subtle software based indicators of compromise that could involve the presence of attack tools on a given system. Because a lot of the attack tools that are out there are actually used by system administrators as well. For example, we’ve talked about Netcap before, we’ve talked about Nmap before, and Wireshark.
All of these are tools that can be used by an analyst or an administrator, but they can also be used by an attacker. So when you find them, you have to determine are they authorized or not? And if they aren’t, that could be an indicator compromise of that system that some attackers now put new tools on that system for them to use. Now, unauthorized software doesn’t always have to mean some kind of malware or admin tool. It can just be software that a user isn’t permitted to install themselves. For example, unauthorized software can include legitimate software that shouldn’t be installed on a particular workstation. In one company I worked at, we had a lot of users who would want a particular piece of software, maybe something like Adobe Acrobat or Microsoft Vizio.
And if we didn’t provide it for them, they would go to the store, buy it themselves and then try to install it on the computer. Now, if they were successful in doing that, that is technically unauthorized software because they weren’t approved to install it on that workstation. And now the big problem with this isn’t that that piece of software was bad, but it now introduces new vulnerabilities because we have to know it’s there so we can patch it and update it and make sure we have a valid license for it and all of those type of things. So all of those things are things you to consider as well when you’re dealing with software. Another area of concern is if users start installing other services on their machines.
For example, Apache may be an authorized piece of software for you to install on a Web server. But does that mean that everyone in the organization should be able to install Apache on their workstation and run their own Web server? Well, of course not. That would be silly because it would be something that would be a big glaring vulnerability. So as we’re scanning our network and looking for different pieces of software, these are the kind of things we’re looking for. Things that are out of place, things that are not authorized and shouldn’t be out there on those given workstations. Now another thing an attacker can do is they can modify normal files for malicious use.
For example, think about your host file on a computer. If you think back to your A plus studies, you’ll remember that a host file is essentially a local DNS. So if I modify that host file and I change Youtube. com to a particular IP address, it’s always going to trust the host file over the DNS server. It checks there first. And so I can actually bypass you going to a valid DNS server by using your host file and modifying it as an attacker. This is something to keep in mind as well. As you conduct the analysis of a workstation, you’re going to come across a lot of different files out there and a lot of different file types based on the applications are installed.
Now, to look at these, you’re going to have to use an application viewer. In some cases, most of your forensic toolkits, such as NK, shown here, can go in and read a lot of these different file formats. For example, here I’m looking at the web cache for a particular Internet browser. This allows me to go into that and I can see what has been cached and what has been viewed by that user with that web browser by going through it. In addition to that, it will allow me to go through and look at lots of different pieces of information and create a timeline from it. These application viewers can allow you to go in and look for different types of applications and files, such as browser histories and cookies, examining contact databases, looking at email mailboxes, or even extracting histories of calls from VoIP software.
As I said, most forensic toolkits can view application usage and history. So if you’re using something like NK or FTK or even the Sleuth toolkit, they have this capability and it makes your job a lot easier. Another thing we have to consider in our analysis is prefetch files. Now, prefetch files are files that record the names of applications that have been run, as well as the date and time, the file path, the run count, and the DLLs that were used by the executable. This is a treasure trove of information for the cybersecurity analyst because if you can look at one of these prefetch files, you can find out a lot of information about what has been used.
These are a treasure trove of information for a cybersecurity analyst because these prefetch files have a lot of information about what has been done as you ran this executable. And so if you’re running some kind of a piece of malware, you can get a lot of information from these prefetch files as well. Now, in addition to those prefetch files, you also want to look at the Shim cache. Now, a Shim cache is an application usage cache that is stored as a registry key. This allows you to go in and use this as an artifact as you’re generating a timeline, and you’re trying to figure out exactly what happened when on a given system.
If you’re looking for the Shim cache, you can find it at HKLM system current control set control session manager. App compact cache app compact cache. Now, I know that’s really long and complicated. You do not need to memorize that location for the exam, but in the real world, it is something helpful and something you should be familiar with. The last one we want to talk about is the Amcache. Now, Amcache is an application usage cache that’s stored as a hive file, and you can find this on the C drive under the Windows directory ap compact program sam cache hve. Again, this is a hive file, and so it can’t be opened by the Red edit tool, but it can be inspected by different file system forensic tools like NK and FTK.
Unauthorized change or hardware. In this lesson we’re going to talk about unauthorized changes or unauthorized hardware because both of these can be an indicator of compromise. Now, when you’re dealing with an unauthorized change, this is any change has been made to a configuration file, software profile or even hardware without proper authorization or undergoing the change management process. For example, when I talked about software, software being installed by some user without permission, that is technically an unauthorized change. Unauthorized changes can occur to software or they can occur to hardware. Both of these are considered unauthorized changes. Now let’s take a really common example that I see all the time. Somebody takes a USB thumb drive, they plug it into their laptop.
That is an unauthorized change if it goes against your current policy. For example, the last couple of organizations I worked at, we did not allow USB thumb drives to be used because they are a huge infection vector that can bring a lot of malware into your systems. So if we saw somebody do that, that was something that would actually flag an alert on the system. It would reject that information from getting onto the system because of that. And we would actually send out security to go look at that machine and make sure nothing got onto it. The reason for this is because USB firmware can actually be reprogrammed to make that device look like it’s another device class. So for example, we block mass storage devices with the use of USBs. So if you plug in a USB thumb drive, it will not read from it because it realizes this is a USB thumb drive.
But if you’ve changed the firmware on it, you can actually make that USB drive to report as a keyboard or a human interface device. And so when you plug it in, it can actually start sending keystrokes to the operating system. This can actually be another infection vector that malware can use because instead of being able to copy a file over, it can send in those unauthorized keystrokes. For this reason, I recommend that you do not allow USB devices inside your organization, especially USB thumb drives. Most high security environments will ban this type of device and not allow them in the building. Now you may be saying Jason, that’s great, you can go ahead and ban devices, but people are still going to need them for certain use cases.
So what do you do then? Well, in those cases you want to have a process in place where you can scan them and verify that they’re clean first. The way I like to do this is to connect that suspect hardware device to a sandbox and analyze it first. This way we can prevent the number of people who are bringing USB devices into the building and any that are brought in, we can check, make sure there’s nothing malicious on them. This gives us a chance to actually analyze it and look at it. And by using a sandbox, if it is something that was bad, it’s not going to get into the rest of the network because it’s isolated in that sandbox. But again, the best policy here is to not allow those USB devices because they are a huge infection vector and something you should really be on the lookout for.
Persistence. The last type of indicator or compromise we need to talk about is persistence. Now persistence is important because persistence is the ability of a threat actor to maintain covert access to a target host or network. This means that they’ve gotten into your network and now they’re hanging in there. They’re not going to go anywhere and that’s what persistence is all about. Now, persistence is usually going to rely on modifying the registry or a system scheduled tasks and therefore you need to look in both of these areas as you’re trying to find any anomalies or any signs of persistence. Let’s go ahead and start with the Registry. Now first, what is the Registry? Well, the Registry is a hierarchical database that stores low level settings for Microsoft Windows inside that operating system and for the kernel itself, the device drivers, the services, the security accounts manager and the user interface, all of this is stored within the registry.
It’s essentially this big database of knowledge about the system and everything that happens to that system. Now, a Registry Viewer is a tool that can allow you to extract the Windows registry files from an image and then display them on. The analysis workstation. This way, as you’re doing your analysis you can see all the different things that were inside that registry and pull out the important pieces you need. If you’re dealing with something like NK or FTK for your forensics, you can actually look at the registry through those tools or extract the registry out and then open it inside a Registry Viewer. Now, Windows does have its own Registry Viewer built into it and this is actually called Reg Edit. But it does have a big disadvantage. This is because the built in Reg Edit tool doesn’t display the last modification time of a value by default. This way you won’t know when it was modified last.
And that’s a big indicator of compromise for you, is knowing when things happened and using that to build your timeline. So it’s not recommended that you use Reg Edit. Instead, you should use different tools. For example, you might want to use Reg Dump. This is a tool that dumps the contents of the registry into a text file with simple formatting so you can search for specific strings within that file using the find command. Now, you can also use grep to search the contents if you’re analyzing the contents of that on a Linux system. And so both of these are tools you can use. Now, all the way back in a plus you learned about Reg Edit. And you can see Reg Edit here on the screen, which is the registry editor. Inside of Reg Edit you have all the different hives of information.
And as you go down into those particular folders you’ll find the individual keys and those keys have data. So you can see here I have a Registry DNS, it’s a regular string. And then there is some kind of data that’s going to be filled into there as we’re editing that string. Now, as we go into Windows and you start looking at your registry, there are two types of auto run keys. And auto run keys are really important because these are the ones that attackers use to gain persistence. When you deal with auto run keys like Run and Run Once, they’re going to allow some kind of program or service to actually initialize when you turn on a system. If you’re using the Run auto Run key, this is going to initialize its values asynchronously when loading them from the registry.
Now, if you’re using Run Once, this is going to initialize its values in order when loading them from the registry. Now, what does that mean? What’s the difference here? Well, the difference is if I’m using Run, I can actually load up all those things in any order. But if I’m using Run Once, things are always going to happen in the same order and that can make for a better indicator, a compromise. Now, where can you find these keys inside the registry? Well, you can find them in four places. First HKLM software microsoft Windows current version run. Then you can find them in HKLM software. Microsoft Windows current version Run once. Also, you can find it in HKCU software Microsoft Windows current version Run. And finally, you can find it in HKCU software Microsoft Windows current version Run.
Once that’s a lot of information there. Do you have to memorize these for the exam? Well, not really, but in the real world, this is really important information. So keep it in mind and keep it in your notes. Now, as you go through these four areas and you look at the keys underneath each of them, you’re going to find different things that are located in these Run and Run Once folders. Now, as you look at these, remember these are things that are starting up when the system loads. So if you see something in there that doesn’t look right or you’re not sure what it is, do some research and figure it out, because attackers love to hide things in these keys because it’s going to give them persistence.
Now, another common tactic that’s used by Malware is to modify the registry entries for the system’s running drivers and services, and these are found in HKLM system current control set services. Again, this is another area you should be looking at when you’re trying to identify things that are hiding inside your registry. Malware may also attempt to change file associations for common executable files, things like exe bat and CMD files, also known as exec batcom and command files. Now, if you start seeing these type of changes, that’s going to happen inside the registry as well. There are file extension registry entries that are located in the following three places.
You can find them in H key, underscore Classes, underscore Root, under HKCR, or you can find it under H key software classes, or under HKCU software classes. Another area of the registry that you should be looking at is the registry entries for recently used files. These are usually stored in HKCU software. Microsoft Windows current version Explorer run mru. In this area, you’re going to find any of those recently used files, essentially recent documents or recent executables, and that will tell you what has recently been run before you had those indications of whatever malicious activity there were. Again, this can help you build your timeline and identify what things have been run in what order. Now, the last thing to consider with the registry is that you need to make sure you have a known good baseline.
By having this known good baseline of what the registry should look like, you can compare your known key values to their current values or to that configuration baseline. And this will help you to identify if tampering has occurred. There are special tools you can use for this, as well as just doing a simple comparison between the current version and the known good baseline version. And by doing that difference, you can see quickly any changes and identify if those are malicious. Now, the second way that an attacker can gain persistence is to use scheduling. Now on Windows, we have the Windows task scheduler. This is a tool that’s there to enable you to create new tasks to run at predefined times. And this is really helpful.
For instance, you might want to have every day at midnight a virus scan run, or every day at 03:00 A. m. , a backup of your computer. And Windows Task scheduler allows you to do that. But it can also enable an attacker to have some kind of persistence, because every day at 03:00 A. m. , something’s going to happen. So what you want to do is look through your tasks on the computer in your task scheduler and see what tasks are there. If there’s one you don’t understand or one that looks malicious, this could be something that is an indicator of compromise and a place that attackers go to maintain persistence. To look at the tasks on your system, simply open up your task scheduler. While you’re in there. You can actually go into that task and look at the history of every time it’s been run.
For example, here you can see the System Service Control Manager has been run, and it happens at a particular time on that event. And you can see that it’s run at a certain time. And under history, you can see all the times it’s been run. So if you’re going back and trying to recreate that timeline and figure out what bad things have happened, and if you find persistence was being used by this task scheduler, you can go in that history and find out exactly when it happened and what happened. Now, task scheduler may be able to capture the history of non system services as well, like Malware that’s installing itself as its own service. So it is a great place to look as you’re doing analysis on a victim machine to figure out if there’s been persistence that has been on that machine and what things have been happening.
Now, that’s great if you’re using a Windows system, but what if you’re using a Linux system? Well, there is no Windows task scheduler on Linux, but there is Cron Tab. Cron tab is a tool that manages cron jobs. And Cron jobs are essentially the Windows equivalent of scheduled tasks. By using Cron Tab, you can actually list out all their current jobs. You do this by using Cron Tab l. This command is going to show you the current Cron jobs that are scheduled to occur. By doing this, you can see if there’s any persistence being used as part of a Cron job that may be running every day at a certain time. Now, let’s talk about the exam for a second. We talked a lot about specific registry keys that you should be searching for.
We talked a lot about in depth things in this lesson. Now, do you need to know these and memorize these for the exam? Well, no, you don’t. But you should be familiar with looking at the registry and analyzing it and using these keys as your starting point in the real world for your job as a cybersecurity analyst. These are important things that you should put down in your playbook, things that you’re going to be looking for as a cybersecurity analyst. But for the exam, you don’t need to know all this in depth. Instead, you need to know that there are two main ways that persistence happens.
One is through the registry and the other is through schedule tasks. The other thing you need to know in terms of the registry is the difference between run and run once. And when you see those two things, remember they’re associated with persistence run. It’s going to run those tasks asynchronously in any order run once, they’re going to run in the specific order. Keep that in mind and you should do a great on the exam.
Popular posts
Recent Posts