Basic Windows Intrusion Detection and Forensics
Ian Brill
ITC Micro Systems
Start with the obvious: Are you actually hacked?
1. Look for recently modified or accessed files (Start | Search; afind, hfind)
When an intruder copies files onto your computer, the file modified timestamp is changed. A skilled attacker may reset these stamps, but most won’t bother.
You may find some OS files as a result of hotfixes, but you will usually recognize files that don’t belong. They may be named the same as normal OS files, but will be in the wrong location. Look carefully, because these can be hidden in plain sight, e.g., c:\winnt\system32\EXPLORER.EXE. Two things are wrong here: the file is in system32 instead of \winnt, where it belongs, and the file name is in all caps, which it normally isn’t. In addition, these files will not be the same size as the legitimate files.
Tools:
· Built-in search function (Start | Search). Search for executables that were modified in the last week.
· Afind.exe: Foundstone tool that looks for files accessed within a specified timeframe
· Hfind.exe: Foundstone tool that finds files with the hidden attribute set and displays their last access times
2. Look for open ports that don’t belong (netstat -an, fport, nmap)
This requires some knowledge of which ports should be open, but if you run these tools on a freshly built machine, you should have a good idea of what should and shouldn’t be open. Lists of common port assignments are readily available through Google, as well.
Even if you didn’t find recently modified files, finding odd ports listening is often a dead giveaway. Even better, you can match those ports to the program doing the listening to find out if they are legitimate or not. Note that backup agents tend to listen on suspiciously high ports.
Tools:
· Netstat -an: Typing “netstat -an” at a command prompt gives you a list of all the ports listening on your machine, divided into TCP and UDP sections. You will often see many ports listed, but only the ports with the local IP address listed in the “Local Address” column are actually listening. If the target machine is compromised and the intruder is actively connected, you should see their IP address listed with a state of “Established”.
· Fport.exe: A great tool from Foundstone that maps processes to ports. It allows you to determine which executable is listening on what port(s).
· Nmap: Free portscanner from insecure.org. Must be run from another machine. Looks for open ports on the target machine and makes a guess at what service may be using the open ports.
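An added example, not from the original notes: a small parser for the “netstat -an” output described above that separates what is really listening (TCP LISTENING entries and every bound UDP socket) from connection leftovers, compares it with a baseline taken on a freshly built machine, and pulls out any ESTABLISHED session with its foreign address. The netstat text and the baseline port set are constructed samples, not output from a real host.

```python
import re

# Constructed sample of "netstat -an" output in the Windows 2000 layout.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:31337     203.0.113.7:4412       ESTABLISHED
  TCP    192.168.1.10:1043      192.168.1.20:445       TIME_WAIT
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.10:137       *:*
"""

# Assumed baseline: (proto, port) pairs that were listening on a clean build.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 135), ("UDP", 137)}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, foreign, state = m.groups()
            rows.append((proto, lip, int(lport), foreign, state or ""))
    return rows

def listening_ports(rows):
    """TCP sockets in LISTENING state plus every bound UDP socket (UDP has no state)."""
    return {(p, port) for p, _ip, port, _f, st in rows
            if (p == "TCP" and st == "LISTENING") or p == "UDP"}

def unexpected_listeners(rows, baseline=BASELINE):
    """Listeners that were not present on the clean baseline; the ones to chase with fport."""
    return sorted(listening_ports(rows) - baseline)

def established_foreign(rows):
    """Live TCP sessions: the foreign address is whoever is connected right now."""
    return [(port, foreign) for p, _ip, port, foreign, st in rows
            if p == "TCP" and st == "ESTABLISHED"]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("Unexpected listeners:", unexpected_listeners(rows))
    print("Established connections:", established_foreign(rows))
```

On a real machine, feed it the saved text of “netstat -an” and a baseline captured from the same build before it went into service.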
3. Look for odd processes (Process Explorer, sc)
Knowing what processes and services are running on the target machine is key to determining if a machine is hacked or not. It is possible to hide a process from Task Manager, so other tools are needed to make sure all are being seen.
Note: Look carefully! Malicious processes are often misspelled or named something that seems like it could belong but doesn’t, such as “taskmngr” instead of the correct “taskmgr”. Also watch out for properly named processes running from the wrong location.
Tools:
· Procexp.exe: Process Explorer from Sysinternals. A free tool that shows you every process running on a machine, what resources they are using, and what .exe’s and .dll’s are involved.
· Sc.exe: A Resource Kit tool that allows you to query and control services on a machine.
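An added example, not from the original notes, covering both the file checks in step 1 and the process checks in step 3: it screens a list of observed executables (from a file search or a Process Explorer listing) against a small table of where the legitimate OS binaries live, and flags a correctly named file in the wrong directory, an all-caps twin, a size that does not match, and look-alike names such as “taskmngr”. The expected-location table, the sizes and the observed entries are constructed for illustration; real sizes vary per build and service pack.

```python
import ntpath

# Assumed table: canonical name -> (expected directory, expected size in bytes).
EXPECTED = {
    "explorer.exe": (r"c:\winnt", 243_000),
    "taskmgr.exe": (r"c:\winnt\system32", 93_000),
    "svchost.exe": (r"c:\winnt\system32", 8_000),
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names like taskmngr."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(path, size, expected=EXPECTED):
    """Findings for one observed executable; an empty list means it looks normal."""
    directory, name = ntpath.split(path)
    canon = name.lower()
    findings = []
    if canon in expected:
        exp_dir, exp_size = expected[canon]
        if directory.lower() != exp_dir.lower():
            findings.append(f"wrong location: expected {exp_dir}")
        if name != canon:
            findings.append("name case differs from the normal OS file")
        if size != exp_size:
            findings.append(f"size {size} differs from expected {exp_size}")
    else:
        for known in expected:
            if edit_distance(canon, known) <= 2:
                findings.append(f"look-alike of {known}")
    return findings

def screen_all(observed, expected=EXPECTED):
    """observed: iterable of (path, size); returns {path: findings} for suspects only."""
    report = {}
    for path, size in observed:
        hits = screen(path, size, expected)
        if hits:
            report[path] = hits
    return report

# Constructed sample: what a file search or Process Explorer listing might show.
SAMPLE = [(r"c:\winnt\explorer.exe", 243_000),
          (r"c:\winnt\system32\EXPLORER.EXE", 51_200),
          (r"c:\winnt\system32\taskmngr.exe", 40_960)]
```

Running screen_all(SAMPLE) reports the system32 EXPLORER.EXE (wrong directory, wrong case, wrong size) and taskmngr.exe (look-alike of taskmgr.exe) and stays silent on the legitimate explorer.exe.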
4. Antivirus scan
A thorough antivirus scan can sometimes detect hacker tools. It is especially useful for common worms and viruses.
Ok, it looks like I got hit. Now what?
5. Questions you will need to answer:
a. How important is it that you know who did it? Are there legal implications to the intrusion?
This dictates the extent of your forensic work.
While we’d all love to drag the offender into court, this simply isn’t feasible most of the time. If the machine had sensitive data on it, you should contact abuse@virginia.edu to get ITC and possibly the Police involved. You may need to preserve evidence.
In most cases, however, you will simply back up your data, reformat and rebuild.
b. Can we afford the downtime it will take to do good forensics?
i. If you don’t know how they got in, the answer is always YES. If they came in through a hole present in all your machines, then you have a much larger problem on your hands.
c. Do you know how they got in?
It is important to at least figure out how they got in, or the most likely avenue, to prevent it from happening again. If all of your servers are set up identically, this is not just important, it’s critical.
i. Once you figure out what the avenue was for the intrusion, procedures will need to be revised to ensure it does not happen again.
Figuring out what was done and how
6. Assuming you found recently modified executables that are listening on odd ports, you need to figure out how they got there. You (hopefully) already have some baseline knowledge of the system.
Nice things to know about the system you are looking at:
a. Security configuration?
i. Was the machine originally built to some sort of a standard?
ii. Did the user(s) change anything (that they will admit to)?
b. Admin-level passwords
i. Length?
ii. Complexity?
c. Patches
i. Has it been patched recently?
ii. Is it missing any critical patches?
d. Other software running
i. Third-party web servers, Java servers, etc?
ii. SQL, MySQL, MSDE?
iii. IIS, FTP?
iv. Does any of this software have known vulnerabilities? (Bugtraq, NTBugtraq, ISS.net, etc.)
7. Check your logs, both system and others
a. Has auditing been enabled? File system auditing?
b. Are there any web or FTP logs on the system?
c. System, Application, Security logs? Have they been cleared? How long should they have been retaining data?
d. Old logs from backups
e. Some hacker tools even have logs which may be helpful
8. Examining unknown files
a. Use fport (from Foundstone) to determine if they are listening, and on what port
b. Use Bintext (also from Foundstone) or strings (from Sysinternals and elsewhere) to expose any text in the file
i. Sometimes files named *.exe or *.dll are actually plain text files, so this is a useful exercise.
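An added example, not from the original notes: a minimal “strings” pass of the kind BinText or Sysinternals strings performs, which pulls printable ASCII runs out of a file, plus the check for the case just mentioned, a *.exe or *.dll that is really plain text (a genuine Windows executable starts with the two-byte “MZ” DOS header). Both sample byte strings are constructed.

```python
import re

def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len characters, like strings/BinText."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]

def looks_like_pe(data):
    """True if the file starts with the 'MZ' DOS header every Windows .exe/.dll carries."""
    return data[:2] == b"MZ"

def is_plain_text(data, threshold=0.95):
    """True if nearly every byte is printable ASCII or whitespace (a script, not a binary)."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b <= 0x7e or b in b"\r\n\t")
    return printable / len(data) >= threshold

def triage(name, data):
    """Summarise one unknown file: header present, text-only, and the strings inside it."""
    return {
        "name": name,
        "pe_header": looks_like_pe(data),
        "plain_text": is_plain_text(data),
        "strings": extract_strings(data),
    }

# Constructed samples: a stub that looks like a PE file, and a batch script named as a DLL.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 12 + b"cmd.exe\x00\x01\x02settings.ini\x00"
FAKE_DLL = b"@echo off\r\necho this file is not a library\r\n"

if __name__ == "__main__":
    for name, blob in (("unknown.exe", FAKE_EXE), ("unknown.dll", FAKE_DLL)):
        print(triage(name, blob))
```

For a real file, read it with open(path, "rb") and pass the bytes to triage(); a “.dll” that reports plain_text=True and pe_header=False is exactly the masquerade described above.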
9. Last logons: Security log
a. You can use Ntlast (from Foundstone) to look for the last logon for a particular account
10. Look for hidden files (streams, hidden attribute)
Streams are supposed to house additional attributes of a file, but can be used to house entire files.
a. Use Attrib (comes with the OS) to find files with their hidden attribute set, or simply set Explorer to display all files.
b. Use Sfind (from Foundstone) to search the file system for files with hidden streams.
c. If you find files with hidden streams, you can “un-stream” them with the cp.exe tool from the Resource Kit. Keep in mind that any file on a file system that had Apple Filing Protocol (AFP) turned on will have an alternate stream contained within. However, these are easy to spot because they display as “<filename>:AFP_AfpInfo Size: 60”.
References
Windows 2000 Resource Kit
Further