Windows 10 forensics of Investigating and Analyzing Malicious Code:561898

Question:

Need to research on one of the following topic : Windows 10 Forensics, Database Forensics & P2P (Preferred)

Windows 10 Forensics, Windows 8 Forensics, MYOB Forensics, P2P Network Forensics (Possession and Distribution), Database Forensics(MYOB,MYSQL,PostgreSQL,Oracle).

 

-Report outline

– A definitive name of the topic

– The object of the examination

– The primary task undertaken

Final report

– Background

– Instructions from the client for the forensic examination

– Chain of Custody max 1 page

– Brief of evidence max 1 page

– Forensic examination report

-Finding

-Procedure

-Conclusions

– References

– Appendixes

Answer:

Name of the topic: Windows 10 forensics and its linkage across different functions of business. Situation is about ABC Corporation which is having all its systems based out of Windows 10 operating system. The website of the company was recently hacked and lot of customer related information was stolen. The server of the company is also based out of windows network. We are responsible for investigation and see what all went wrong with the company’s server.

Object of the examination: Recent customer data stolen after hacking website.

Primary task: To evaluate the systems and provide information about the Windows 10 based forensics

Instructions from the crime scene

  • Windows 10 attackers are shifting to website attacks to evade traditional defenses. Security and risk management leaders tasked with protecting Windows endpoints must understand how endpoint protection platform solutions exploit mitigations and application controls protect against attacks.
  • As EPP matured to rely less on signatures and more on behavioral and analytical detection, Windows 10 based forensics authors needed to find an alternative to deploying executable files to disk.
  • With traditional Windows 10 based forensics, the attacker needs to execute malicious software on a device and gain persistence by delivering a file or files to the local disk.
  • When the attacker’s malicious file is written, or loaded into memory, the installed EPP’s Windows 10 based forensics detection engine analyzes the file and decides whether it knows the file is bad.
  • If the malicious file is matched to a known bad file — for example, by AV signature, sandbox analysis, file prevalence data or an algorithmic classification — the EPP will remove or quarantine that file to stop it from executing. Similarly, application control solutions prevent infections by blocking the execution of unapproved processes.

Evidence Extraction

Forward-thinking enterprises are investing heavily in tools that detect Windows 10 based forensics and targeted attacks, such as network sandboxing and network traffic analysis, but detection is only part of the solution.

Both approaches are valid, but both have their drawbacks. The biggest obstacle to the endpoint approach is the requirement to install agents on every endpoint. The biggest obstacles to the network approach are the expense of storing packet information and the fact that they require skill levels that exceed those of typical security operations centers’ analysts.

How evidence was extracted from the victim situation?

EventTracker Security Center is available as software, with licensing based on the number of event sources. We implemented EventTracker at windows 10 server to see what happened. Standard components include correlation, alerting, behavior analysis, reporting, dashboards, and a large number of event source knowledge packs. Options include IDS, vulnerability assessment, configuration assessment, change audit FIM, NTOP NG, third-party threat intelligence feeds and the Analyst DataMart. Service offerings include annual subscriptions aligned to “Run,” “Watch,” “Tune” and “Comply” activities performed on schedules ranging from daily to weekly. Collection from and deployment in AWS and Azure are natively supported.

Real-Time Monitoring

EventTracker ships with approximately 900 preconfigured real-time alert rules, 100 correlation rules and 14 behavioral rules and provides a wizard to enable users to create new rules. A user-extensible event taxonomy can be modified by users via the portal.

Incident Response and Management

The portal supports a dashboard that enables drill-down into events, with access to context, such as embedded threat intelligence and NetFlow available via separate look-ups or queries. Incident documentation and collaboration is handled via an EventTracker Logbook, modeled on the SANS Incident Handlers Handbook. There are integrations available with Service Now, Remedy, Zendesk and other ticketing systems.

Advanced Threat Defense

EventTracker provides Windows-centric, minimalistic advanced threat defense features. EventTracker’s Windows agent provides endpoint process detection, process termination, system shutdown and whitelisting, and the included IDS provides signature-based network alerting. An integration with NTOPNG provided flow and packet analysis. Integrations with other third-party advanced threat detection/response technologies are not available out of the box.

Business Context and Security Intel

EventTracker includes an open-source-based VA tool for network vulnerability and configuration data. Other asset data can be imported from MS Excel format. Open-source threat intelligence feeds are provided out of the box, and commercial feeds can be integrated into EventTracker. Threat intelligence feeds and threat sharing formats, such as STIX and YARA, are not supported.

User Monitoring

Support for Active Directory and Novell e-Directory monitoring includes real-time alerting for specific events, plus user-activity-related reports. Basic behavioral-monitoring capabilities, such as location affinity and threshold violations, are supported.

Data and Application Monitoring

There are no integrations with DLP products. USB monitoring and control is available with the Windows agent. FIM is supported with the optional Change Audit component. Database monitoring requires a professional services engagement. Application monitoring for infrastructure or business applications is focused on those that are relevant to SMBs. There is no integration capability for ERP systems.

Advanced Analytics

EventTracker does not provide advanced prescriptive analytics or integrations with big data platforms. Basic analytics such as threshold violations are supported, and an SQL-based data mart is available for searching historical data.

Deployment and Support Simplicity

EventTracker is easy to deploy and maintain, with compliance and use-case-specific knowledge packs that provide prebuilt alerts, correlation rules and report templates. EventTracker provides standard configurations for Windows-based deployment, including out-of-the-box correlation rules, alerts and reports. Windows agents can be centrally deployed and managed via templates.

Chain of Custody

Modern website attacks do not write files to disk or load new processes into memory. Instead, the payload is injected into the memory space of an existing application, or a script is run in an approved application, such as Office or PowerShell. This presents a significant problem, because traditional file-based prevention and detection techniques require a file to analyze. Even so-called “next generation” Windows 10 based forensics detection products may not detect these attacks until after the payload executes successfully.

Analysis: Understanding the Rise of Server Windows 10

The earliest known attack that used a completely website, in-memory approach was Duqu 2.0 in 2012, which targeted Kaspersky. This attack used a vulnerability in Microsoft Word to compromise the patient zero and deploy an in-memory remote backdoor. The attack was then able to remotely deploy the full in-memory espionage platform, which allowed privilege escalation, lateral movement and data exfiltration.

In December 2016, Proofpoint reported multiple attack campaigns using website deployment of a relatively new Windows 10 based forensics called “August,” which involved Microsoft Word macros and Microsoft PowerShell. August targets user account credentials and sensitive documents. The macro itself uses evasion techniques to hide its purpose, and deploys the Windows 10 based forensics via PowerShell from a remote C&C server. All this occurs after the end user has agreed to enable macros when the attachment is opened. This example describes a website attack. Despite writing a Microsoft Word document to disk, the payload used by PowerShell is performed in memory.

Discovered earlier in 2016, “PowerWare” is an attack similar to August, in that it used Microsoft PowerShell by way of a Microsoft Word macro. Instead of stealing credentials and files, PowerWare is a ransomware variant using a website attack through valid tools. Initially, the end user is encouraged to enable editing and enable content within Microsoft Word, at which time the active portion of the Word document spawns two PowerShell instances. The first instance of PowerShell is used to download a text file containing a script (a plain text file, not a PE file). Then, the second takes the contents of the text file and executes the script to generate encryption keys. Next, it sends the keys to a remote server and begins to encrypt all the files on the file system — in other words, a ransomware attack is successfully deployed using common administrative tools. This demonstrates just how effective PowerShell can be when used for malicious purposes, and how important it is to control its use.

Attacks must be made as persistent as possible, as quickly as possible, with some attacks storing Windows 10 based forensics binaries in the registry to be reloaded if the device shuts down. By storing binaries in the registry, the Windows 10 based forensics is using another website approach. These types of attacks, such as Poweliks and Kovter, are not new; however, their methods demonstrate how traditional, file-based Windows 10 based forensics detection can be evaded.

To prevent these types of attacks against the applications themselves, they must be protected against exploitation. This protection can be achieved through vulnerability and patch management, process and application isolation, exploit mitigation tools, or vulnerability shielding

Brief of evidence

Although tens of millions of new Windows 10 based forensics versions are introduced every year, there are still a relatively small number of exploit kits. The number of vulnerabilities the exploit kits actually exploit tends to be small too. However, exploit kits do provide the delivery mechanism for a great deal of Windows 10 based forensics. Implementing security hygiene measures — such as vulnerability and patch management, system hardening and network segmentation, and web and email content filtering — is an effective measure to prevent a large percentage of Windows 10 based forensics attacks, including website infections.

Options for Endpoint-Based Exploit Mitigation

Exploiting a vulnerability in an application almost always involves the manipulation of RAM to be able to inject code onto the memory stack and redirect the application to inadvertently execute the malicious code. There are many detailed investigations in these methods, and the interested reader may consider further education on arbitrary code execution, buffer overflow, code injection and heap-spraying attack methods.

Exploit mitigation software aims to stop malicious code from running in memory and, thus, make it more difficult for attackers to exploit software vulnerabilities. It does so by protecting the memory allocated to a process or application. It does not necessarily block the attacker from putting the malicious code into memory; it can also use techniques to prevent the code from being executed.

Microsoft provides an Enhanced Mitigation Experience Toolkit (EMET), which is a collection of protection elements used to harden Windows device by enforcing the mitigations on all applications, regardless of whether the application developer opted in. The mitigations it provides should be used as the baseline for basic exploit mitigation capabilities.

Microsoft EMET is a free tool that was originally released in 2009. By Microsoft’s own admission, EMET has not evolved along with the Windows 10 platform. EMET is not easy to manage and set up, and it does not provide reporting to demonstrate its effectiveness. EMET will become end of life on 31 July 2018. However, most of the mitigations are now included in the Windows 10 OS Creators Update, and Microsoft has committed to close the gap in future updates. Microsoft recommends that organizations that rely on EMET migrate to Windows 10.

For organizations that are not ready for a widespread migration to Windows 10, almost all EPP vendors provide a basic level of exploit mitigation, but few vendors disclose which approaches they use — citing the risk of exposing their client base to dedicated attacks. An EPP’s exploit mitigation technology is likely to have been included in a recent update. Organizations running versions of an EPP that are more than 18 months old should upgrade to the latest version.

Findings

Although exploit mitigation generically defends against the techniques used to exploit applications, vulnerability shielding (also known as virtual patching) mitigates specific, known vulnerabilities in applications. These mitigation measures should be temporary solutions, and should be used only to allow an organization time to remediate the vulnerability.

EPP solutions that include HIPS capabilities may provide similar virtual patching capabilities. HIPS signatures and rules can be used to detect and prevent exploits before and during attacks, and may detect Windows 10 based forensics that has received a clean verdict from a file-based scan.

With agents on endpoints already, workflow-orientated EPP solutions should provide easy-to-read, action-oriented reports that list the vulnerabilities present across the organization. To be useful, the reports must show which Common Vulnerabilities and Exposures (CVEs) the EPP protects against, and should also show which CVEs have exploit code circulating in the wild. The severity level of the CVE should also be included to enable operations managers to prioritize patching activity.

Protecting Endpoints with Application Control

Many EPP solutions provide application control in the form of whitelist and blacklist enforcement, and the policy-driven control of application behavior. Some application control features in EPP solutions will allow organizations to build policies to describe prohibited application behavior. For example, preventing the Google Chrome browser from launching PowerShell.

To address the inflexibility of application control for unknown applications, some solutions are starting to implement application containment or isolation. These solutions protect against Windows 10 based forensics by keeping unknown processes separate from the rest of the OS. This approach is often used to reduce the risk of running unknown and untrusted applications without implementing a full default-deny environment. Solutions that implement isolation will often present virtual copies of the file system and registry, and will only replicate changes to the actual file system and registry once the application is trusted. More-advanced solutions will monitor behavior and activity for malicious activity to ensure that Windows 10 based forensics cannot compromise the endpoint device or data integrity. Some solutions will reset the protected endpoint to a known good state at regular intervals, and others do so when malicious activity is detected. Isolating the processes enables the solution to terminate a single process, without affecting the stability of the OS and other processes.

Application containment solutions are commonly deployed alongside an EPP solution, rather than considered a replacement for EPP.

The Windows 10 Forensics consulting market requires a specialized and skilled workforce. Analysts and consultants are trained in Windows 10 forensic examination and investigation skills to run tests, e-discovery and analysis of Windows 10 channels, memory, social media, cloud, endpoint systems, devices and applications in order to locate fraud and/or malicious, unethical, and illegal internal and external threat actors. For an investigation to take place, usually a person — or people — or an activity (such as a breach) of malicious intent is suspected and targeted at an enterprise. Forensic investigators must ensure that the evidence is collected following proper procedures, conduct a thorough examination, establish a chain of custody for evidence collection, and prepare for potential court proceedings. Thus, many established Windows 10 Forensics consulting firms have close relationships with legal firms.

HR forensic investigations play a significant role in this space, especially when an insider threat is the suspected cause for a breach. It is not uncommon for HR, with the help of Windows 10 Forensics consultants, to launch an investigation into IMs, printing jobs, application usage, emails sent and received, and website activities as a result of employees being suspected of malicious action (regardless if this action is intentional or not).

Incident response is also part of Windows 10 Forensics consulting. IR consultants have their own skill sets, such as hacking and threat hunting, and are the first to be alerted and to respond to an incident. Typically, many of these incidents impact the network and are Windows 10 based forensics-related. These incidents may or may not lead to a deeper forensic investigation to examine processes and/or devices. IR consultants may not have deep forensic expertise; but, increasingly, many IR consultants are trained in forensic investigation skills and are basically offering Windows 10 forensics and incident response (DFIR) — a term introduced by the SANS Institute to use forensic investigation techniques in network breaches — consulting services. In this report, Gartner will reference IR consultants as they play a vital role in the integrity of evidence gathering needed for forensic investigation.

Procedure

By 2018, one in three Windows 10 Forensics cases will fail to catch malicious adversaries because of Windows 10 forensic investigators’ lack of Windows 10 based forensics analysis expertise.

Most Windows 10 Forensics consultancies have the capabilities to help their clients through the entire life cycle of forensic triage and examination. Many full-service Windows 10 Forensics consultancies now include proactive remediation, crisis management and crisis communication services to support post breach incidents. Windows 10 Forensics is no longer limited to investigations into computers, devices and the network; it may also include tapping into Windows 10 channels, such as social media networks and cloud computing (for example, Stroz Friedberg provides these capabilities).

However, many Windows 10 Forensics consultants lack expertise in Windows 10 based forensics analysis (a key feature of security IR); they may have some skills, but not the scale required. To overcome this, many Windows 10 Forensics consultancies are working in partnerships with IR consulting experts (for example, Verizon and Deloitte) in order to provide complete investigations for their clients. In many high-profile breach cases today, it is not uncommon to find separate IR and Windows 10 Forensics consulting firms working together to investigate and remediate a problem for the client.

Evidence production for the attack

There are hundreds of IR consultancies in the marketplace, with varying levels of quality, pricing, services and focused expertise. If you choose to use an IR consultancy, ensure that it has forensic capabilities within the firm to ensure that the first responders are trained and have the knowledge to handle potential problematic incidents that can turn into deeper investigations. Hence, choose IR consultancies that have the depth of knowledge and experience in handling evidence and supporting court cases if needed. Windows 10 Forensics and IR consultancies aren’t simply responding to an alert; they require a forensic examiner mindset, one that ensures integrity, and proper handling of the data and output of the investigation.

 

 

Key Challenges

  • Server attacks commonly manipulate the memory stack and can achieve their malicious intent without dropping a portable, executable file, making file-based detection methods obsolete.
  • Server techniques are common in targeted attacks and as the first stage of Windows 10 based forensics infection for years; however, full attacks without executable Windows 10 based forensics are becoming more common.
  • Server attacks often pivot from memory exploits to PowerShell code that is not inspected by most EPP solutions.
  • Memory exploits often take advantage of known vulnerabilities; however, in most organizations, patch management is not aligned with the most commonly targeted vulnerabilities.
  • Many EPP solutions claim to protect against memory exploits and scripts, but most are vague on the details, making it hard for buyers to compare solutions.

Recommendations

Security and risk management leaders responsible for endpoint and mobile security should:

  • Evaluate incumbent EPP solutions for website attack and anti-exploit protection. Use the exploit mitigations provided in Microsoft Enhanced Mitigation Experience Toolkit as the baseline.
  • Focus on security hygiene and patch management, and use Microsoft EMET as temporary, tactical protection until it reaches end of life in 2018, if there’s no budget for additional solutions.
  • Limit the use of administrative tools like Microsoft PowerShell by restricting access through Windows Group Policy or Windows AppLocker. Log and monitor even approved use of Microsoft PowerShell to detect suspicious activity.
  • Use application control to prevent internet browsers and applications, such as Microsoft Office (Word, Excel, etc.), from spawning script interpreters (e.g., PowerShell, WMIC and Java).
  • Restrict what an application or process can access (e.g., files, registries or network resources) through application isolation, separating processes and applications from each other, and from the OS; this is especially true for lean-forward organizations

 

 

References:

  • Malin, C. H., Casey, E., & Aquilina, J. M. (2008).Windows 10 forensics: investigating and analyzing malicious code. Syngress.
  • Brand, M., Valli, C., & Woodward, A. (2010). Windows 10 Forensics: Discovery of the intent of Deception.The Journal of Digital Forensics, Security and Law: JDFSL5(4), 31
  • Davidoff, S., & Ham, J. (2012).Network forensics: tracking hackers through cyberspace (Vol. 2014). Upper Saddle River: Prentice hall
  • Casey, E. (2011).Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press
  • Malin, C. H., Casey, E., & Aquilina, J. M. (2011).Windows 10 Forensics Field Guide for Windows Systems: Digital Forensics Field Guides. Elsevier
  • Deng, Z., Xu, D., Zhang, X., & Jiang, X. (2012). Introlib: Efficient and transparent library call introspection for Windows 10 based forensics forensics.Digital Investigation9, S13-S23
  • Ruttenberg, B., Miles, C., Kellogg, L., Notani, V., Howard, M., LeDoux, C., … & Pfeffer, A. (2014, July). Identifying shared software components to support Windows 10 based forensics forensics. InInternational Conference on Detection of Intrusions and Windows 10, and Vulnerability Assessment (pp. 21-40). Springer International Publishing
  • Overton, M. (2008, October). Windows 10 forensics: detecting the unknown. In2008 Virus Bulletin conference
  • Li, J., Gu, D., & Luo, Y. (2012, June). Android Windows 10 based forensics forensics: Reconstruction of malicious events. InDistributed Computing Systems Workshops (ICDCSW), 2012 32nd International Conference on (pp. 552-558). IEEE.