Forensic investigators need a broad toolkit to identify, analyze and respond to intrusions. This post walks through several hunting techniques: Sysmon Event ID 1 (process creation), RDP logon hunting, phishing and maldoc detection, and spotting staged data exfiltration through the NTFS change journal, $UsnJrnl:$J.
1. Sysmon Event ID 1: Process Creation
Sysmon (System Monitor), part of the Sysinternals suite, writes process creation, network connections, changes to file creation time and other activity to the Windows event log. Of all its events, Event ID 1 (process creation) is the one investigators lean on most.
Why Sysmon Event ID 1?
Comprehensive Process Tracking: every process creation is logged with the image path, command line, hashes, user and the parent process (its image and command line), so parent/child chains can be rebuilt after the fact.
Enhanced Visibility: Shimcache, Amcache and SRUM record that a binary existed or ran, but not its command line or its parent. Where those artifacts are missing or ambiguous, Sysmon Event ID 1 fills the gap with a timestamped record of every process creation, provided Sysmon was installed before the activity took place.
Example Query: to find processes spawned by Office applications (the usual maldoc execution path), search process-creation events by parent image. The syntax is Lucene/Kibana style; process_parent_path holds the full path of the parent image, so every alternative needs a leading wildcard, not just the first one:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR *excel.exe OR *powerpnt.exe OR *mspub.exe OR *visio.exe)
2. Hunting RDP Activity: Remote Logon Events
Remote Desktop Protocol (RDP) is a common vector for unauthorized access. Monitoring RDP activities is crucial for identifying potential intrusions.
Focus on Logon Events
Event ID 4624: records successful logons on the target host. Filter on Logon Type 10 (RemoteInteractive) for RDP sessions. Two caveats: with Network Level Authentication enabled, a Logon Type 3 event from the same source precedes the Type 10, and reconnecting to an existing session is logged as Logon Type 7, so include Type 7 when hunting for resumed or hijacked sessions.
IP Address Filtering: the Source Network Address field gives the client IP. Investigate events whose source is not within the local 10.0.0.0/8 range or loopback (127.0.0.1, ::1), and extend the exclusion to 172.16.0.0/12, 192.168.0.0/16 and any other range your environment uses. A session from a routable address that is not a known VPN concentrator or jump host deserves a closer look. The field holds "-" when no address was recorded.
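The RDP filter above, as an added Python example (not code from the original post) run over constructed 4624 records. It keeps Type 10 logons whose source address is outside the internal ranges, treats "-" and IPv4-mapped IPv6 addresses correctly, and can optionally include Type 7 reconnects. The internal range list beyond 10.0.0.0/8 and loopback is an assumption about a typical environment.

```python
import ipaddress

# Address space treated as internal for this hunt. The post excludes 10.0.0.0/8 and
# 127.0.0.1; the other RFC 1918 blocks, link-local and IPv6 loopback are added here
# as an assumption about a typical environment. Edit to match your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10",
)]

# Constructed Security log records (not real data). Field names follow the 4624
# event XML: LogonType, TargetUserName, IpAddress, IpPort.
SAMPLE_LOGONS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",  "IpAddress": "203.0.113.45", "IpPort": "51522"},
    {"EventID": 4624, "LogonType": 3,  "TargetUserName": "alice",  "IpAddress": "203.0.113.45", "IpPort": "0"},      # NLA pre-auth
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "bob",    "IpAddress": "10.20.30.40",  "IpPort": "49700"},  # internal jump host
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_bk", "IpAddress": "-",            "IpPort": "-"},      # no address recorded
    {"EventID": 4624, "LogonType": 7,  "TargetUserName": "alice",  "IpAddress": "198.51.100.7", "IpPort": "50120"},  # reconnect / unlock
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",  "IpAddress": "198.51.100.9", "IpPort": "3389"},   # failed, not 4624
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "carol",  "IpAddress": "::ffff:198.51.100.9", "IpPort": "3389"},  # IPv4-mapped
]


def is_external(addr):
    """True for a routable source address; '-', loopback and the internal ranges are not."""
    if addr in ("", "-"):
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hostname or garbage in the field
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped     # treat ::ffff:a.b.c.d as a.b.c.d
    return not any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events, logon_types=(10,)):
    """Successful logons of the given types from outside the internal ranges.
    Pass logon_types=(10, 7) to also include session reconnects."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e.get("EventID") == 4624
        and e.get("LogonType") in logon_types
        and is_external(e.get("IpAddress", ""))
    ]


if __name__ == "__main__":
    for user, src in external_rdp_logons(SAMPLE_LOGONS, logon_types=(10, 7)):
        print(f"{user:<8} from {src}")
```

The NLA Type 3 record is deliberately left out of the result: it carries the same source address as the Type 10 that follows it and would only duplicate the hit.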
3. Identifying Infection Vectors: Phishing and Maldoc Hunting
Phishing remains the most common initial access vector. The lure is usually a malicious document (maldoc) whose macro, embedded object or external link runs the real payload.
Detecting Phishing and Maldocs
Office Applications as Parent Processes: Word, Excel and the other Office hosts have little legitimate reason to spawn cmd.exe, powershell.exe, wscript.exe, mshta.exe or rundll32.exe. A child process of an Office application is one of the most reliable signs that a maldoc was opened and its content enabled.
Example Query (each alternative needs its own leading wildcard because the field holds the full parent path):
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR *excel.exe OR *powerpnt.exe OR *mspub.exe OR *visio.exe)
ZIP Files Accessed in Windows: ZIP attachments are a popular wrapper because they hide the payload from mail filters. When a user double-clicks a file inside a ZIP in Explorer's compressed-folder view, Explorer extracts that file to %LOCALAPPDATA%\Temp\Temp1_<archive name>\ and launches it from there, so a Temp1_ path in a process or parent command line tells you the payload was run straight out of an archive.
Example Query (the quoted clause is a phrase match whose behaviour depends on the field's analyzer; the .keyword wildcard clause is what actually enforces the Temp1_ pattern):
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_command_line:"appdata\\local\\temp\\temp1_*" AND process_parent_command_line.keyword:*temp1_*
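Both Sysmon Event ID 1 hunts from section 1 and this section (Office application as parent, Temp1_ extraction path in the command line) as one added Python example, not code from the original post, run over constructed process-creation records. Field names follow Sysmon's own schema (Image, ParentImage, CommandLine, ParentCommandLine) rather than the SIEM names used in the queries; the sample events are invented.

```python
import ntpath
import re

# Office hosts that should almost never spawn a shell, script host or LOLBin.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe"}

# Explorer's compressed-folder handler extracts a file opened from inside a ZIP to
# %LOCALAPPDATA%\Temp\Temp1_<archive name>\ and launches it from there.
TEMP1_RE = re.compile(r"\\appdata\\local\\temp\\temp1_", re.IGNORECASE)

# Constructed Sysmon Event ID 1 records (not real telemetry). Field names follow
# Sysmon's own schema; a SIEM will rename them (e.g. process_parent_path).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_order.zip\order.js"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_order.zip\order.js"'},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\Documents\budget.xlsx"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "203.0.113.10"},   # network event: wrong ID, must be ignored
]


def parent_is_office(event):
    """Match on the parent's file name, not the full path, so every Office host is
    caught regardless of install directory (the query form needs a leading * per term)."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return event.get("EventID") == 1 and parent in OFFICE_PARENTS


def launched_from_zip_temp(event):
    """True when the process itself, or its parent, was started out of a Temp1_ folder."""
    if event.get("EventID") != 1:
        return False
    return any(TEMP1_RE.search(event.get(field, "")) for field in ("CommandLine", "ParentCommandLine"))


def hunt(events):
    """Return (child image name, reasons) for every event that trips either rule."""
    hits = []
    for ev in events:
        reasons = []
        if parent_is_office(ev):
            reasons.append("office-parent")
        if launched_from_zip_temp(ev):
            reasons.append("zip-temp1")
        if reasons:
            hits.append((ntpath.basename(ev["Image"]).lower(), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image:<12} {', '.join(reasons)}")
```

The second rule checks both CommandLine and ParentCommandLine on purpose: the script host launched by Explorer carries the Temp1_ path in its own command line, while anything that script spawns carries it in the parent's, and you want both generations.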
4. Data Exfiltration Detection: $UsnJrnl:$J and ZIP Files
Detecting staging for exfiltration is a recurring challenge. Attackers usually compress the collected data into a ZIP (or RAR/7z) archive before moving it out, then delete the archive. The NTFS change journal, $Extend\$UsnJrnl with its $J data stream (the Update Sequence Number journal), records every create, write, rename and delete on the volume with a timestamp and file name, and those records survive the deletion of the file itself.
Using MFTECmd to Analyze $UsnJrnl:$J
Identifying ZIP Files: $J is locked on a live system, so extract it from an image or with a raw-access collector such as KAPE, then parse it with MFTECmd (MFTECmd.exe -f <extracted $J> -m <matching $MFT> --csv <output directory>; the -m switch lets MFTECmd resolve the ParentPath column). Filtering the resulting CSV on the Extension column lists every ZIP that was created, written or deleted while the journal covers.
Example PowerShell Command (? is the alias for Where-Object; Extension is a column of MFTECmd's $J CSV):
$usnzip = Import-Csv -Path 'C:\Users\noransom\Desktop\.csv' | ? Extension -eq '.zip'
Detecting Deleted ZIP Files: attackers delete the archive after exfiltration to cover their tracks. The file is gone from the live file system, but its FileCreate, DataExtend and FileDelete records remain in $J until the journal wraps (days to weeks on a busy volume), giving you the file name, parent path and the exact time of deletion.
Example PowerShell Command:
$deleted = $usnzip | ? UpdateReasons -like '*Delete*'
$deleted | Format-Table -Property Extension,Name,ParentPath,UpdateReasons,UpdateTimestamp -AutoSize
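The same $J analysis as an added Python example (not code from the original post) over a constructed excerpt in the shape of MFTECmd's $J CSV. It goes one step beyond the PowerShell filter: records are grouped per file on (EntryNumber, SequenceNumber), the pair that identifies one incarnation of an MFT record, so each ZIP is reported once with its creation, last write and deletion times. The column names are MFTECmd's; the rows, and the assumption that reason flags are joined with "|", are mine.

```python
import csv
import io

# Constructed excerpt in the shape of MFTECmd's $J CSV (column names as MFTECmd writes
# them; the rows are invented). MFTECmd prefixes resolved parent paths with ".\".
USN_CSV = r"""Name,Extension,EntryNumber,SequenceNumber,ParentPath,UpdateTimestamp,UpdateReasons
staging.zip,.zip,58112,3,.\Users\alice\AppData\Local\Temp,2024-03-01 09:14:02.1180000,FileCreate
staging.zip,.zip,58112,3,.\Users\alice\AppData\Local\Temp,2024-03-01 09:14:31.5590000,DataExtend|FileCreate
staging.zip,.zip,58112,3,.\Users\alice\AppData\Local\Temp,2024-03-01 09:14:31.5600000,DataExtend|FileCreate|Close
report.docx,.docx,58113,1,.\Users\alice\Documents,2024-03-01 09:30:00.0000000,FileCreate|Close
staging.zip,.zip,58112,3,.\Users\alice\AppData\Local\Temp,2024-03-01 09:22:47.0020000,FileDelete|Close
archive.zip,.zip,58114,2,.\Users\alice\Downloads,2024-03-01 10:01:15.0000000,FileCreate|Close
"""

# Reason flags that mean the file's data stream was written (assumed flag names).
WRITE_REASONS = {"DataExtend", "DataOverwrite", "DataTruncation"}


def load_usn(text):
    """Parse the CSV and sort by journal timestamp so lifecycle order is reliable."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["UpdateTimestamp"])
    return rows


def zip_records(rows):
    # Equivalent of: Import-Csv ... | ? Extension -eq '.zip'
    return [r for r in rows if r["Extension"].lower() == ".zip"]


def zip_lifecycle(rows):
    """Collapse the per-change records of each ZIP into one summary keyed by
    (EntryNumber, SequenceNumber), so a later file that reuses the same MFT entry
    number is not confused with the deleted one."""
    files = {}
    for r in zip_records(rows):
        key = (r["EntryNumber"], r["SequenceNumber"])
        f = files.setdefault(key, {"name": r["Name"], "parent": r["ParentPath"],
                                   "created": None, "last_write": None, "deleted": None})
        reasons = set(r["UpdateReasons"].split("|"))   # assumed "|" separator
        ts = r["UpdateTimestamp"]
        if "FileCreate" in reasons and f["created"] is None:
            f["created"] = ts
        if reasons & WRITE_REASONS:
            f["last_write"] = ts
        if "FileDelete" in reasons:
            f["deleted"] = ts
    return files


def deleted_zips(rows):
    # Equivalent of: $usnzip | ? UpdateReasons -like '*Delete*', but one line per file.
    return [f for f in zip_lifecycle(rows).values() if f["deleted"]]


if __name__ == "__main__":
    for f in deleted_zips(load_usn(USN_CSV)):
        print(f"{f['parent']}\\{f['name']}: created {f['created']}, "
              f"last written {f['last_write']}, deleted {f['deleted']}")
```

The gap between last_write and deleted is the window in which the archive existed on disk; correlate it with outbound network connections (Sysmon Event ID 3) or cloud-upload process activity in that interval.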
5. Additional Techniques for Enhanced Threat Hunting
Credential Reads: Security Event ID 5379 ("Credential Manager credentials were read") fires when a process reads a stored credential. Explorer keeps the password of an encrypted ZIP in Credential Manager under a target name beginning Microsoft_Windows_Shell_ZipFolder, so a 5379 with that target means a user opened a password-protected archive through Explorer, a classic way of getting a payload past mail scanning.
Example Query:
source_name:"Microsoft-Windows-Security-Auditing" AND event_id:5379 AND credentials_read:Microsoft_Windows_Shell_ZipFolder*
Outlook Content and Downloads: when a user opens or previews an attachment, Outlook writes it to its cache at %LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.Outlook\<random>\. Sysmon Event ID 11 (FileCreate) on that path shows which attachments were actually opened, and the file name ties the attachment to any later process or Temp1_ activity.
Example Query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:11) AND file_name:"microsoft\\windows\\inetcache\\content.outlook\\*"
Reviewing the Trust Center: when a user clicks Enable Editing or Enable Content on a document, Office records it under HKCU\Software\Microsoft\Office\<version>\<application>\Security\Trusted Documents\TrustRecords, using the document path as the value name. Sysmon Event ID 13 (RegistryEvent, value set) on that key therefore tells you which document the user trusted and when, which usually marks the moment a macro was allowed to run.
Example Query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:13) AND registry_key_path:("Trusted Documents" OR "TrustRecords")
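The three artifacts in this section as one added Python example, not code from the original post, run over constructed events. Rather than only matching, it pulls the useful specifics out of each record: the attachment name from the Content.Outlook FileCreate, the archive path from the 5379 target name, and the application, version and document path from the TrustRecords value written by Sysmon Event ID 13. The sample events are invented, and the ":filename=" form of the ZipFolder target is an assumption about how Explorer names the entry.

```python
import ntpath
import re

# Explorer stores the password of an encrypted ZIP in Credential Manager under this
# target prefix (the ":filename=" suffix is assumed); reading it back raises 5379.
ZIPFOLDER_PREFIX = "Microsoft_Windows_Shell_ZipFolder:filename="

# Sysmon 13 TargetObject for a TrustRecords write. The value name is the trusted
# document, written as a path with forward slashes and %USERPROFILE% unexpanded.
TRUST_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<version>[\d.]+)\\(?P<app>[^\\]+)"
    r"\\Security\\Trusted Documents\\TrustRecords\\(?P<doc>.+)$",
    re.IGNORECASE,
)

# Constructed events (not real telemetry). Field names: Security 5379 -> TargetName;
# Sysmon 13 -> TargetObject; Sysmon 11 -> TargetFilename.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2C3D4\invoice.zip"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Downloads\holiday.pdf"},
    {"EventID": 5379, "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2C3D4\invoice.zip"},
    {"EventID": 5379, "TargetName": "WindowsLive:target=virtualapp/didlogical"},   # routine noise
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/AppData/Local/Temp/Temp1_invoice.zip/invoice.docm"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Options\LastUILang"},
]


def outlook_attachment_drops(events):
    """Sysmon 11 (FileCreate) under Content.Outlook: attachments the user opened from Outlook."""
    return [ntpath.basename(e["TargetFilename"]) for e in events
            if e.get("EventID") == 11
            and "\\inetcache\\content.outlook\\" in e.get("TargetFilename", "").lower()]


def zip_password_reads(events):
    """5379 entries whose Credential Manager target is an Explorer ZipFolder entry:
    the ZIP was password-protected and the user supplied the password."""
    return [e["TargetName"][len(ZIPFOLDER_PREFIX):] for e in events
            if e.get("EventID") == 5379 and e.get("TargetName", "").startswith(ZIPFOLDER_PREFIX)]


def trusted_documents(events):
    """Sysmon 13 writes under TrustRecords -> (application, version, document path)."""
    out = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        m = TRUST_RE.search(e.get("TargetObject", ""))
        if m:
            out.append((m["app"], m["version"], m["doc"].replace("/", "\\")))
    return out


if __name__ == "__main__":
    print("attachments opened :", outlook_attachment_drops(SAMPLE_EVENTS))
    print("encrypted ZIPs read:", zip_password_reads(SAMPLE_EVENTS))
    print("documents trusted  :", trusted_documents(SAMPLE_EVENTS))
```

Read together, the three results tell the story in order: an attachment landed in Content.Outlook, its password was entered in Explorer, and a .docm extracted from that archive's Temp1_ folder was then trusted in Word. Chaining them by file name is far stronger evidence than any one of the events alone.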
Conclusion
By leveraging the tools and techniques outlined in this blog, forensic investigators can enhance their ability to detect and respond to sophisticated threats. Whether it's hunting for signs of RDP activity, identifying phishing attempts, or detecting data exfiltration, these methods provide a robust foundation for effective threat hunting and incident response.
Akash Patel