Once intruders have gained Administrator access on a system, they try to cover their tracks so that their presence goes undetected.
When all the information of interest has been taken from the target, they install one or more back doors so that they can get back in easily in the future.
Erasing evidence of a compromise is a requirement for any attacker who wants to remain unnoticed. This usually starts with erasing the records of the logins used during the attack and any error messages the attack may have generated; a buffer overflow attack, for example, will usually leave a message in the system logs. Attention then turns to making changes so that future logins are not logged. A good way of ensuring that the system administrator keeps trusting the output of his system is to manipulate the event logs and tweak the audit system rather than leave obvious gaps.
Because checking the system log files is the first thing a system administrator does when looking for unusual activity, intruders very commonly use a utility to modify those logs. In extreme cases a rootkit disables logging altogether and discards all existing logs. Intruders who intend to use the system for a longer time as a launch base for further intrusions are more careful: they remove only those portions of the logs that would reveal their presence, since a missing or empty log is itself suspicious.
- The first thing intruders do after gaining Administrator privileges is disable auditing.
- The NT Resource Kit's auditpol.exe tool can disable auditing from the command line.
- At the end of their stay, the intruders simply turn auditing on again with auditpol.exe.
One of the first steps for an attacker who has command-line access is to determine the auditing status of the target system, locate sensitive files (such as password files) and implant automatic information-gathering tools (such as a keyboard logger or network sniffer).
Windows auditing records selected events to the Event Log (or to an associated syslog server). Monitoring tools can be set to send alerts (email, pager, etc.) to the system administrator when certain events appear. The attacker therefore wants to know the auditing status before doing anything noisy.
auditpol.exe is part of the NT Resource Kit and is a simple command-line utility for finding out the audit status of the target system and for changing it.
The attacker needs auditpol.exe on the path of the machine he is working from (the Resource Kit installs it under the WINNT directory). He then connects to the target with administrative credentials (a null session is not enough: changing the audit policy requires Administrator rights on the target) and runs the command, giving the target's machine name after the two backslashes:
C:\> auditpol \\
This reveals the current audit status of the system. He can then disable auditing with:
C:\> auditpol \\ /disable
From that point on, the actions that would have been registered in the various logs are no longer recorded. The policy change itself is recorded as event ID 612 (Audit Policy Change) if policy-change auditing was on at the time, so a defender reading the Security log can still see when auditing was switched off. Registry keys changed in the meantime can be hidden later on.
There is no effective way to lock the audit policy so that auditpol cannot disable it. One can, however, create a scheduled job that checks the audit status and turns auditing back on whenever it is found disabled. Most host-based IDS products will automatically re-enable auditing if it has been turned off.
There are a number of reasons why auditing is important. These include:
- Successful attacks are often preceded by a series of unsuccessful ones.
- Detecting an attack in its early phase can contain the damage.
- Recovery often depends on a realistic damage assessment.
- Auditing and intrusion detection help determine the causal factors and the people behind an attack.
- Assessing the extent of a network compromise depends on auditing as well. One of the main goals of auditing is to identify the actions attackers took on your network, since an attacker may attempt to compromise multiple computers and devices on the network.
- Intruders can easily wipe out the logs in Event Viewer.
- Event Viewer on the attacker's host can open, read and clear the logs of a remote host.
- Clearing removes every record, but the Security log then starts with a single event ID 517 stating that the audit log was cleared and naming the account that cleared it, in this case the attacker's.
The Event Log service controls whether events are recorded on Windows 2000 systems. When this service is running, user actions and system resource usage are recorded in the following event logs:
- Application log
- System log
- Security log
In the Security log, always check event IDs 529 ("Unknown user name or bad password"), 680 ("Account logon") and 517 ("Security log cleared").
Dump Event Log (dumpel.exe) is a command-line tool included in the Windows 2000 Server Resource Kit. It dumps an event log from a local or remote system into a tab-separated text file, which can then be imported into a spreadsheet or database for further investigation. The tool can also filter for, or filter out, certain event types.
The following syntax is used by the dumpel.exe tool:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x]
Where:
-f file. Specifies the file name for the output file. There is no default for -f, so you must specify the file.
-s server. Specifies the server for which you want to dump the event log. Leading backslashes on the server name are optional.
-l log. Specifies which log (system, application, security) to dump. If an invalid log name is given, the application log is dumped.
-m source. Specifies in which source (such as redirector (rdr), serial, and so on) to dump records. Only one source can be supplied. If this switch is not used, all events are dumped. If a source is used that is not registered in the registry, the application log is searched for records of this type.
-e n1 n2 n3. Filters for event ID nn (up to 10 can be specified). If the -r switch is not used, only records of these types are dumped; if -r is used, all records except records of these types are dumped. If this switch is not used, all events from the specified source name are selected. You cannot use this switch without the -m switch.
-r. Specifies whether to filter for specific sources or records, or to filter them out.
-t. Specifies that individual strings are separated by tabs. If -t is not used, strings are separated by spaces.
-d x. Dumps events for the past x days.
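The three event IDs above and the "one record left after a clear" behaviour are easy to check mechanically once a log has been exported with dumpel. The following Python script is an added example (not part of the original page or of the Resource Kit): it parses a dumpel -t style export and reports cleared-log records (517), bursts of bad-password failures (529) for one account followed by a success (528), and failed account logons (680). The column order, the numeric type codes (8 = success audit, 16 = failure audit) and the sample lines are assumptions and constructed data, not taken from the page.

```python
"""Triage a `dumpel -l security -t` export for the Security-log events the
text singles out (529, 680, 517).  Added example: the column order and the
type codes below are assumptions about dumpel's output, not from the page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data.  Assumed dumpel -t column order:
# date, time, type (8 = success audit, 16 = failure audit), category,
# event ID, source, user, computer, description strings.
SAMPLE_DUMP = """\
1/22/2003\t9:00:01 AM\t8\t1\t517\tSecurity\tWS01\\bob\tWS01\tThe audit log was cleared Primary User Name: bob Primary Domain: WS01
1/22/2003\t9:01:10 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WS01
1/22/2003\t9:01:12 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WS01
1/22/2003\t9:01:14 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WS01
1/22/2003\t9:01:15 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WS01
1/22/2003\t9:01:17 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS01\tLogon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WS01
1/22/2003\t9:01:30 AM\t16\t9\t680\tSecurity\tNT AUTHORITY\\SYSTEM\tWS01\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: administrator Source Workstation: ATTACKER Error Code: 0xC000006A
1/22/2003\t9:01:45 AM\t8\t2\t528\tSecurity\tWS01\\administrator\tWS01\tSuccessful Logon: User Name: administrator Domain: WS01 Logon Type: 3
1/22/2003\t9:30:00 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS01\tLogon Failure: Reason: Unknown user name or bad password User Name: alice Domain: WS01
"""

FIELDS = ("date", "time", "type", "category", "event_id", "source",
          "user", "computer", "strings")
FAILURE_AUDIT = 16
AUDIT_LOG_CLEARED, LOGON_SUCCESS, BAD_PASSWORD, ACCOUNT_LOGON = 517, 528, 529, 680
# "User Name: x" (517/528/529 strings) and "Logon account: x" (680) name the
# account the event is about; the `user` column is usually just SYSTEM.
ACCOUNT_RE = re.compile(r"(?:User Name|Logon account): (\S+)")


def parse_dumpel(text):
    """Turn tab-separated dumpel lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t", len(FIELDS) - 1)   # tabs inside the strings column survive
        if len(parts) < len(FIELDS) - 1:
            continue                                # blank or truncated line
        parts += [""] * (len(FIELDS) - len(parts))
        rec = dict(zip(FIELDS, parts))
        rec["type"] = int(rec["type"])
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records


def account_of(rec):
    m = ACCOUNT_RE.search(rec["strings"])
    return (m.group(1) if m else rec["user"].rsplit("\\", 1)[-1]).lower()


def password_guessing(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` bad-password failures inside one `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["event_id"] == BAD_PASSWORD and r["type"] == FAILURE_AUDIT:
            failures[account_of(r)].append(r["when"])
    hits = {}
    for acct, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[acct] = len(times)
                break
    return hits


def triage(records):
    """Summarise the indicators the text tells a defender to look for."""
    guessed = password_guessing(records)
    # A success (528) for a guessed account after its last failure means a guess worked.
    last_fail = {a: max(r["when"] for r in records
                        if r["event_id"] == BAD_PASSWORD and account_of(r) == a)
                 for a in guessed}
    broke_in = sorted(a for a in guessed if any(
        r["event_id"] == LOGON_SUCCESS and account_of(r) == a and r["when"] > last_fail[a]
        for r in records))
    return {
        "log_cleared_by": [account_of(r) for r in records if r["event_id"] == AUDIT_LOG_CLEARED],
        # If the oldest surviving record is the 517, everything before it was wiped.
        "log_starts_with_clear": bool(records)
        and min(records, key=lambda r: r["when"])["event_id"] == AUDIT_LOG_CLEARED,
        "password_guessing": guessed,
        "guessed_then_logged_in": broke_in,
        "account_logon_failures": sum(r["event_id"] == ACCOUNT_LOGON and r["type"] == FAILURE_AUDIT
                                      for r in records),
    }


if __name__ == "__main__":
    for key, value in triage(parse_dumpel(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Point it at a real export by replacing SAMPLE_DUMP with the contents of the file written by `dumpel -l security -t -f`. A 517 as the oldest surviving record, or a burst of 529s for one account followed by a 528, is exactly the trace that disabling auditing and clearing the log leaves behind.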
An attacker will want to clear the event log after disabling auditing with auditpol.exe. One tool of interest is elsave.exe, written by Jesper Lauritsen, which saves and clears NT event logs from the command line.
ELSave takes the following arguments:
- -s \\server: Server for which you want to save or clear the log.
- -F file: Save the log to a file with this name. Must be an absolute path to a local file on the server specified with -s. If -F is not specified, the log is not saved.
- -l log: Name of the log to save or clear. Must be one of system, application or security. Default is application.
- -q: Write errors and warnings to the application event log. Default is to write errors to stderr. This option is mostly useful when ELSave is run in the background, for example from the scheduler.
- -C: Clears the log. If -C is not specified, the log is not cleared.
Example:
Save the application log on \\serv1 to \\serv1\d$\application.log:
elsave -s \\serv1 -F d:\application.log
Save the system log on the local machine to d:\system.log and then clear the log:
elsave -l system -F d:\system.log -C
Clearing a log this way goes through the normal event-log API, so a cleared Security log still begins with an event ID 517 naming the account that cleared it.
- WinZapper is a tool an attacker can use to erase event records selectively from the Security log in Windows 2000.
- To use the program, the attacker runs winzapper.exe, marks the event records to be deleted, then presses 'delete events' and 'exit', and the events are gone.
- To sum things up: once an attacker has gained Administrator access to the system, one simply cannot trust the Security log!
Event logs are generally assumed to be safe from tampering unless the event-logging service is shut down, by legitimate means or otherwise. WinZapper is a tool that can break into the event-logging system and remove records without shutting the service off or crashing it.
- Evidence Eliminator is an easy-to-use, powerful and flexible data cleansing system for Windows PCs.
- Daily use protects you from unwanted data becoming permanently hidden in your PC.
- It cleans recycle bins, Internet cache, system files, temp folders etc.
Evidence Eliminator is a Windows-based product known for countering privacy invasion by giving the user the ability to remove evidence of his activities on a system, such as websites visited, cookies stored and documents read.
- There are two ways of hiding files in NT/2000:
- Attrib
- use attrib +h [file/directory] (the file disappears from a plain dir listing, but dir /ah and attrib still show it)
- NTFS Alternate Data Streams
- The NTFS file system used by Windows NT, 2000 and XP has a feature, Alternate Data Streams, that allows data to be stored in hidden streams attached to a normal, visible file.
- Streams are not limited in size, and more than one stream can be attached to a normal file.
Every file consists of a set of attributes; a file's name, however, is not part of the file itself. The filename is a directory entry that points to the actual file. This level of indirection is necessary because Windows 2000 and Windows NT both support links: the directory entry is analogous to a pointer, and the unique filename in the directory entry tells the file system which file to access. It is possible to have more than one pointer to the same data.
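Neither a hidden attribute nor an alternate data stream survives a targeted look, which is the point a defender needs. The script below is an added example (not from the original page) that creates a hidden file carrying an alternate stream the way the text describes and then finds both: the hidden attribute via the file's attribute bits and the streams via the Win32 FindFirstStreamW/FindNextStreamW API called through ctypes. The stream-name helpers run anywhere; stream enumeration and the demonstration need an NTFS volume on Windows. The file name readme.txt and the stream name secret are made up for the demonstration.

```python
"""Find files hidden with `attrib +h` and NTFS alternate data streams.
Added example for this page, not from it.  FindFirstStreamW is used because
Explorer and a plain `dir` never list alternate streams.  Only the
stream-name helpers run off Windows; the rest needs NTFS on Windows."""
import ctypes
import os
import stat
import sys
from ctypes import wintypes


def split_stream_name(raw):
    """FindFirstStreamW reports ':<name>:$DATA'; the unnamed default stream is '::$DATA'."""
    _, name, kind = raw.split(":", 2)
    return name, kind


def is_alternate_stream(raw):
    """True for any named stream, i.e. data that `dir` and `attrib` will not show."""
    return split_stream_name(raw)[0] != ""


if sys.platform == "win32":
    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", wintypes.WCHAR * (wintypes.MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [wintypes.HANDLE]
    k32.SetFileAttributesW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD]
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value
    ERROR_HANDLE_EOF = 38          # returned when an entry (e.g. a directory) has no streams

    def list_streams(path):
        """Yield (name, type, size) for every stream of `path`, default stream included."""
        data = WIN32_FIND_STREAM_DATA()
        handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
        if handle == INVALID_HANDLE_VALUE:
            if ctypes.get_last_error() == ERROR_HANDLE_EOF:
                return
            raise ctypes.WinError(ctypes.get_last_error())
        try:
            while True:
                name, kind = split_stream_name(data.cStreamName)
                yield name, kind, data.StreamSize
                if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                    break
        finally:
            k32.FindClose(handle)

    def scan(directory):
        """Report (name, hidden?, [(stream, size), ...]) for entries that are hidden or carry streams."""
        findings = []
        for entry in os.scandir(directory):
            attrs = entry.stat(follow_symlinks=False).st_file_attributes
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            ads = [(n, size) for n, kind, size in list_streams(entry.path) if n]
            if hidden or ads:
                findings.append((entry.name, hidden, ads))
        return findings


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("stream enumeration needs an NTFS volume on Windows")
    import tempfile
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "readme.txt")          # made-up name for the demo
    with open(target, "w") as f:
        f.write("nothing to see here\n")
    # Same effect as `echo ... > readme.txt:secret` on NT/2000: the file's listed
    # size does not change, but the named stream holds the attacker's data.
    with open(target + ":secret", "w") as f:
        f.write("harvested password hashes\n")
    k32.SetFileAttributesW(target, stat.FILE_ATTRIBUTE_HIDDEN)   # same as `attrib +h readme.txt`
    for name, hidden, ads in scan(workdir):
        print(name, "HIDDEN" if hidden else "", ads)
```

On NT/2000 the stream can be read back with `more < readme.txt:secret`; on Windows Vista and later `dir /r` lists streams, and the Sysinternals streams.exe tool does the same for whole directory trees. The hidden attribute is only a display flag: `dir /ah` and `attrib` show the file regardless, which is why a defender's file-system checks should walk with hidden entries included, as scan() above does.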