Read the original article: Using Real-Time Events in Investigations
To understand what a threat actor did on a Windows system, analysts
often turn to the tried and true sources of historical endpoint
artifacts such as the Master File Table (MFT), registry hives, and
Application Compatibility Cache (AppCompat). However, these evidence
sources were not designed with detection or incident response in mind;
crucial details may be omitted or cleared through anti-forensic
methods. By looking at historical evidence alone, an analyst may not
see the full story.
Real-time events can be thought of as forensic artifacts
specifically designed for detection and incident response, implemented
through Enterprise Detection and Response (EDR) solutions or enhanced
logging implementations like Sysmon.
During active-attacker endpoint investigations, FireEye Mandiant
has found real-time events to be useful in filling in the gaps of what
an attacker did. These events record different types of system
activities such as process execution, file write activity, network
connections, and more.
During incident response engagements, Mandiant uses FireEye
Endpoint Security to track endpoint system events in real-time.
This feature allows investigators to track an attacker on any system
by alerting on and reviewing these real-time events. An analyst can
use our solution’s built-in Audit Viewer or Redline to review
real-time events.
Let’s look at some examples of Windows real-time events available on
our solution and how they can be leveraged during an investigation.
Let’s assume the account TEST-DOMAIN\BackupAdmin was an inactive
Administrator account compromised by an attacker. Please note the
examples provided in this post are based on real-time events observed
during engagements but have been recreated or altered to preserve
client confidentiality.
Process Execution Events
There are many historical process execution artifacts including AppCompat,
AmCache,
WMI
CCM_RecentlyUsedApps, and more.
A single artifact rarely covers all the useful details relating to a
process’s execution, but real-time process execution events change
that. Our solution’s real-time process execution events record
execution time, full process path, process identification number
(PID), parent process path, parent PID, user, command line arguments,
and even the process MD5 hash.
Table 1 provides an example of a real-time process execution event
recorded by our solution.
|
Field |
Example |
|
Timestamp (UTC) |
2020-03-10 16:40:58.235 |
|
Sequence Number |
2879512 |
|
PID |
9392 |
|
Process Path |
C:\Windows\Temp\legitservice.exe |
|
Username |
TEST-DOMAIN\BackupAdmin |
|
Parent PID |
9103 |
|
Parent Process Path |
C:\Windows\System32\cmd.exe |
|
EventType |
Start |
|
ProcessCmdLine |
"C:\Windows\Temp\legitservice.exe" |
|
Process MD5 Hash |
a823bc31395539816e8e4664e884550f |
Table 1: Example real-time process execution event
Based on this real-time process execution event, the process C:\Windows\System32\cmd.exe with PID 9103 executed
the file C:\Windows\Temp\legitservice.exe
with PID 9392 and the MD5 hash a823bc31395539816e8e4664e884550f. This new process
used the command line arguments -b -m under the user context of TEST-DOMAIN\BackupAdmin.
We can compare this real-time event with what an analyst might see
in other process execution artifacts. Table 2 provides an example
AppCompat entry for the same executed process. Note the recorded
timestamp is for the last modified time of the file, not the process
start time.
|
Field |
Example |
|
File Last |
2020-03-07 23:48:09 |
|
File Path |
C:\Windows\Temp\legitservice.exe |
|
Executed Flag |
TRUE |
Table 2: Example AppCompat entry
Table 3 provides an example AmCache entry. Note the last modified
time of the registry key can usually be used to determine the process
start time and this artifact includes the SHA1 hash of the file.
|
Field |
Example |
|
Registry Key |
2020-03-10 16:40:58 |
|
File Path |
C:\Windows\Temp\legitservice.exe |
|
File Sha1 Hash |
2b2e04ab822ef34969b7d04642bae47385be425c |
Table 3: Example AmCache entry
Table 4 provides an example Windows Event Log process creation
event. Note this artifact includes the PID in hexadecimal notation,
details about the parent process, and even a field for where the
process command line arguments should be. In this example the command
line arguments are not present because they are disabled
by default and Mandiant rarely sees this policy enabled by
clients on investigations.
|
Field |
Example |
|
Write Time (UTC) |
2020-03-10 16:40:58 |
|
Log |
Security |
|
Source |
Microsoft Windows security |
|
EID |
4688 |
|
Message |
A new process has been created.
Creator Subject:
Target Subject:
Process Information: |
Table 4: Example Windows event log process
creation event
If we combine the evidence available in AmCache with a fully
detailed Windows Event Log process creation event, we could match the
evidence available in the real-time event except for a small
difference in file hash types.
File Write Events
An attacker may choose to modify or delete important evidence. If an
attacker uses a file shredding tool like Sysinternal’s SDelete, it is
unlikely the analyst will recover the original contents of the file.
Our solution’s real-time file write events are incredibly useful in
situations like this because they record the MD5 hash of the files
written and partial contents of the file. File write events also
record which process created or modified the file in question.
Table 5 provides an example of a real-time file write event recorded
by our solution.
|
Field |
Example |
|
Timestamp (UTC) |
2020-03-10 16:42:59.956 |
|
Sequence Number |
2884312 |
|
PID |
9392 |
|
Process Path |
C:\Windows\Temp\legitservice.exe |
|
Username |
TEST-DOMAIN\BackupAdmin |
|
Device Path |
\Device\HarddiskVolume2 |
|
File Path |
C:\Windows\Temp\WindowsServiceNT.log |
|
File MD5 Hash |
30a82a8a864b6407baf9955822ded8f9 |
|
Num Bytes Seen Written |
8 |
|
Size |
658 |
|
Writes |
4 |
|
Event reason |
File closed |
|
Closed |
TRUE |
|
Base64 Encoded |
Q3JlYXRpbmcgJ1dpbmRvd3NTZXJ2aWNlTlQubG9nJy |
|
Text At Lowest Offset |
Creating ‘WindowsServiceNT.log’ logfile : |
Table 5: Example real-time file write event
Based on this real-time file write event, the malicious executable
C:\Windows\Temp\legitservice.exe wrote the
file C:\Windows\Temp\WindowsServiceNT.log to
disk with the MD5 hash 30a82a8a864b6407baf9955822ded8f9. Since the
real-time event recorded the beginning of the written file, we can
determine the file likely contained Mimikatz credential harvester
output which Mandiant has observed commonly starts with OK….mimikatz.
If we investigate a little later, we’ll see a process creation event
for C:\Windows\Temp\taskassist.exe with the
MD5 file hash 2b5cb081721b8ba454713119be062491 followed by
several file write events for this process summarized in Table 6.
|
Timestamp |
File Path |
File Size |