Windows logs

In a Windows operating system, the most relevant security-related logs are accessible via Event Viewer. In Chapter 13, Investigating an Incident, we spoke about the most common events that should be reviewed during an investigation. While the events can be easily located in Event Viewer, you can also obtain the individual files at Windows\System32\winevt\Logs, as shown in the following screenshot:

However, log analysis in an operating system is not necessarily limited to the logging information provided by the OS, especially in Windows. There are other sources of information that you can use, including prefetch files (Windows Prefetch). These files contain relevant information regarding process execution. They can be useful when trying to understand whether a malicious process was executed and which actions were taken during that first execution.

In Windows 10, you also have OneDrive logs (C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\logs), which can be useful. If you are investigating data extraction, this could be a good place to look to verify if any wrongdoing was carried out. Review the SyncDiagnostics.log for more information.

To parse Windows Prefetch files, use the Python script at https://github.com/PoorBillionaire/Windows-Prefetch-Parser.

Another important file location is where Windows stores the user mode crash dump files, which is C:\Users\<username>\AppData\Local\CrashDumps. These crash dump files are important artifacts that can be used to identify potential malware in the system.
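As an added example (not code from the book), the following PowerShell script inventories the artifact locations just listed (the .evtx files under winevt\Logs, Prefetch, the OneDrive logs folder and CrashDumps), recording size, timestamps and a SHA-256 hash for each file so that the collection can be verified later. It assumes the default Windows 10 folder layout, administrator rights on the host, and that Prefetch lives in %SystemRoot%\Prefetch (a known default that the text above does not state); the parameter names and the output file name are my own choices.

```powershell
# Added example (not from the book): inventory and hash the forensic artifact
# locations discussed in this section.
# Assumptions: run as Administrator on the host under investigation; -User is the
# profile being examined; default Windows 10 paths.
param(
    [string]$User   = $env:USERNAME,
    [string]$OutCsv = ".\artifact_inventory.csv"
)

$profilePath = Join-Path 'C:\Users' $User

# One entry per artifact source: label, directory, file pattern.
$sources = @(
    @{ Label = 'EventLog';  Path = "$env:SystemRoot\System32\winevt\Logs";              Filter = '*.evtx' }
    @{ Label = 'Prefetch';  Path = "$env:SystemRoot\Prefetch";                           Filter = '*.pf'   }
    @{ Label = 'OneDrive';  Path = "$profilePath\AppData\Local\Microsoft\OneDrive\logs"; Filter = '*.log'  }
    @{ Label = 'CrashDump'; Path = "$profilePath\AppData\Local\CrashDumps";              Filter = '*.dmp'  }
)

$inventory = foreach ($src in $sources) {
    if (-not (Test-Path -LiteralPath $src.Path)) {
        Write-Warning "Missing: $($src.Path)"
        continue
    }
    Get-ChildItem -LiteralPath $src.Path -Filter $src.Filter -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Hash every file so later modification of the evidence is detectable.
            # Live .evtx files are held open by the EventLog service and may be
            # unreadable; record that instead of silently skipping the file.
            try   { $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
            catch { $hash = 'UNREADABLE' }
            [pscustomobject]@{
                Source      = $src.Label
                Path        = $_.FullName
                SizeBytes   = $_.Length
                CreatedUtc  = $_.CreationTimeUtc.ToString('o')
                ModifiedUtc = $_.LastWriteTimeUtc.ToString('o')
                Sha256      = $hash
            }
        }
}

$inventory | Sort-Object ModifiedUtc -Descending | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
# Short summary on screen: how many files were found per source.
$inventory | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize
```

Run it as, for example, `.\Get-ArtifactInventory.ps1 -User alice -OutCsv C:\case\inventory.csv`. Files that come back as UNREADABLE are usually the live event logs; export those with `wevtutil epl Security C:\case\Security.evtx` (and the same for Application and System) and hash the exported copies instead. Sorting by modification time puts the most recently touched artifacts first, which is a quick way to see which prefetch entries and crash dumps fall inside the incident window.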

One common type of attack that can be exposed in a dump file is the code injection attack. This happens when executable modules are inserted into running processes or threads. This technique is mostly used by malware to access data and to hide or prevent its removal (for example, for persistence). It is important to emphasize that legitimate software developers may occasionally use code injection techniques for non-malicious reasons, such as modifying an existing application.

To open these dump files you need a debugger, such as WinDbg (http://www.windbg.org), and you need the proper skills to navigate through the dump file to identify the root cause of the crash. If you don't have those skills, you can also use Instant Online Crash Analysis (http://www.osronline.com).

The results that follow are a brief summary of the automated analyses from using this online tool (the main areas to follow up are in bold):

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\guids.ini, error 2
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
GetUrlPageData2 (WinHttp) failed: 12029.
*** The OS name list needs to be updated! Unknown Windows version: 10.0 ***

FAULTING_IP:
eModel!wil::details::ReportFailure+120
00007ffe`be134810 cd29            int     29h

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffebe134810 (eModel!wil::details::ReportFailure+0x0000000000000120)
   ExceptionCode: c0000409 (Stack buffer overflow)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000007

PROCESS_NAME:  MicrosoftEdge.exe

EXCEPTION_CODE: (NTSTATUS) 0xc0000409

The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000007

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  0000000000003208

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SEHOP

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_SEHOP

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_SEHOP

LAST_CONTROL_TRANSFER:  from 00007ffebe1349b0 to 00007ffebe134810

STACK_TEXT:
000000d4`dc4fa910 00007ffe`be1349b0 : ffffffff`ffffffec 00007ffe`df5e0814 000000d4`dc4fc158 000002bb`a1d20820 : eModel!wil::details::ReportFailure+0x120
000000d4`dc4fbe50 00007ffe`be0fa485 : 00000000`00000000 00007ffe`df5ee52e 000002bb`ac0f5101 00007ffe`be197771 : eModel!wil::details::ReportFailure_Hr+0x44
000000d4`dc4fbeb0 00007ffe`be0fd837 : 000002bb`ab816b01 00000000`00000000 00000000`00010bd8 000002bb`00000000 : eModel!wil::details::in1diag3::FailFast_Hr+0x29
000000d4`dc4fbf00 00007ffe`be12d7dd : 00000000`00010bd8 00000000`00000000 00000000`80070001 000000d4`dc4ffa60 : eModel!FailFastOnReparenting+0xf3
000000d4`dc4ffc00 00007ffe`be19e5b8 : 000002bb`ab816b20 00000000`00000000 00000000`00000000 000002bb`a16b7bb8 : eModel!SetParentInBrokerInternal+0x40b5d
000000d4`dc4ffc40 00007ffe`be19965c : 00000000`00000000 000002bb`ac0f51f0 000002bb`ac0f51f4 000002bb`ac0f50c0 : eModel!CTabWindowManager::_AttemptFrameFastShutdown+0x118
000000d4`dc4ffc90 00007ffe`be19634e : 000002bb`c0061b00 000000d4`dc4ffd00 00007ffe`be0a9e00 00000000`00000001 : eModel!CTabWindowManager::CloseAllTabs+0x6c
000000d4`dc4ffcd0 00007ffe`be114a0b : 00000000`00000000 00007ffe`be0a9ed0 000002bb`c0061b00 000002bb`c0061b00 : eModel!CBrowserFrame::_OnClose+0x106
000000d4`dc4ffd50 00007ffe`be07676e : 00000000`00000000 00000000`00000000 00000000`00000000 000002bb`c00711f0 : eModel!CBrowserFrame::FrameMessagePump+0x6e63b
000000d4`dc4ffe30 00007ffe`be076606 : 000002bb`00032401 000002bb`c0061b00 000000d4`dc4fff50 000002bb`c00711f0 : eModel!_BrowserThreadProc+0xda
000000d4`dc4ffeb0 00007ffe`be0764a9 : 00000000`00000001 000002bb`c0071218 000000d4`dc4fff50 00000000`00000000 : eModel!_BrowserNewThreadProc+0x56
000000d4`dc4ffef0 00007ffe`dea68364 : 000002bb`aae03cd0 00000000`00000000 00000000`00000000 00000000`00000000 : eModel!SHOpenFolderWindow+0xb9
000000d4`dc4fff60 00007ffe`e13470d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000d4`dc4fff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

In this crash analysis done by Instant Online Crash Analysis, we have an overrun of a stack-based buffer in Microsoft Edge. Now, you can correlate this crash (using the date and time it occurred) with other information available in Event Viewer (security and application logs) to verify whether there was any suspicious process running that could have potentially gained access to this application. Remember that, in the end, you need to perform data correlation to have more tangible information regarding a specific event and its culprit.
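The correlation step described above, as an added PowerShell example that is not code from the book: starting from the crash dump file, it takes the dump's creation time, pulls Application and Security events from a window around it, adds prefetch files that were updated in the same window, and prints a single time-ordered table. It assumes the default Windows Error Reporting dump name (image name followed by process id, for example MicrosoftEdge.exe.4120.dmp, a constructed value), administrator rights for the Security log, that Process Creation auditing is enabled (otherwise no 4688 events exist), and a ten-minute window, which is a choice rather than a standard. The event IDs used are real ones: 1000 (Application Error) and 1001 (Windows Error Reporting) in the Application log, 4688 (process creation) and 4624 (logon) in the Security log.

```powershell
# Added example (not from the book): build a timeline around a user-mode crash
# dump from Event Viewer records and Prefetch activity.
# Assumptions: run as Administrator; -DumpPath is a .dmp under
# <profile>\AppData\Local\CrashDumps named <image>.<pid>.dmp; window is a choice.
param(
    [Parameter(Mandatory)][string]$DumpPath,
    [int]$WindowMinutes = 10
)

$dump  = Get-Item -LiteralPath $DumpPath
$crash = $dump.CreationTime                 # WER writes the dump at crash time
$start = $crash.AddMinutes(-$WindowMinutes)
$end   = $crash.AddMinutes($WindowMinutes)
# MicrosoftEdge.exe.4120.dmp -> BaseName MicrosoftEdge.exe.4120 -> MicrosoftEdge.exe
$proc  = $dump.BaseName -replace '\.\d+$', ''

$timeline = [System.Collections.Generic.List[object]]::new()
function Add-Row([datetime]$Time, [string]$Source, [string]$Detail) {
    $timeline.Add([pscustomobject]@{
        Time    = $Time
        Source  = $Source
        Detail  = $Detail
        # Flag rows that name the crashed image so they stand out in the table.
        Related = $Detail -match [regex]::Escape($proc)
    })
}

Add-Row $crash 'CrashDump' "$($dump.Name) ($($dump.Length) bytes)"

# Application log: 1000 = Application Error (faulting module), 1001 = WER report.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1001; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Row $_.TimeCreated "Application/$($_.Id)" (($_.Message -split '\r?\n')[0]) }

# Security log: 4688 = process creation (needs 'Audit Process Creation'), 4624 = logon.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4624; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event XML carries the structured fields; pull the ones useful for triage.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $detail = if ($_.Id -eq 4688) { "$($d.NewProcessName) parent=$($d.ParentProcessName)" }
                  else                { "logon type $($d.LogonType) user=$($d.TargetUserName)" }
        Add-Row $_.TimeCreated "Security/$($_.Id)" $detail
    }

# Prefetch: a .pf file's LastWriteTime advances each time its program runs.
Get-ChildItem -LiteralPath "$env:SystemRoot\Prefetch" -Filter '*.pf' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
    ForEach-Object { Add-Row $_.LastWriteTime 'Prefetch' $_.Name }

$timeline | Sort-Object Time | Format-Table Time, Source, Related, Detail -AutoSize -Wrap
```

Run it as `.\Get-CrashTimeline.ps1 -DumpPath 'C:\Users\alice\AppData\Local\CrashDumps\MicrosoftEdge.exe.4120.dmp'`. The rows to look at first are the 4688 entries just before the crash whose parent is the crashed image or that name an unexpected binary, and any prefetch file for a program that should not have run on that host. Get-WinEvent reads the live logs, so the picture is only as complete as the retention of those logs; on a busy system export them early, as noted in the inventory example, before they roll over.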
