Transcript of “Make ETW Great Again” – Ruxcon 2016
Make ETW Great Again.
Ben Lelonek, Nate Rogers
Exploring some of the many uses of Event Tracing for Windows (ETW)
CyberPoint is a cybersecurity company. We’re in the business of protecting what’s invaluable to you.
Who We Are
Nate “Million Dollars” Rogers
• CyberPoint International – Security Research Team Lead
• Student at NYU
• Previously: eEye Digital Security
• Twitter: @Conjectural_Hex
Ben “Texas Dirt” Lelonek
• CyberPoint International – Security Research Team / Developer
• Student at UMBC
Make ETW Great Again – Ruxcon 2016
CyberPoint Security Research Team • www.cyberpointllc.com/srt • [email protected] • @CyberPoint_SRT
What we’re going to be talking about.
• What is ETW
• Quick Overview of ETW
• Usage Examples
• Public Uses and Research
• ETW for Malware Detection
• ETW for Red Team
• Mitigations
• Questions
What is Event Tracing for Windows (ETW)?
• Built-in, general purpose, logging and diagnostic framework
• Efficient: high speed, low overhead
• Dynamically enabled or disabled
• Log to file or consume in real time
• Used for performance analysis and general debugging
• Example usage – Google Chrome
  – Performance analysis & profiling
  – UIforETW
Source: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/test/weg/weg-performance
Quick Overview of ETW
• First introduced in Windows 2000
• Greatly expanded in Vista
  – New manifest-based providers and logging in more than just the kernel
  – More in each OS since
• Ease of use improved with each OS
  – Windows 2000 – MOF classes and WMI
  – Windows Vista – XML manifests
  – Windows 8 / .NET 4.5 – EventSource (C#)
  – Windows 10 – TraceLogging
[Chart: Providers by Windows Version (data labels from the bar chart)]
  Windows 2000     3
  Windows XP       3
  Windows Vista    431
  Windows 7        656
  Windows 8.1      956
  Windows 10       1052
How to View ETW Events
• API – less commonly used, focus of our work
  – Microsoft.Diagnostics.Tracing.TraceEvent.dll
  – C/C++/C#/etc.
• Command line / applications – more commonly used
  – Built-in: Logman, TraceRpt, Event Viewer, Performance Monitor, wevtutil
  – Installable: Xperf, PerfView, Netmon, Microsoft Message Analyzer, Windows Performance Analyzer
• PerfView example…
Viewing ETW Events – PerfView
[Screenshot: TeslaCrypt reading files in System32]
ETW Example Providers
• Listing providers
• Listing running sessions
Using ETW
• ETW events are handled asynchronously
  – System/application writes them to the kernel
  – Consumers must establish a session and subscribe to get data
• Typical ETW structure
  – C/C++: EVENT_HEADER, EVENT_RECORD, EVENT_TRACE structures and Trace Data Helper (TDH) functions
  – C#: TraceEvent object, PayloadStringByName()
• Mechanism
  – OS-side implementation details not publicly available
  – Callbacks from the OS
• Events can be collected remotely
  – Configured via WMI, PowerShell
  – Collector machine pulls data from workers
TraceEvent object
TONS of information!
Using ETW API (C#)
Example: Simple UAC Event Listener
• Extremely easy to implement
Great, so what does this have to do with security?
• Extensive integration with Windows
  – Much of the Windows API logs to ETW
  – A vast number of Windows subsystems have providers
  – Can be used to collect information for both attackers & defenders/auditors
• Universally deployed in Windows
  – Exists (in some form) in every version since Windows 2000
  – Data provider enabled on demand
  – Huge potential for abuse
    • We’ll get back to this later…
  – Great potential for defensive applications/research
    • Lots of potential data points for collection/heuristics
      – process, .NET/CLR, kernel, IO, files, memory, UAC, logins, crypto, firewall, SMB, TCPIP, MANY more…
    • Some examples/tools exist but can be improved
Public Uses and Research
• Defensive
  – Data mining heuristics: collecting ETW logs to detect malware
  – Ransomware detection (not ETW-based): tracks file IO/handles
    • Similar to our technique (next slide), but uses a driver
• Offensive
  – Persistence: ETW triggering service execution
  – Packet capture: logman/netsh for capturing network traffic
  – “SSL Sidejacking” / cookie stealing: an ETW listener for WinINet can snoop on traffic (even SSL/TLS)
ETW Malware Detection: Room for Improvement
• Few malware ETW tools
  – Existing techniques all use external EXEs (logman.exe, wevtutil.exe, PerfView, etc.)
  – Often focus on network traffic, not ransomware
  – Can’t parse in “real” time: must log to disk, then parse
• Ransomware ETW solutions? Virtually none
• Goals:
  – More lightweight (less overhead) solutions would be optimal
  – Native ETW API: standalone binary with no dependencies
  – Static AND dynamic: detect ransomware in real time, and also support captures (.etl)
Detecting Ransomware – Our Approach
Classify and distill ransomware behavior
• Iterate files
  – Extension based, location based, etc.
• Read/write to files
  – Access times, creation times, different sizes (read vs. write), location
• Encryption
  – AES, custom, GOST, RSA, Blowfish, TripleDES, XOR, RC4, Salsa20, TEA, zip, rar, etc.
• Move/Rename/Copy/Delete
  – Many different ways to deal with the “original” file
Detecting Ransomware – Our Approach (cont.)
Is generalization of behavior possible for all samples?
• Read then write
  – Yes, but varies…
  – Lots of false positives
  – Timing threshold? Must account for OS delays, iterations, etc.
• File size delta?
  – Encrypted file vs. original
  – Different encryption, IVs, etc. add size!
  – Size deltas vary
  – Lots of false positives in benign processes
• File name changes
  – Original file name vs. encrypted
  – Original is in the encrypted name (in some form), almost always
• Encryption
  – Too much variance for a generic rule
Detecting Ransomware – Our Approach (cont.)
• Generic detection algorithm
  – Track writes to files that were previously read
    • Must be the same PID
    • Must be within the time threshold: 80 ms
      – Highest average observed ~49 ms (NanoLocker)
    • Must be within the size delta threshold: 1024 bytes
      – Higher than needed for malware
      – Browser caches and temp files
  – If the above criteria are met, increment the SuspiciousEvent counter
    • SuspiciousEvent counter threshold = 3
  – Filter false positives
    • temp files, caching, Windows Search, etc.
[Diagram: PID → Time → Size → Suspicious!]
Detecting Ransomware – Our Approach (cont.)
• Which provider is needed?
  – “Windows Kernel”
  – Can use others but not necessary
• What data is needed from the provider?
  – “Type Field”: FileIOReadWriteTraceData
  – Multiple event types
    – Event name: “FileIO/Write”, “FileIO/Read”
    – “OpCode”: sub-types known as opcodes, represented with an INT and an ASCII name
      – Opcode names: “Read”, “Write”
      – Opcode values: 67 (Read) and 68 (Write), decimal, as defined by the kernel FileIo_ReadWrite event class
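The generic detection algorithm above, as an added Python example (not the authors' tool): it replays a stream of kernel FileIO Read/Write records and applies the same-PID rule, the 80 ms window, the 1024-byte size delta, and the SuspiciousEvent counter of 3. Each record mirrors the fields TraceEvent exposes on FileIOReadWriteTraceData (ProcessID, TimeStamp, FileName, IoSize, opcode); the event stream and the false-positive path filter are constructed for illustration, and pairing a write with the previous read of the same file by the same PID is our reading of the slide.

```python
"""Read-then-write ransomware heuristic over kernel FileIO Read/Write events.

Added example (not the authors' tool). Each record mirrors the fields the
TraceEvent FileIOReadWriteTraceData object exposes: ProcessID, TimeStamp,
FileName, IoSize and the opcode. The sample stream below is constructed,
not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass

OPCODE_READ = 67    # "FileIO/Read"  (FileIo_ReadWrite EventType 67)
OPCODE_WRITE = 68   # "FileIO/Write" (FileIo_ReadWrite EventType 68)

TIME_THRESHOLD_MS = 80     # slide: highest average observed ~49 ms (NanoLocker)
SIZE_DELTA_BYTES = 1024    # slide: generous on purpose; covers IV/header growth
SUSPICIOUS_LIMIT = 3       # slide: SuspiciousEvent counter = 3

# Assumed false-positive filter: the slide names temp files, caching and
# Windows Search but gives no list. Fragments are matched case-insensitively.
IGNORED_PATH_FRAGMENTS = ("\\temp\\", "\\inetcache\\", "\\windows\\search\\")


@dataclass(frozen=True)
class FileIoEvent:
    pid: int
    timestamp_ms: float   # monotonic milliseconds, like TimeStampRelativeMSec
    filename: str
    io_size: int
    opcode: int


class RansomwareDetector:
    """Flags a PID after `limit` read-then-write pairs that fit the thresholds."""

    def __init__(self, time_threshold_ms=TIME_THRESHOLD_MS,
                 size_delta=SIZE_DELTA_BYTES, limit=SUSPICIOUS_LIMIT):
        self.time_threshold_ms = time_threshold_ms
        self.size_delta = size_delta
        self.limit = limit
        # Assumption: a write is paired with the most recent read of the same
        # file by the same PID ("writes to files that were previously read").
        self._last_read = {}
        self.suspicious = defaultdict(int)   # pid -> suspicious pair count
        self.flagged = set()

    @staticmethod
    def _ignored(filename):
        lowered = filename.lower()
        return any(frag in lowered for frag in IGNORED_PATH_FRAGMENTS)

    def feed(self, ev):
        """Consume one event; return True when this event flags the PID."""
        if self._ignored(ev.filename):
            return False
        key = (ev.pid, ev.filename)
        if ev.opcode == OPCODE_READ:
            self._last_read[key] = ev
            return False
        if ev.opcode != OPCODE_WRITE:
            return False
        prior = self._last_read.pop(key, None)
        if prior is None:
            return False  # written without a prior read by this PID: not the pattern
        in_time = 0 <= ev.timestamp_ms - prior.timestamp_ms <= self.time_threshold_ms
        in_size = abs(ev.io_size - prior.io_size) <= self.size_delta
        if in_time and in_size:
            self.suspicious[ev.pid] += 1
            if self.suspicious[ev.pid] >= self.limit and ev.pid not in self.flagged:
                self.flagged.add(ev.pid)
                return True
        return False


DOCS = r"C:\Users\ben\Documents"
CACHE = r"C:\Users\ben\AppData\Local\Microsoft\Windows\INetCache"

# Constructed stream: PID 4242 behaves like ransomware (read, then write back
# ~10 ms later with 16 extra bytes); 1337 is an editor saving seconds later;
# 2001 is browser cache churn that the path filter removes.
SAMPLE_EVENTS = [
    FileIoEvent(4242, 1000.0, DOCS + r"\budget.xlsx", 40960, OPCODE_READ),
    FileIoEvent(4242, 1012.0, DOCS + r"\budget.xlsx", 40976, OPCODE_WRITE),
    FileIoEvent(4242, 1030.0, DOCS + r"\notes.docx", 8192, OPCODE_READ),
    FileIoEvent(4242, 1041.0, DOCS + r"\notes.docx", 8208, OPCODE_WRITE),
    FileIoEvent(1337, 1050.0, DOCS + r"\thesis.docx", 65536, OPCODE_READ),
    FileIoEvent(1337, 6050.0, DOCS + r"\thesis.docx", 65600, OPCODE_WRITE),
    FileIoEvent(2001, 1060.0, CACHE + r"\x.dat", 4096, OPCODE_READ),
    FileIoEvent(2001, 1062.0, CACHE + r"\x.dat", 4096, OPCODE_WRITE),
    FileIoEvent(4242, 1070.0, DOCS + r"\holiday.jpg", 3145728, OPCODE_READ),
    FileIoEvent(4242, 1079.0, DOCS + r"\holiday.jpg", 3145744, OPCODE_WRITE),
]


def run(events, **thresholds):
    """Replay a list of FileIoEvent records and return the detector state."""
    det = RansomwareDetector(**thresholds)
    for ev in events:
        det.feed(ev)
    return det


if __name__ == "__main__":
    state = run(SAMPLE_EVENTS)
    for pid in sorted(state.flagged):
        print(f"PID {pid}: {state.suspicious[pid]} suspicious read/write pairs")
```

Feeding the real FileIORead/FileIOWrite callbacks of a TraceEvent kernel session into `feed()` is the only change needed to run this live; the thresholds are the knobs the slide discusses, and widening the window shows why the editor process still does not trip the counter.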
What can we detect?
• EVERYTHING! (That we tested.)
• Specifically: Cerber, Chimera, CTB-Locker, Locky, HydraCrypt, Jigsaw, LockScreen, Mobef, Radamant, SamSam, Shade, TeslaCrypt, TorrentLocker, TrueCrypter, 7ev3n, Coverton, KimcilWare, Petya
• Generically detected all samples
• Even those with (relatively) low detections on VirusTotal
• TorrentLocker: [screenshot]
ETW & Ransomware Detection Limitations
• Not perfect
  – Needs at least 3 files to be encrypted to be effective
• Dynamic captures can be delayed
  – Varies greatly
  – Depends on number of consumed events, system activity, etc.
  – Usually a small delay
• Hard to hide sessions from malware and attackers
  – Easy for malware to see who’s “listening”
  – Trivial to access…
Malware Detection of ETW
How easily can attackers “see” ETW?
• Anti-analysis?
• Easy to see sessions – logman.exe, C# API
• No baseline of sessions or providers
  – Which are good? Which are bad?
Tons of potential ETW providers!
• Some uses are obvious
  – Winlogon, SCM, WLAN, WMI, Firewall, UAC, TCPIP, Task Scheduling, SMB, Smart Cards, Terminal Services, PowerShell, Location, Kernel Resources/Events, IPsec, File History/File Manage, DNS/DHCP Client, Bluetooth, BITS, BitLocker, Cryptography, Antimalware, LsaSrv, SAM, Active Directory
• Some are a little less…
  – Microsoft-Windows-Bluetooth-HidBthLE
  – Microsoft-Windows-USB-UCX
  – Microsoft-Windows-WinINet
  – Etc.…
Most have good potential
• All require closer inspection before use
  – Some more than others (USB)
• Lots of metadata
  – Must be filtered out
ETW Providers for Red Team
USB Key Logging with ETW
• Motivation
  – USB key logging discussed, but no tools exist
  – API based, no dependencies
    • No need to log to disk first
    • More “tactical” solution
• ETW is VERBOSE, especially with USB-UCX data
  – ETW provides RAW USB data
  – Requires that we parse it ourselves
  – USB keyboards poll
    • Send data regardless of key press
    • Poll rate: 125 Hz = 8 ms
• Providers
  – Microsoft-Windows-USB-UCX – {36DA592D-E43A-4E28-AF6F-4BC57C5A11E8}
  – Microsoft-Windows-USB-USBPORT – {C88A4EF5-D048-4013-9408-E04B7DB2814A}
• Pros
  – ETW is INTENDED functionality (debugging)
  – New technique. No AV coverage… yet
  – Can capture keystrokes when the computer is locked!
• Cons
  – Real-time ETW captures can have delays
  – Requires admin
Microsoft Message Analyzer FTW!
• Microsoft Message Analyzer (MMA) GREATLY reduced the “noise” on the wire
• Excellent tool for USB and general ETW troubleshooting
• Does most USB/ETW parsing for you
  – From this… [raw trace screenshot]
  – To this! [parsed trace screenshot]
Data exists in ETW traces, so Microsoft’s TraceEvent library can easily retrieve the desired values. So simple, right?!
Actually Parsing Events
• Unfortunately TraceEvent isn’t perfect
  – TraceEvent returns an empty byte[] for the xferData field
    • We know the data is there – MMA & Xperf, etc. (previous slide)
  – Had to dump the whole ETW payload and parse it ourselves
    • Just takes a little extra work…
Quick Note: Sniffing USB
What to do with the data?
• Data blobs represent raw bytes on the wire + ETW headers
  – Strip off ETW and parse the remaining data
  – Remaining data is a USB Request Block (URB)
• Data from devices must be processed by drivers
  – Usbxhci.sys -> Ucx01000.sys -> USBhub3.sys (USB 3)
  – We can cheat using ETW headers!
• Human Interface Device (HID) data is in URB_FUNCTION: _URB_BULK_OR_INTERRUPT_TRANSFER
Source: https://msdn.microsoft.com/en-us/library/windows/hardware/dn741264(v=vs.85).aspx
Filtering and Parsing Events
Turn raw data into HID data
• Find USB Request Blocks (URBs) of interest
  – UCX_URB_BULK_OR_INTERRUPT_TRANSFER
  – “payload”: TransferBuffer
• Find the correct payload size
  – fid_URB_TransferDataLength
  – Keyboard HID packets = 8 bytes
  – Mouse HID payload = 4 bytes
• Get data!
  – fid_URB_TransferData
USB HID Usage Tables
• fid_URB_TransferData – “payload” from HID data = keystroke
• Payload is then mapped to the HID spec
Actually Parsing ETW USB Events in C#
• Use ETW to find the correct URB – UCX_URB_BULK_OR_INTERRUPT_TRANSFER
• Use ETW to select the payload size for keyboards – TransferBufferLength
• Manually populate xferData with the URB payload
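The payload-to-keystroke step from the last three slides, as an added Python example (not the talk's C# demo): each input stands in for the fid_URB_TransferData bytes of an 8-byte UCX_URB_BULK_OR_INTERRUPT_TRANSFER once the ETW header has been stripped, and the decoder maps them through the HID Keyboard/Keypad usage table. It also handles what the raw stream forces on you and the slides only mention: the 125 Hz polling repeats a held key every 8 ms, so a key counts only when it newly appears in a report, and 4-byte mouse payloads on the same bus are skipped by length. The report sequence is constructed, not captured.

```python
"""Decode USB boot-protocol keyboard reports carried as URB transfer data.

Added example (not the authors' demo code). Each payload stands in for the
fid_URB_TransferData bytes of a UCX_URB_BULK_OR_INTERRUPT_TRANSFER event once
the ETW header has been stripped. Report layout and usage IDs follow the USB
HID Usage Tables (Keyboard/Keypad page); the sequence below is constructed.
"""

KEYBOARD_REPORT_LEN = 8          # slide: keyboard HID packets = 8 bytes
MOD_SHIFT_MASK = 0x02 | 0x20     # byte 0: left shift (bit 1), right shift (bit 5)
ROLLOVER_USAGE = 0x01            # "ErrorRollOver": too many keys, report is garbage

# Usage ID -> (unshifted, shifted). Subset of the Keyboard/Keypad page.
HID_USAGE = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    HID_USAGE[0x04 + i] = (ch, ch.upper())
for i, (digit, sym) in enumerate(zip("1234567890", "!@#$%^&*()")):
    HID_USAGE[0x1E + i] = (digit, sym)
HID_USAGE.update({
    0x28: ("\n", "\n"), 0x2A: ("<BS>", "<BS>"), 0x2B: ("\t", "\t"),
    0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"),
    0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})


def usage_to_text(usage, shifted):
    """Map one usage ID to text; unknown IDs are kept as <0xNN> so nothing is lost."""
    pair = HID_USAGE.get(usage)
    if pair is None:
        return f"<0x{usage:02x}>"
    return pair[1] if shifted else pair[0]


class KeystrokeDecoder:
    """Turns the 125 Hz stream of keyboard reports into key-down text.

    The keyboard repeats the same report every 8 ms while a key is held, so a
    key counts only when it appears in a report and was absent from the
    previous one (edge detection). Bytes 2..7 hold up to six pressed usages.
    """

    def __init__(self):
        self._held = set()

    def feed(self, payload):
        """Return the text typed in this report (possibly empty)."""
        if len(payload) != KEYBOARD_REPORT_LEN:
            return ""                          # e.g. 4-byte mouse payloads
        keys = [b for b in payload[2:] if b]   # byte 1 is reserved
        if keys and all(k == ROLLOVER_USAGE for k in keys):
            return ""                          # phantom/rollover report
        shifted = bool(payload[0] & MOD_SHIFT_MASK)
        text = "".join(usage_to_text(k, shifted) for k in keys if k not in self._held)
        self._held = set(keys)
        return text


def decode_stream(payloads):
    """Decode a whole sequence of transfer payloads into the typed text."""
    dec = KeystrokeDecoder()
    return "".join(dec.feed(p) for p in payloads)


IDLE = bytes(8)
# Constructed reports typing "Hi 1!" then Enter, with one repeated poll for a
# held key, a mouse payload and a rollover error report mixed in.
SAMPLE_PAYLOADS = [
    IDLE,
    bytes([0x02, 0, 0x0B, 0, 0, 0, 0, 0]),   # LShift + h -> 'H'
    bytes([0x02, 0, 0x0B, 0, 0, 0, 0, 0]),   # same report again: key still held
    IDLE,
    bytes([0x00, 0, 0x0C, 0, 0, 0, 0, 0]),   # i
    IDLE,
    bytes([0x00, 0, 0x2C, 0, 0, 0, 0, 0]),   # space
    IDLE,
    bytes([0x00, 0, 0x1E, 0, 0, 0, 0, 0]),   # 1
    IDLE,
    bytes([0x20, 0, 0x1E, 0, 0, 0, 0, 0]),   # RShift + 1 -> '!'
    bytes([0x01, 0x00, 0x00, 0x00]),         # 4-byte mouse report: ignored
    bytes([0x00, 0, 1, 1, 1, 1, 1, 1]),      # rollover error: ignored
    IDLE,
    bytes([0x00, 0, 0x28, 0, 0, 0, 0, 0]),   # Enter
    IDLE,
]

if __name__ == "__main__":
    print(repr(decode_stream(SAMPLE_PAYLOADS)))
```

In a live consumer the length check is where the slide's TransferBufferLength filter goes, and the decoder state must be kept per device (per endpoint), since two keyboards on the bus would otherwise mask each other's key-down edges.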
(A DEMO)
Detecting ETW USB Attacks
• Monitor for use
  – Microsoft-Windows-USB-UCX (USB 3)
  – Microsoft-Windows-USB-USBPORT (USB 2)
  – Potential false positives?
• Suspicious ETW sessions
  – No baseline of “trusted sessions”
• Sessions can be overwritten!
  – Everything but real-time sessions
  – Stops the previous session. Not restarted
Detecting ETW USB Attacks (cont.)
• Logman is your friend!
  – List all details for a session
ETW USB Keylogger Limitations
• USB…
  – No laptop support (built-in keyboards are PS/2, not USB)
  – Windows 11?! – Kidding, but who knows?
• Windows 7+
  – Windows 7: USB 2 only
  – USB 3 provider (UCX) not introduced until Windows 8
• Requires admin (UAC)
• Performance issues?
  – “Real-time” filtering and capturing can drop events
  – Haven’t seen this occur in our (limited) testing
IE Info Leak
• Microsoft-Windows-WinINet
  – All data that passes through the WinINet library
    • HTTP and HTTPS
• No need to inject into the browser process
• Works even when the site uses HTTPS
• Most private information exposed
  – URLs visited (recon)
  – Cookies (session hijacking)
  – POST parameters (credential stealing)
• Works on IE, Edge, many Windows 10 apps, and any program using WinINet for HTTP requests
• Similar technique using logman/wevtutil
  – http://securityweekly.com/2012/07/18/post-exploitation-recon-with-e/
  – Requires writing to disk and parsing in separate steps
Windows 10 Store Application Leaks
• Full leaks
  – Plain-text password logged to ETW
• Partial leaks
  – OAuth 2.0 or hashed/encrypted password
  – Still allows hijacking of session cookies/headers
• Affected applications
  – Most, unfortunately
  – Categories: entertainment, financial institutions, Windows Store and other built-in apps, social media, email providers, e-retailers, more…
• No leaks
Out of 15 tested applications: 4 full leaks, 9 partial leaks, 2 no leaks
Microsoft-Windows-WinINet
Event types (available as keywords for filtering, e.g. WININET_KEYWORD_HANDLES)
• Handle events – creation and destruction of HINTERNET handles
• HTTP events – processing of HTTP requests and responses
• Connection events – underlying network operations (TCP, DNS)
• Authentication events
• HTTPS events
• Autoproxy events
• Cookie events
• WININET_KEYWORD_PII_PRESENT – keyword for events of multiple types potentially containing personally identifiable information
Useful event names
• WININET_COOKIE_STORED, Wininet_UsageLogRequest, WININET_HTTP_REQUEST_HANDLE_CREATED, WININET_REQUEST_HEADER, WININET_REQUEST_HEADER_OPTIONAL, WININET_RESPONSE_HEADER
Logging into Gmail [screenshots]
Mitigation (a.k.a. good advice)
• Don’t use IE or Edge – use Chrome, Tor, etc.
• Use a standard (non-admin) user account
  – Leave UAC enabled
  – ETW requires admin
• Only run trusted applications as admin
• Monitor for sessions with the WinINet provider enabled
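The monitoring advice here and in “Detecting ETW USB Attacks” (list a session's details with logman and look for the USB-UCX/USBPORT or WinINet providers) is the same check, so one added Python example covers both; it is not the authors' code. It parses the key/value text that `logman query "<session>" -ets` prints and flags any session that enables a watched provider. The USB provider GUIDs are the ones on the slides; WinINet is matched by name because its GUID is not in the talk. The sample listing is constructed to approximate logman's layout (Name:, File Mode:, Provider:, Provider Guid: lines); compare with a real listing before trusting the field names.

```python
"""Flag ETW trace sessions that enable providers useful to an attacker.

Added example (not the authors' tool). Parses the key/value text printed by
`logman query "<session>" -ets`. The sample output is constructed to
approximate logman's layout; verify against a real listing.
"""
import re

# Provider GUIDs as given on the slides. WinINet is matched by name because
# its GUID does not appear in the talk.
WATCHLIST = {
    "{36DA592D-E43A-4E28-AF6F-4BC57C5A11E8}": "Microsoft-Windows-USB-UCX (USB 3 keystroke capture)",
    "{C88A4EF5-D048-4013-9408-E04B7DB2814A}": "Microsoft-Windows-USB-USBPORT (USB 2 keystroke capture)",
}
WATCHED_NAMES = {"microsoft-windows-wininet": "Microsoft-Windows-WinINet (HTTP/HTTPS snooping)"}

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_sessions(text):
    """Return [{'name', 'realtime', 'providers': [{'name', 'guid'}]}] from logman text.

    A 'Provider:' line opens a provider block; the 'Name:' that follows it is
    the provider name, any other 'Name:' starts a new session.
    """
    sessions, current, provider, in_provider = [], None, None, False
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Provider":
            in_provider = True
            provider = {"name": value, "guid": ""}
            if current is not None:
                current["providers"].append(provider)
        elif key == "Name":
            if in_provider and provider is not None and not provider["name"]:
                provider["name"] = value
            else:
                in_provider = False
                current = {"name": value, "realtime": False, "providers": []}
                sessions.append(current)
        elif key == "Provider Guid" and provider is not None:
            provider["guid"] = value.upper()
        elif key == "File Mode" and current is not None:
            current["realtime"] = "real-time" in value.lower()
    return sessions


def flag_sessions(sessions):
    """Map session name -> reasons, for every session enabling a watched provider."""
    findings = {}
    for s in sessions:
        reasons = []
        for p in s["providers"]:
            why = WATCHLIST.get(p["guid"]) or WATCHED_NAMES.get(p["name"].lower())
            if why:
                # Real-time mode means a consumer is reading events as they happen
                # (the keylogger/snooper case); file mode means an .etl on disk.
                mode = "live consumer" if s["realtime"] else "logging to file"
                reasons.append(f"{why}; {mode}")
        if reasons:
            findings[s["name"]] = reasons
    return findings


# Constructed listing: the kernel logger (benign) and a session that enables
# the USB 3 provider plus WinINet, as the red-team slides describe.
SAMPLE_LOGMAN_OUTPUT = """
Name:                 NT Kernel Logger
Status:               Running
File Mode:            Real-time

Provider:
Name:                 Windows Kernel Trace
Provider Guid:        {9E814AAD-3204-11D2-9A82-006008A86939}
Level:                0

Name:                 UpdateTrace
Status:               Running
File Mode:            Real-time

Provider:
Name:                 Microsoft-Windows-USB-UCX
Provider Guid:        {36da592d-e43a-4e28-af6f-4bc57c5a11e8}
Level:                5

Provider:
Name:                 Microsoft-Windows-WinINet
Level:                5
"""

if __name__ == "__main__":
    for name, reasons in flag_sessions(parse_sessions(SAMPLE_LOGMAN_OUTPUT)).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it over `logman query -ets` output for every running session; the slides' point is that there is no built-in baseline, so the watchlist is the baseline you maintain, and a session with one of these providers in real-time mode deserves a look at which process owns the consumer.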
“When using message tracing feature, messages carrying sensitive information such as credentials, personal information, etc. may be persisted to the disk or be viewed by anyone who has access to the system event viewer. As a mitigation to this issue, tracing can be enabled by System or Administrator users on Windows 2003 and later.” ~MSDN
Thanks for coming!
Special thanks to – Ruxcon – Chris Spencer – Stan Chua – John Eiben – Mark McLarnon – Andre Protas
Questions?
Blog: www.cyberpointllc.com/srt
Twitter: @CyberPoint_SRT
Code from our demos/research: github.com/CyberPoint/Ruxcon2016ETW
References
MSDN Event Tracing • https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803(v=vs.85).aspx
USB Device Class Definition for Human Interface Devices (HID) • http://www.usb.org/developers/hidpage/Hut1_12v2.pd
USB traces with Microsoft Message Analyzer • https://msdn.microsoft.com/en-us/library/windows/hardware/dn741264(v=vs.85).aspx
Viewing/capturing USB data • http://www.usblyzer.com/ • https://www.microsoft.com/en-us/download/details.aspx?id=44226
USB/URB • http://www.beyondlogic.org/usbnutshell/usb5.shtml • https://msdn.microsoft.com/en-us/library/windows/hardware/ff538930(v=vs.85).aspx
Ransomware samples • https://www.virustotal.com/ • https://cyberpointllc.com/products/darkpoint/index.html
Xperf Basics: Recording a Trace (the easy way) • https://randomascii.wordpress.com/2013/04/20/xperf-basics-recording-a-trace-the-easy-way/
SSL Sidejacking • http://wiki.securityweekly.com/wiki/index.php/Episode300