Windows Event Forwarding & .ETL (ETW)

What’s so useful about ETL (ETW)? 

One of the most useful (.etl) log files is WMI-Activity/Trace. It is an Event Tracing for Windows (ETW) log which is written to a ‘.etl’ file. The information inside this log can be extremely useful to anyone wishing to monitor WMI, as it records each query, new class, consumer, etc. We touched on this in our recent talk at Bloomcon (https://youtu.be/H3t_kHQG1Js?t=99).
Note: monitor this blog for a future post just about WMI events.

What’s the problem? 

Unfortunately, WEF (Windows Event Forwarding) and many other event forwarding solutions cannot subscribe directly to ‘.etl’ files. However, the ‘.etl’ file can be read and its events converted into a channel that WEF can subscribe to. To help facilitate this, I wrote a PowerShell script, which is available on GitHub (https://github.com/acalarch/ETL-to-EVTX). Use at your own risk 😅!

The script in action!

In summary, the script queries whatever (.etl) file you give it every 15 seconds and writes those events to a new channel. It can do this for any (.etl) file; you just have to configure it to do so.

To prepare your .etl file for the script, all you have to do is change some of the channel options. Getting an error in Windows Event Viewer after you make these changes is normal: it doesn't like displaying an ETL channel set to "overwrite events as needed".

Settings for the ETL file/channel.

Other Solutions

My solution is kind of a poor-man’s solution to this problem. Here are some more:

You can read more about ETW here:

You can read a whole lot more about WEF and Windows Events by reading our slide deck or watching our talk:



Malicious [.reg] Files

The Problem

Criminals and red teams have been known to use .hta, .vbs, .vbe, .js, .jse, .html, .bat and .cmd files to break into a computer or network. However, you don't hear much about [.reg] files, which RegEdit interprets to make changes to the registry. On a default installation of Windows, a user does not need admin privileges to add values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. So, if a user receives an email and is tricked into running a [.reg] file, they could be adding an 'evil' run key. Currently, Gmail does not block these files by default. You may want to check your email provider / gateway!
Here is an example of what a malicious [.reg] file might look like; this one just launches calc.
"Malicious" reg file: adds a run key that launches calc.exe via mshta.exe when the victim logs in.


You can monitor this activity with Windows Event ID 4688 where the command line in the event contains "regedit.exe" and ends with ".reg". Additionally, you can always monitor run keys by enabling the "object access" audit policy or by using a tool such as Sysmon. You should also monitor processes created by mshta, wscript, cscript, regsvr32.exe and scrobj.dll, as these (an incomplete list, I'm sure) can be used to create persistence in run keys.

Adam Swan / @acalarch
Nate Guagenti / @neu5ron


VBA Obfuscation and Macro Obfuscation

Visual Basic Obfuscation via Line Continuation

Be careful when writing YARA signatures for Microsoft Office macros. A simple technique used to bypass detection of “Sub document_open()”, for instance, is to break it up with the VBA line continuation character “_” (underscore).

We’ve seen this break a few Office malware signatures, so you may wish to check your vendor.

If your vendor is only looking for "document_open" or the equivalent VBA auto-open name, you will be OK. However, if your vendor is looking for the surrounding parentheses or the preceding "Sub", you may want to double check.

Below are three examples:

Example 1: split among 3 lines

Example 2: split among several lines

Example 3: VirtualProtect (commonly used when executing shellcode) being imported from Kernel32, split among several lines

# Yara Rule
rule VBALineContinuationObfuscation
{
    meta:
        Author = "@acalarch, @neu5ron"
        Description = "Identifies potential VBA Obfuscation via empty line continuation, must provide yara an uncompressed vba project"
    strings:
        $a = {20 5F 0D 0A 20 5F 0D 0A}
    condition:
        $a
}
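As an added example (not code from the original post), the Python below shows why a one-line signature for the auto-open declaration misses the split version, how joining VBA line continuations before matching restores the hit, and the same byte pattern the YARA rule above looks for; the VBA module text is constructed for the demo and, as the rule's description says, is the uncompressed VBA source.

```python
import re

# Constructed sample of an uncompressed VBA module whose "Sub document_open()"
# is split with the line-continuation trick: " _" + CRLF, including empty lines.
OBFUSCATED_VBA = (
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b"Sub _\r\n"
    b" _\r\n"
    b" _\r\n"
    b"document_open()\r\n"
    b'    MsgBox "hi"\r\n'
    b"End Sub\r\n"
)

# Constructed benign module: a normal one-line declaration and a legitimate
# (non-empty) continuation, which must not trigger the empty-continuation check.
PLAIN_VBA = (
    b"Sub document_open()\r\n"
    b'    s = "a" & _\r\n'
    b'        "b"\r\n'
    b"End Sub\r\n"
)

# Naive signature: expects "Sub", whitespace, "document_open(" on one logical line.
NAIVE_SIG = re.compile(rb"sub\s+document_open\s*\(", re.IGNORECASE)

# Same bytes as the YARA hex string {20 5F 0D 0A 20 5F 0D 0A}: " _\r\n _\r\n".
EMPTY_CONTINUATION = b" _\r\n _\r\n"


def normalize_vba(src: bytes) -> bytes:
    """Join VBA line continuations (whitespace, "_", line break) into a single
    space so a statement spread over several physical lines becomes one line."""
    return re.sub(rb"[ \t]+_\r?\n", b" ", src)


def naive_match(src: bytes) -> bool:
    """Signature applied to the raw source: bypassed by the split declaration."""
    return NAIVE_SIG.search(src) is not None


def robust_match(src: bytes) -> bool:
    """Signature applied after normalization: finds the split declaration."""
    return NAIVE_SIG.search(normalize_vba(src)) is not None


def has_empty_continuation(src: bytes) -> bool:
    """Equivalent of the YARA rule: two consecutive empty continuation lines."""
    return EMPTY_CONTINUATION in src
```

Extracting the uncompressed VBA from an Office document (the MS-OVBA compressed stream) is a separate step that has to happen before either check runs.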


Adam Swan / @acalarch
Nate Guagenti / @neu5ron