The NSA and other cyber-criminals use a tool to remove entries from Windows' event log - but there's a way to recover them

[Delicieuxz]

Detection and recovery of NSA’s covered up tracks

 

Quote

 

Part of the NSA cyber weapon framework DanderSpritz is eventlogedit, a piece of software capable of removing individual lines from Windows Event Log files. Now that this tool is leaked and public, any criminal willing to remove its traces on a hacked computer can use it. Fox-IT has looked at the software and found a unique way to detect the use of it and to recover the removed event log entries.

 

Introduction

 

A group known as The Shadow Brokers published a collection of software, which allegedly was part of the cyber weapon arsenal of the NSA. Part of the published software was the exploitation framework FuzzBunch and post-exploitation framework DanderSpritz. DanderSpritz is a full-blown command and control server, or listening post in NSA terms. It can be used to stealthy perform various actions on hacked computers, like finding and exfiltrating data or move laterally through the target network. Its GUI is built on Java and contains plugins written in Python. The plugins contain functionality in the framework to perform specific actions on the target machine. One specific plugin in DanderSpritz caught the eye of the Forensics & Incident Response team at Fox-IT: eventlogedit.

 

 

...

 

 

Recovering removed records

 

As eventlogedit leaves the removed record and record header in its original state, their content can be recovered. This allows the full recovery of all the data that was originally in the record, including record number, event id, timestamps, and event message.

 

Fox-IT’s Forensics & Incident Response department has created a Python script that finds and exports any removed event log records from an event log file. This script also works in the scenario when consecutive event records have been removed, when the first record of the file is removed, or the first record of a chunk is removed. In Figure 4 an example is shown.

 

 

We have decided to open source the script. It can be found on our GitHub and works like this:

 

 

...

 

 

Recommendations

 

To detect if the NSA or someone else has used this to cover up his tracks using the eventlogedit tool on your systems, it is recommended to use the script on event log files from your Windows servers and computers. As the NSA very likely changed their tools after the leaks, it might be farfetched to detect their current operations with this script. But you might find traces of it in older event log files. It is recommended to run the script on archived event log files from back-ups or central log servers.

 

If you find traces of eventlogedit, and would like assistance in analysis and remediation for a possible breach, feel free to contact us. Our Forensics & Incident Response department during business hours or FoxCERT 24/7.

Wouter Jansen

Fox-IT Forensics & Incident Response

 

 

It's certainly good that people are finding ways to expose and sometimes counter the NSA's cyber-crime. But at the same time, I wonder if the NSA and other cyber-criminals might just make tools to deal with these deeper layers of records. Hopefully, increased awareness will result in more grassroots efforts designed to protect people against the NSA and other cyber-criminals.

 

It might be in the interest of anyone doing IT for a big business to check to see if any Windows Event Log entries have been tampered with.

[PlayStation 2]

For each thing the NSA does, someone will have a way to go around it.

That is, until we either reach a breaking point or the end of the tunnel.

[Guest]

Good thing I have a mac so it can't be hacked by the NSA.

[InertiaSelling]

26 minutes ago, Delicieuxz said:

The NSA and other cyber-criminals

Now that's an accurate title.

[mr moose]

It's just more evidence that humanity is digging itself a very deep hole in the name of "security".  I need a new term for the point at which the security (or any digital product) measures and counter measures are so convoluted and deep that it begins to become hard to separate, intent from cause and legitimacy.  It's like an event horizon where the poes law of digital forensics comes into its own.

[TidaLWaveZ]

Every day the tinfoil hat becomes more fashionable.

[ItsMitch]

NSA and cybercriminals in the same sentence 

[2FA]

1 hour ago, TidaLWaveZ said:

Every day the tinfoil hat becomes more fashionable.

I prefer lead foil, blocks more NSA signals.

[leadeater]

4 hours ago, Delicieuxz said:

It might be in the interest of anyone doing IT for a big business to check to see if any Windows Event Log entries have been tampered with.

I'd check but it'll detect the event log entries I've also deleted myself lol. We do real time event log collection and hand off to two different analysis tools anyway and tampering with that is much harder.

 

Smaller/medium sized business wouldn't have this type of thing in place so they should be the most concerned about this.

[TidaLWaveZ]

1 hour ago, DeadEyePsycho said:

I prefer lead foil, blocks more NSA signals.

I prefer dramatic foil, it has a more classic intellectual feel.

[captain_to_fire]

2 hours ago, leadeater said:

I'd check but it'll detect the event log entries I've also deleted myself lol. We do real time event log collection and hand off to two different analysis tools anyway and tampering with that is much harder.

 

Smaller/medium sized business wouldn't have this type of thing in place so they should be the most concerned about this.

Can I use Event Viewer to do that? 

[leadeater]

5 minutes ago, hey_yo_ said:

Can I use Event Viewer to do that? 

You can configure event forwarding or use a free analytics tool like Greylog.

[captain_to_fire]

Just now, leadeater said:

You can configure event forwarding or use a free analytics tool like Greylog.

Thank you. I thought the built in Event Viewer in Windows can do that. 

[8uhbbhu8]

2 hours ago, leadeater said:

I'd check but it'll detect the event log entries I've also deleted myself lol. 

 

 

Oh? Telling us something @leadeater?  

17 minutes ago, leadeater said:

You can configure event forwarding or use a free analytics tool like Greylog.

huh never done that before. May try it someday  

[leadeater]

6 minutes ago, 8uhbbhu8 said:

Oh? Telling us something @leadeater?  

How to make a change without an RFC.. what change? I see no change... 

[8uhbbhu8]

1 minute ago, leadeater said:

How to make a change without an RFC.. what change? I see no change... 

ah. So sometimes small changes or changes that would really be a pain to explain and just waste time and money can effectively never have happened  But... How does the deletion work if the collection happened in real time as you noted? You'd have to delete those as well then?

[leadeater]

6 minutes ago, 8uhbbhu8 said:

ah. So sometimes small changes or changes that would really be a pain to explain and just waste time and money can effectively never have happened  But... How does the deletion work if the collection happened in real time as you noted? You'd have to delete those as well then?

Kung Fu Ninja never reveals his secrets 

Disable the logging services

[8uhbbhu8]

2 minutes ago, leadeater said:

Kung Fu Ninja never reveals his secrets 

Disable the logging services

ah.. right!!  Why didn't I think of that?!!! The I.T. in me is utterly ashamed......

[Linus_torvalds]

10 hours ago, RorzNZ said:

Good thing I have a mac so it can't be hacked by the NSA.

LOL apple is friends with NSA.

Other then that no one needs to hack a mac. It's already hacked did you see it's bug when it allows root user without password?

LOL macOS is the worst OS ever existed.

[Nicnac]

Didn't know they use python scripts for these attacks as well. Thought it was always more of a data analysis and scientific language. Proves it's true versatility I guess. 

[Matu20]

Naughty NSA, naughty.