inversecos Profile picture
Apr 6 • 10 tweets • 5 min read
1\ #DefenceEvasion Technique: Maliciously Modifying Registry Timestamps 👿👀

This technique doesn't log events in the Security.evtx and is almost trivial to perform as a defence evasion technique...

Read my blog for technique + detection:
bit.ly/3r7jfuO

TL;DR 👇👇
2\ Why should you care?

During an IR, registry timestamps are important evidence items for timelining & triaging an incident. They answer questions like...

> What files did the TAs open?
> When was a security tool disabled?
> What folders were the TAs looking at?
> etc...
3\ The native API "NtSetInformationKey" specifically allows a TA to overwrite a registry "Last Write" timestamp in an extremely trivial manner.

Passing the value KEY_WRITE_TIME_INFORMATION in the KEY_SET_INFORMATION_CLASS param is what performs this.

undocumented.ntinternals.net/UserMode/Undoc…
4\ When I was performing research into this, I found a PoC written by Joakim Schicht using this specific API to perform the timestomping action.

He also calls the API NtFlushKey to make the change immediately on disk.

github.com/jschicht/SetRe…
5\ Here is an example of this attack:
Pic 1: Pre-timestomped RUN key
Pic 2: Me running Joakim's tool
Pic 3: The timestomped registry key
6\ Detection Method 1: Windows EVTX
Event IDs 4656, 4757, 4660, 4663 do NOT detect this.

Look at ID 4657 - this event won't generate because it alerts on a change to a registry VALUE, not the registry TIMESTAMP. This means enabling registry auditing won't detect this technique.
7\ Detection Method 2: Reg Discrepancies

For nested keys, the parent key's timestamp reflects the most recently written subkey. Unless every timestamp in the tree is timestomped, the time discrepancy between parent and subkeys is visible.

NOTE: This detection WON'T work for keys with no subkeys.
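An added example (not from the thread or the blog) encoding this parent-vs-subkey heuristic over an offline key tree. The key paths and timestamps are constructed; in practice the tree would come from a parsed hive. A deleted subkey or a value written on the parent itself also moves the parent's timestamp, so hits are leads, not proof.

```python
from datetime import datetime, timezone

# Constructed sample: {key path: (LastWrite UTC, [subkey paths])}.
# "Evil\Persist" has been pushed back to 2019 while its parent still shows the real write time.
SAMPLE_KEYS = {
    r"HKLM\SOFTWARE\Vendor": (datetime(2022, 3, 30, 14, 5, tzinfo=timezone.utc),
                              [r"HKLM\SOFTWARE\Vendor\Agent", r"HKLM\SOFTWARE\Vendor\Updater"]),
    r"HKLM\SOFTWARE\Vendor\Agent": (datetime(2022, 3, 30, 14, 5, tzinfo=timezone.utc), []),
    r"HKLM\SOFTWARE\Vendor\Updater": (datetime(2021, 11, 2, 9, 0, tzinfo=timezone.utc), []),
    r"HKLM\SOFTWARE\Evil": (datetime(2022, 4, 1, 3, 12, tzinfo=timezone.utc),
                            [r"HKLM\SOFTWARE\Evil\Persist"]),
    r"HKLM\SOFTWARE\Evil\Persist": (datetime(2019, 6, 5, 8, 0, tzinfo=timezone.utc), []),
}


def find_discrepancies(keys, tolerance_seconds=1):
    """Flag parent keys whose LastWrite is newer than every one of their subkeys.

    Under the thread's heuristic the parent should track its most recently written
    subkey, so a parent with no subkey near its own timestamp is suspicious.
    Keys without subkeys are skipped: the heuristic cannot apply to them.
    Returns (parent path, parent LastWrite, newest subkey LastWrite, gap in seconds).
    """
    hits = []
    for path, (parent_ts, subkeys) in keys.items():
        if not subkeys:
            continue
        newest_sub = max(keys[sub][0] for sub in subkeys)
        gap = (parent_ts - newest_sub).total_seconds()
        if gap > tolerance_seconds:
            hits.append((path, parent_ts, newest_sub, gap))
    return hits


if __name__ == "__main__":
    for path, parent_ts, newest_sub, gap in find_discrepancies(SAMPLE_KEYS):
        print(f"{path}: parent {parent_ts:%Y-%m-%d %H:%M} vs newest subkey "
              f"{newest_sub:%Y-%m-%d %H:%M} ({gap / 86400:.0f} days apart)")
```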
8\ Detection Method 3: EDR

Running through procmon, one entry stood out which is the high-fidelity detection for this technique. You can see the KeySetInformationClass param from the "NtSetInformationKey" being used to write to a timestamp.

This is NOT normal behaviour!!
9\ I would finally detect on the use of the following APIs in conjunction:

NtCreateKey
NtOpenKey
NtEnumerateKey
NtSetInformationKey
NtQueryKey
NtFlushKey
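An added example (not the thread's or Joakim's code) that runs both detections above over a Procmon-style CSV export: the high-fidelity RegSetInfoKey entry carrying KeyWriteTimeInformation, and the open / set-info / flush sequence from the same PID. The CSV rows, process names and the exact wording of the Detail column are constructed assumptions; real exports should be checked against your Procmon version.

```python
import csv
import io

# Constructed Procmon-style export. PID 812 is benign noise; PID 4412 stomps the Run key.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","svchost.exe","812","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:02.0002","svchost.exe","812","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ, Length: 20, Data: Windows 10 Pro"
"10:01:05.1000","stomp.exe","4412","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Write"
"10:01:05.1001","stomp.exe","4412","RegSetInfoKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","KeySetInformationClass: KeyWriteTimeInformation, Length: 8"
"10:01:05.1002","stomp.exe","4412","RegFlushKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS",""
"""

# Procmon's names for the native calls the thread lists (NtOpenKey / NtSetInformationKey / NtFlushKey).
WRITE_TIME_OP, WRITE_TIME_CLASS = "RegSetInfoKey", "KeyWriteTimeInformation"
SEQUENCE = ["RegOpenKey", "RegSetInfoKey", "RegFlushKey"]


def is_subsequence(pattern, ops):
    """True if every element of `pattern` appears in `ops`, in order (gaps allowed)."""
    it = iter(ops)
    return all(any(op == wanted for op in it) for wanted in pattern)


def detect(csv_text):
    """Return alerts as (rule, pid, process name, path-or-None) tuples."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    alerts, ops_by_pid, name_by_pid = [], {}, {}
    for r in rows:
        ops_by_pid.setdefault(r["PID"], []).append(r["Operation"])
        name_by_pid[r["PID"]] = r["Process Name"]
        # Rule 1: any call that rewrites a key's LastWrite time is an alert on its own.
        if r["Operation"] == WRITE_TIME_OP and WRITE_TIME_CLASS in r["Detail"]:
            alerts.append(("write-time-set", r["PID"], r["Process Name"], r["Path"]))
    # Rule 2: the open -> set-info -> flush sequence from one process, as in the PoC.
    for pid, ops in ops_by_pid.items():
        if is_subsequence(SEQUENCE, ops):
            alerts.append(("open-setinfo-flush-sequence", pid, name_by_pid[pid], None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_CSV):
        print(alert)
```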
10\ Finally, just an observation of mine... IR analysts are taught to look for timestomping of files by comparing $standard_information vs $filename. But there isn't a straightforward method of finding registry timestomping, as it isn't as simple as parsing out MFT timestamps.
