Dray Agha
May 18 · 33 tweets · 15 min read
Inspired by a SANS poster, I wanted to look at a couple of security solutions and see if their logs provided any key insights an analyst could leverage.

sans.org/posters/window…
The scenario: given only the product's raw data and logs taken off the host, does security solution X leave behind anything of security value that would help our investigation?

This is a specific use case, I know. But it's something I find myself needing every day at work.
Our conversation is about a singular machine, and the transparency, ease-of-access, and security-value of the logs and raw data of various security solutions. We’ll be staying in Windows world for this particular thread.

In our scenario, we have no GUI access to the AV.
We're not talking about the effectiveness of a solution.

We're only taking a look at one very specific thing about it: the security value of the raw data it leaves behind in some kind of retrievable file.
Lots of gaps in the data collected, so please contribute and correct where necessary.

Not numbered in any particular order!

Okay let’s go!
Windows Defender

Path : C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx

Defender is a good standard. It tells you the trigger time, the offending file, the parent process, and snitches on the user account responsible.
The categorisation near the top is hit and miss though. And good lord, AMSI alerts are useless. TELL ME the PowerShell that was malicious?! Don’t make me go and pull the PowerShell Operational log?!
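An added example of doing exactly that join without the GUI (my code, not from the thread): pull Defender's 1116/1117 detection events and, for any AMSI-sourced detection, print the 4104 script blocks the PowerShell Operational log recorded in a window around it. It runs either against a folder of exported .evtx files (-EvtxDir) or against the live host, and assumes script block logging was enabled, that you are elevated, and that AMSI detections report a Path beginning "amsi:" (an observed convention treated here as an assumption). The 30-second window is arbitrary.

```powershell
# Added example, not code from the thread. Pulls Defender detection events and, for
# AMSI-sourced ones, the PowerShell script blocks logged around the same time.
# Works against exported .evtx files (-EvtxDir) or the live host (run elevated).
# Assumes script block logging (event 4104) was enabled; the 30 s window is arbitrary.
param(
    [string]$EvtxDir,
    [int]$WindowSeconds = 30,
    [int]$MaxDetections = 50
)

function Get-Filter([string]$Channel, [int[]]$Ids) {
    # Build a Get-WinEvent -FilterHashtable for a channel, from disk or from the live log.
    $f = @{ Id = $Ids }
    if ($EvtxDir) {
        # Exported files carry %4 where the channel name has a "/".
        $f.Path = Join-Path $EvtxDir (($Channel -replace '/', '%4') + '.evtx')
    } else {
        $f.LogName = $Channel
    }
    $f
}

# Windows Defender Operational: 1116 = threat detected, 1117 = action taken.
$detections = Get-WinEvent -FilterHashtable (Get-Filter 'Microsoft-Windows-Windows Defender/Operational' @(1116, 1117)) `
    -MaxEvents $MaxDetections -ErrorAction SilentlyContinue

foreach ($d in $detections) {
    # EventData fields are named in the XML ("Threat Name", "Path", "Process Name", "Detection User").
    $x = [xml]$d.ToXml()
    $data = @{}
    foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time    = $d.TimeCreated
        Id      = $d.Id
        Threat  = $data['Threat Name']
        Path    = $data['Path']
        Process = $data['Process Name']
        User    = $data['Detection User']
    } | Format-List | Out-String

    # AMSI detections report a Path starting "amsi:" rather than "file:" (assumption, see lead-in).
    # Only those need the PowerShell log.
    if ($data['Path'] -like 'amsi:*') {
        $f = Get-Filter 'Microsoft-Windows-PowerShell/Operational' @(4104)
        $f.StartTime = $d.TimeCreated.AddSeconds(-$WindowSeconds)
        $f.EndTime   = $d.TimeCreated.AddSeconds($WindowSeconds)
        $blocks = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue

        foreach ($b in $blocks) {
            # 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
            "--- 4104 at {0} (ScriptBlockId {1}) ---" -f $b.TimeCreated, $b.Properties[3].Value
            $b.Properties[2].Value
        }
    }
}
```

Long scripts are split across several 4104 events sharing one ScriptBlockId, so expect to stitch those back together; if nothing comes back for a detection, check that the 4104 channel was actually collected, because without script block logging the Defender event is all you get.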
Bitdefender:

Paths:
C:\ProgramData\Bitdefender\Endpoint Security\Logs\
C:\ProgramData\Bitdefender\Desktop\Profiles\Logs\
C:\Program Files*\Bitdefender\*\.db
C:\Program Files\Bitdefender\Endpoint Security\Logs\system\*\*.xml
C:\ProgramData\Bitdefender\Endpoint Security\Logs\Firewall\*.txt

Provides good general context; a good all-rounder.
Carbon Black

Paths:
C:\ProgramData\CarbonBlack\Logs\*.log
C:\ProgramData\CarbonBlack\Logs\AmsiEvents.log

AmsiEvents.log gives the PowerShell detail behind an AMSI alert, which is REALLY useful for an investigation.
Cisco AMP

Path: C:\Program Files\Cisco\AMP\*.db

A wonderful database to read, with a tonne of security value.

There is some .ETL data too, but it is diagnostic only.
CrowdStrike Falcon

Path: C:\windows\System32\winevt\Logs\

Tried really hard, but could only find diagnostic info. I’d be grateful for some pointers here.
Cybereason

Paths:
C:\ProgramData\crs1\*.txt
C:\ProgramData\crs1\Logs

Tried really hard to find something valuable, but could only find stuff pertaining to diagnostics.

Would be grateful if someone pointed out what I couldn’t find.
Cylance / Blackberry

Paths:
C:\ProgramData\Cylance\Desktop
C:\Program Files\Cylance\Desktop\log\* log
C:\ProgramData\Cylance\Desktop\chp.db
C:\ProgramData\Cylance\Optics\Log

You could do a thorough investigation from their data and get good insight into what happened.
Deep Instinct

Path: C:\ProgramData\DeepInstinct\Logs\*.etl

Other than esoteric diagnostics, couldn't find anything of security value. I’d be grateful if anyone could contribute to improve on this.
Elastic Endpoint Security

Path: C:\Program Files\Elastic\Endpoint\state\log

One big log, which includes great security insight.
ESET:

Path: C:\ProgramData\ESET\ESET Security\Logs\virlog.dat

Requires a parser, but once you get the data it’s good, detailed stuff.

github.com/laciKE/EsetLog…
FireEye Endpoint Security

Path: C:\ProgramData\FireEye\xagt\*.db

Databases were encrypted. I didn’t want to root around and find an encryption key packed into a binary.

You can get logs via the command ‘xagt -g example_log.txt’.

But this requires an interactive session on the machine.
F-Secure

Paths:
C:\Users\*\AppData\Local\F-Secure\Log\*\*.log
C:\ProgramData\F-Secure\Antivirus\ScheduledScanReports\
C:\ProgramData\F-Secure\EventHistory\event

Straightforward to read, good security value, but a lot of diagnostic logs.
Kaspersky

Path: C:\Windows\system32\winevt\logs

The EVTX has great security value, similar to Defender’s format.
Malwarebytes

Paths:
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml
C:\ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log
C:\Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs\
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\
More than enough data to work with. But you do have to bounce between multiple log sources to piece the information together.
McAfee

Paths:

C:\ProgramData\McAfee\Endpoint Security\Logs\*.log
C:\ProgramData\McAfee\Endpoint Security\Logs_Old\*
C:\ProgramData\Mcafee\VirusScan\*
C:\ProgramData\McAfee\VirusScan\Quarantine\quarantine\*.db
C:\ProgramData\McAfee\DesktopProtection\*.txt
Great data. A bit inconsistent across products, but I forgive that due to the transparency and security value in the logs.
Palo Alto Networks XDR

Path: C:\ProgramData\Cyvera\Logs\*.log

Great security value in the various logs, and easy to read.
SentinelOne

Paths:
C:\programdata\sentinel\logs\*.log, *.txt
C:\windows\System32\winevt\Logs\SentinelOne*.evtx
C:\ProgramData\Sentinel\Quarantine

Sometimes there is security data in the EVTXs!

Tried hard to parse the .BINLOG files but couldn't. Hope someone can educate me here.
Sophos:

Paths:
C:\ProgramData\Sophos\Sophos Anti-Virus\logs\*.txt
C:\ProgramData\Sophos\Endpoint Defense\Logs\*.txt

Great logs: verbose and granular, full of security value.

The events Sophos writes to the Application EVTX can also be parsed with Chainsaw.
Symantec

Paths:
C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\
C:\Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\
C:\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx
C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\

All the logs are good, with a mixture of diagnostic and security value.
Trend Micro

Paths:
C:\ProgramData\Trend Micro\
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\
C:\Program Files*\Trend Micro\Security Agent\Report\*.log
C:\Program Files*\Trend Micro\Security Agent\ConnLog\*.log

Transparent, well laid out, good security value.
Webroot

Path: C:\ProgramData\WRData\WRLog.log

Good security value and straightforward to read. There were some DBs, but they looked encrypted.
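Since the whole point of the thread is working from these files rather than the GUI, here is an added example (my code, not from the thread) that collects the artefact paths listed above off a live host into a triage folder, hashes each file for a manifest, and exports the event log channels with wevtutil rather than copying live .evtx files. The destination folder, the trimmed glob list and the channel list are this example's own choices; extend the list with the other paths above as you need them.

```powershell
# Added example, not code from the thread. Copies the AV/EDR artefact paths listed
# above off a live host into a triage folder with a hashed manifest, and exports the
# event log channels with wevtutil (copying a live .evtx can fail). Run elevated.
# The destination, the trimmed glob list and the channel list are this example's choices.
param(
    [string]$Destination = "C:\Triage\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

# Globs taken from the thread (trimmed; add the rest of the paths above as needed).
# Get-ChildItem expands wildcards in any path component, e.g. "Program Files*" and "Users\*".
$ArtefactGlobs = @(
    'C:\ProgramData\Bitdefender\Endpoint Security\Logs\*',
    'C:\ProgramData\CarbonBlack\Logs\*.log',
    'C:\Program Files\Cisco\AMP\*.db',
    'C:\ProgramData\Cylance\Desktop\chp.db',
    'C:\ProgramData\Cylance\Optics\Log',
    'C:\Program Files\Elastic\Endpoint\state\log',
    'C:\ProgramData\ESET\ESET Security\Logs\virlog.dat',
    'C:\Users\*\AppData\Local\F-Secure\Log\*\*.log',
    'C:\ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log',
    'C:\ProgramData\McAfee\Endpoint Security\Logs\*.log',
    'C:\ProgramData\Cyvera\Logs\*.log',
    'C:\ProgramData\Sentinel\Logs\*',
    'C:\ProgramData\Sophos\Endpoint Defense\Logs\*.txt',
    'C:\Program Files*\Trend Micro\Security Agent\Report\*.log',
    'C:\ProgramData\WRData\WRLog.log'
)

# Channels exported via the Event Log service rather than copied from winevt\Logs.
$Channels = @(
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-PowerShell/Operational',
    'Application'
)

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

$collected = foreach ($glob in $ArtefactGlobs) {
    Get-ChildItem -Path $glob -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file   = $_
        # Keep the source layout under the triage folder, minus the drive letter.
        $target = Join-Path $Destination ($file.FullName -replace '^[A-Za-z]:\\', '')
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        # Hash the source before copying so the manifest records what was on the host.
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        try {
            Copy-Item -LiteralPath $file.FullName -Destination $target -Force -ErrorAction Stop
            $status = 'copied'
        } catch {
            # Open database handles (several vendors' .db files) end up here; note it, don't abort.
            $status = "failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Source = $file.FullName; Bytes = $file.Length; SHA256 = $hash; Status = $status }
    }
}

foreach ($ch in $Channels) {
    # Mirror the on-disk naming convention: "/" in the channel name becomes %4.
    $out = Join-Path $Destination (($ch -replace '/', '%4') + '.evtx')
    & wevtutil.exe epl $ch $out
}

$manifest = Join-Path $Destination 'manifest.csv'
$collected | Export-Csv -Path $manifest -NoTypeInformation
"Collected $(@($collected).Count) files and $($Channels.Count) channels into $Destination"
```

The Status column in the manifest is where the thread's "couldn't read it" cases surface: a database a vendor keeps open will fail to copy, and that is worth knowing before you spend time looking for an encryption key. Bear in mind the quarantine directories listed above will pull defanged malware onto your analysis box, so the AV there may react to the copy.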
By the way

You may encounter quarantined malware in some of the directories above.

Try this script to undo the vendor's quarantine encoding, which defangs the sample, and turn it back into something executable and analysable. Do that on an isolated analysis box, since the output is live malware again.

hexacorn.com/d/DeXRAY.pl
That's all I've got for you!

You can follow my blue team notes for more defensive security tips : github.com/Purp1eW0lf/Blu…

There’s so much more to contribute and correct for this thread, I look forward to how this conversation develops.
