Project 7 ‐ ETW Lab - jacobwilliams100/sec-440 GitHub Wiki

Part #1 – Record & Analyze ETW Sessions using WPR and WPA

Installing Windows Assessment and Deployment Kit (includes WPR and WPA)

image

We will leave most settings default

image

You should now be able to open WPR from the start menu

image

If you get this error message, click OK and proceed.

image

On this page, we must enable File I/O Activity because that is the kind of action we want to track.

image

Then press Start.

We then open notepad and enter some text...

image

and save it in the ETW folder on Desktop

image

We add some more text and save

image

and close notepad.

Back on the recorder, we click Save.

image

We will put the ETL file in the same location for now.

image

It will take a moment to save. When it does, click "Open in WPA".

image

From here, we can begin analyzing the recording.

image

Deliverable #1: Finding Notepad and File Created using WPA

To find the action where I saved ETWLAB.txt, I first went to the file I/O section (count by process) and ran a search for the full directory path of ETWLAB.txt and then started looking at the ones under the notepad.exe tab. Under the "write" event type, I found two events that I believe match the create and write processes that correspond to our actions with the ETWLAB.txt file.

image

Part #2 – Analyzing Traces using PerfView

Downloading PerfView

image

Running PerfView

image

We open the .etl file (I created a new capture because I was having trouble with the previous one)

image

If we go to Processes / Files / Registry Stacks and open the Name tab, we can find notepad.exe.

Deliverable #2: Finding Notepad and File Created using PerfView

Finding the notepad process was easy because there were not very many, and I could simply find it in the relatively short list on the Processes / Files / Registry Stacks page by going to the "By Name" tab to sort them; it happened to be towards the top.

image

To find the save operations for ETWLab2.txt, I went to the Events window, and entered "notepad" as the process filter, the filename "ETWLAB2" as the text filter, and Windows Kernel/FileIO/Write as the Event Type filter to find these two actions which seem to correspond to the two times I saved text to ETWLab2.txt.

image

image

Part #3 – Tracing Windows Events using Logman

(no installation needed, comes with Windows)

Starting admin command prompt

image

Create a list of log providers with logman query providers

The resulting list is too long to make effective use of

image

Let's query only the Microsoft-Windows-Kernel-Process using logman query providers Microsoft-Windows-Kernel-Process

image

This GUID is the one we are looking for...

We can get this provider via the GUID as well

logman query providers "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"

image

Let's find the PowerShell provider with logman query providers | Select-String Powershell (we need to switch to an admin PowerShell for this)

image

Back in admin command prompt, we will query this GUID with logman query providers "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"

Deliverable #3 - Submit a screenshot of the PowerShell provider output you found.

image

Part #4 – Creating Your Own Trace Session

We create a trace session with logman create trace mytrace1 -ets

image

This created the new trace mytrace1 in the current directory.

To validate this, we will query it with logman query mytrace1 -ets

Deliverable #4: provide a screenshot of your query mytrace1 output.

image

We want to add a provider to mytrace1, namely Microsoft-Windows-Kernel-Process. More specifically, we want to add WINEVENT_KEYWORD_PROCESS and WINEVENT_KEYWORD_IMAGE, which, if we look at the GUID output from earlier, have values of 0x0000000000000010 and 0x0000000000000040 respectively. We can combine these by adding them, which gives us 0x0000000000000050 (which we can shorten to 0x50).

We update mytrace1 with this value with logman update mytrace1 -p Microsoft-Windows-Kernel-Process 0x50 -ets

image

And we update the trace to add Microsoft-Windows-Kernel-File provider values with logman update mytrace1 -p Microsoft-Windows-Kernel-File 0x1100 -ets (the value 0x1100 represents the combination of the file keyword values we want)

image

Now we check our trace with logman query mytrace1 -ets

Deliverable #5: provide a screenshot of your query mytrace1 output showing the provider being added to this trace.

image

Deliverable #6: You are required to do the following (PLEASE READ CAREFULLY)

  1. Create a new trace named “mytrace2”

image

  2. Use the same approach to update the trace with the PowerShell provider. You need to focus only on the “Pipeline of Commands” and the “-------/Operational” values, so make sure you find the correct summation for those two values.

The "Pipeline of Commands" Keyword has the value 0x0000000000000002

“-------/Operational” Keyword has the value of 0x8000000000000000

If we add these, we get 0x8000000000000002

so we assign this to mytrace2 with logman update mytrace2 -p Microsoft-Windows-Powershell 0x8000000000000002 -ets

image
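The two keyword sums above (0x10 + 0x40 = 0x50 for Kernel-Process, 0x2 + 0x8000000000000000 for the PowerShell provider) are really bit masks, so the operation logman applies is a bitwise OR; addition gives the same answer only while no two keywords share a bit. The script below is an added example, not part of the lab page: it parses the Value / Keyword / Description table that `logman query providers <name>` prints, ORs the keywords you name (matching on either column, so a description such as "Pipeline of Commands" works too), and prints the resulting `logman update` line. The provider output embedded in it is constructed sample text in that column layout; the 0x10 and 0x40 values are the ones shown in the lab, the other rows and all function names are assumptions.

```powershell
# Added example (not from the lab page): compute an ETW keyword mask for
# `logman update <session> -p <provider> <mask> -ets` by bitwise-OR'ing keyword values.
#
# The text below is CONSTRUCTED to mirror the column layout of
# `logman query providers <name>` (Value / Keyword / Description). For live
# data, pass the real command's output to Get-EtwKeywordTable instead.
$SampleProviderOutput = @'
Provider                                 GUID
-------------------------------------------------------------------------------
Microsoft-Windows-Kernel-Process         {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}

Value               Keyword              Description
-------------------------------------------------------------------------------
0x0000000000000010  WINEVENT_KEYWORD_PROCESS
0x0000000000000020  WINEVENT_KEYWORD_THREAD
0x0000000000000040  WINEVENT_KEYWORD_IMAGE
0x8000000000000000  Microsoft-Windows-Kernel-Process/Analytic
'@

function Get-EtwKeywordTable {
    # Parse the keyword rows out of logman's text output.
    param([Parameter(Mandatory)][string[]]$LogmanOutput)

    foreach ($line in $LogmanOutput) {
        # A keyword row starts with a 16-digit hex value; the description is optional.
        if ($line -match '^\s*(0x[0-9A-Fa-f]{16})\s+(\S+)\s*(.*)$') {
            [pscustomobject]@{
                Value       = [Convert]::ToUInt64($Matches[1], 16)   # "0x" prefix is accepted for base 16
                Keyword     = $Matches[2]
                Description = $Matches[3].Trim()
            }
        }
    }
}

function New-EtwKeywordMask {
    # Combine the named keywords with bitwise OR. OR and addition agree while
    # the bits are distinct (0x10 + 0x40 = 0x10 -bor 0x40 = 0x50), but OR is
    # what the mask means and stays correct if a name is listed twice.
    param(
        [Parameter(Mandatory)][object[]]$KeywordTable,
        [Parameter(Mandatory)][string[]]$Names
    )
    [uint64]$mask = 0
    foreach ($name in $Names) {
        # Match the Keyword column or the Description column; -eq is case-insensitive.
        $row = $KeywordTable |
            Where-Object { $_.Keyword -eq $name -or $_.Description -eq $name } |
            Select-Object -First 1
        if (-not $row) { throw "Keyword '$name' not found in provider output" }
        $mask = $mask -bor $row.Value
    }
    return $mask
}

function Get-LogmanUpdateCommand {
    # Build the logman command line for the mask (printed, not executed).
    param(
        [Parameter(Mandatory)][string]$Session,
        [Parameter(Mandatory)][string]$Provider,
        [Parameter(Mandatory)][uint64]$Mask
    )
    return ('logman update {0} -p {1} 0x{2:X} -ets' -f $Session, $Provider, $Mask)
}

# Usage: reproduce the lab's 0x50 for mytrace1 from the constructed table.
$table = Get-EtwKeywordTable -LogmanOutput ($SampleProviderOutput -split "`r?`n")
$mask  = New-EtwKeywordMask -KeywordTable $table -Names 'WINEVENT_KEYWORD_PROCESS', 'WINEVENT_KEYWORD_IMAGE'
Get-LogmanUpdateCommand -Session mytrace1 -Provider Microsoft-Windows-Kernel-Process -Mask $mask
```

For mytrace2 the same functions apply: feed in the output of `logman query providers` for the PowerShell provider and pass the two keyword strings exactly as logman prints them, and the 64-bit OR yields 0x8000000000000002 because the high bit and bit 1 do not overlap.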

  3. Provide explanations and screenshots for all of your steps. (I have already been doing this)

Querying mytrace2 with logman query mytrace2 -ets

image

Part #5 – Generating Some Events

Creating ETWLAB3.txt (replaces ETWLAB2.txt in the lab because I already made ETWLAB2 while troubleshooting an earlier part)

image

Pinging google.com

image

Creating paint drawing ETWLAB3.png

image

Running offensive powershell activity powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Get-Process" > processes.txt

image

We will also do Get-ComputerInfo | Out-File system_info.txt to get computer info and save it to system_info.txt (perhaps without permission?)

image

Part #6 – Stopping Your Trace Session

Using logman query -ets, we can see that both traces are running!

Deliverable #7: provide a screenshot of your query showing that both mytrace1 and mytrace2 are running.

image

Now we stop these traces with logman stop mytrace1 -ets & logman stop mytrace2 -ets

image

We run logman query -ets again to make sure they stopped

image

Deliverable #8: provide a screenshot of your query showing that both mytrace1 and mytrace2 are no longer running and have been successfully stopped, similar to the output of 1.4.

mytrace1 and mytrace2 are nowhere to be found!
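Parts 4 and 6 together are one procedure: create a session, attach providers with their masks, confirm with `logman query <name> -ets`, and later stop it and confirm it is gone from `logman query -ets`. The script below is an added example, not part of the lab page, that runs that cycle from an elevated PowerShell and checks logman's exit code and output at every step, so a failure such as a missing provider or a session that did not stop is noticed rather than discovered later in PerfView. It assumes logman.exe is on PATH, that the session-name column of `logman query -ets` starts each line, and uses `C:\ETW` as a placeholder output folder; the function names are assumptions.

```powershell
# Added example (not from the lab page): script the create / update / verify /
# stop cycle that the lab performs by hand with logman.
# Assumptions: elevated PowerShell, logman.exe on PATH, $OutputDir chosen by you.

function Invoke-Logman {
    # Run logman with the given arguments and fail loudly on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    $out = & logman.exe @ArgumentList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "logman $($ArgumentList -join ' ') failed ($LASTEXITCODE): $out"
    }
    return $out
}

function Start-LabTrace {
    # Create an -ets session writing to <OutputDir>\<Name>.etl and attach each
    # provider with its keyword mask, as the lab does for mytrace1 and mytrace2.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OutputDir,
        # Provider name -> keyword mask string, e.g. @{ 'Microsoft-Windows-Kernel-Process' = '0x50' }
        [Parameter(Mandatory)][hashtable]$Providers
    )
    $etl = Join-Path $OutputDir "$Name.etl"
    Invoke-Logman @('create', 'trace', $Name, '-o', $etl, '-ets') | Out-Null
    foreach ($provider in $Providers.Keys) {
        Invoke-Logman @('update', $Name, '-p', $provider, $Providers[$provider], '-ets') | Out-Null
    }
    # Verify the providers really landed on the session (the check behind Deliverable #5).
    $status = Invoke-Logman @('query', $Name, '-ets')
    foreach ($provider in $Providers.Keys) {
        if (-not ($status -match [regex]::Escape($provider))) {
            throw "Provider $provider missing from session $Name"
        }
    }
    return $etl
}

function Test-TraceRunning {
    # True when `logman query -ets` lists the session (Deliverables #7 and #8).
    param([Parameter(Mandatory)][string]$Name)
    $sessions = Invoke-Logman @('query', '-ets')
    return [bool]($sessions -match "^\s*$([regex]::Escape($Name))\s")
}

function Stop-LabTrace {
    # Stop the session and confirm it has disappeared from the running list.
    param([Parameter(Mandatory)][string]$Name)
    Invoke-Logman @('stop', $Name, '-ets') | Out-Null
    if (Test-TraceRunning -Name $Name) { throw "Session $Name is still running" }
}

# Usage (mirrors Parts 4 and 6; 'C:\ETW' is a placeholder folder):
# $etl1 = Start-LabTrace -Name mytrace1 -OutputDir 'C:\ETW' -Providers @{
#     'Microsoft-Windows-Kernel-Process' = '0x50'
#     'Microsoft-Windows-Kernel-File'    = '0x1100'
# }
# ... generate events as in Part 5 ...
# Stop-LabTrace -Name mytrace1
# Test-TraceRunning -Name mytrace1   # False once stopped
```

Passing `-o` makes the ETL location explicit instead of relying on the current directory, which is what caused the lab's "find mytrace1&2" step in PerfView to depend on where the command prompt happened to be opened.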

Part #7 – Analyzing Your Trace Session using PerfView

We open PerfView and find mytrace1 and mytrace2.

image

Open Both Files

image

Deliverable #9: You are required to find traces of usage in the mytrace1.etl for all of the following:

  1. Notepad.exe and the file named ETWLab2.txt that you saved.

image

We do this by opening Events, searching "notepad" in the text filter, and looking under the File/CreateNewFile entry in the sidebar.

image

We do this by opening Events, searching "ETWLAB3" in the text filter, and looking under the File/CreateNewFile entry in the sidebar.

  2. Cmd.exe and the ping command to google.com that you performed.

I found this by entering "ping" in the text filter and searching the event types until I found events that seemed like they matched the ping I made earlier.

image

  3. Mspaint.exe and the file named ETWLab2.png that you saved.

I find the process for paint by entering "paint.exe" in the text filter bar and browsing the categories until I find the event that I believe corresponds to using paint.

image

Essentially, I repeated this process of entering "ETWLAB3" in the Text Filter bar and looked under CreateNewFile for the event that seemed to match the ETWLAB3.png file I created earlier.

image

Deliverable #10: You are required to find PowerShell CmdLet traces of usage in the mytrace2.etl for all of the following:

  1. Get-Process cmdlet

In the event viewer for mytrace2, once again we use the text filter, this time to look for events containing "Get-Process", and browse the categories until we find it.

image

  2. Hidden PowerShell

This same event happens to contain the text for hiding the powershell window as well.

image
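The reason one pipeline event answers both questions is that the "Command ... is Started" events carry a Context block whose Host Application line records the full powershell.exe command line, including the -WindowStyle Hidden and -ExecutionPolicy Bypass switches used in Part 5. The script below is an added example, not part of the lab page: it splits that Context block into key/value pairs and flags the launch options a defender would want to alert on. The event text it parses is constructed to resemble that payload (the exact "Host Application = ..." line format and the sample user are assumptions), and the function names are mine.

```powershell
# Added example (not from the lab page): parse the Context block of a
# Microsoft-Windows-PowerShell pipeline ("Command started") event and flag
# a host command line that was launched hidden, with policy bypass or encoded.
# The event text is CONSTRUCTED to resemble that payload; the exact line
# format is an assumption, as is the LAB\student user.
$SampleEventText = @'
Command Get-Process is Started.

Context:
        Severity = Informational
        Host Name = ConsoleHost
        Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Get-Process
        Command Name = Get-Process
        Command Type = Cmdlet
        User = LAB\student
'@

function ConvertFrom-PipelineEventContext {
    # Turn the "Key = Value" lines under "Context:" into a hashtable.
    param([Parameter(Mandatory)][string]$Text)
    $ctx = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # First "=" separates key and value; the value may itself contain "=".
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $ctx[$Matches[1]] = $Matches[2].Trim() }
    }
    return $ctx
}

function Test-SuspiciousHostApplication {
    # Report which risky launch options appear in a powershell.exe command line.
    # -match is case-insensitive; the patterns accept the documented short forms.
    param([Parameter(Mandatory)][string]$HostApplication)
    $reasons = @()
    if ($HostApplication -match '-w(indowstyle)?\s+hidden')          { $reasons += 'hidden window' }
    if ($HostApplication -match '-(ex|ep|executionpolicy)\s+bypass')  { $reasons += 'execution policy bypass' }
    if ($HostApplication -match '-(e|ec|enc|encodedcommand)\s+\S+')  { $reasons += 'encoded command' }
    return [pscustomobject]@{
        HostApplication = $HostApplication
        Suspicious      = ($reasons.Count -gt 0)
        Reasons         = $reasons
    }
}

function Test-PipelineEvent {
    # Combine both steps for one event payload.
    param([Parameter(Mandatory)][string]$Text)
    $ctx    = ConvertFrom-PipelineEventContext -Text $Text
    $result = Test-SuspiciousHostApplication -HostApplication $ctx['Host Application']
    $result | Add-Member -NotePropertyName CommandName -NotePropertyValue $ctx['Command Name'] -PassThru |
              Add-Member -NotePropertyName User        -NotePropertyValue $ctx['User']         -PassThru
}

# Usage: the constructed Get-Process event is flagged for both switches used in Part 5.
Test-PipelineEvent -Text $SampleEventText | Format-List
```

Matching on the Host Application field rather than on the command name is the useful habit here: Get-Process is harmless, and it is the way the host was started that makes this event worth a second look.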

Part #8 – Investigating Suspicious Executable

Downloading trace1.7z

image

Extracting the archive

image

Opening trace1.etl

image

I start reading line by line because I don't really know what I am looking for yet, and find this line, findme.dll, which I am pretty sure is it.

image

Deliverable #11: Use the methods and techniques that you have learned so far to analyze this file and find the following:

  1. What was the name of the process that loaded the suspicious DLL?

We only have the process number (4656) for this event and we are not given the name.

image

  2. What was the name of the DLL?

findme.dll

image

  3. Where is this DLL from (file location)?

\Device\HarddiskVolume1\Users\Public\Downloads

image
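The gap in the first answer (only PID 4656 is visible on the image-load event) is the normal situation with ETW: an ImageLoad event identifies its process by PID, and the name lives on the ProcessStart event for that PID earlier in the same trace, so the two have to be joined. The script below is an added example, not part of the lab page, showing that join on a constructed set of event records; it assumes the trace carries Microsoft-Windows-Kernel-Process ProcessStart and ImageLoad events with ProcessID and ImageName fields, and it takes the latest start at or before the load so that PID reuse does not attach the wrong name. The PID and the findme.dll path are the ones from the lab; the process names are placeholders, not the answer to the deliverable.

```powershell
# Added example (not from the lab page): recover the process name behind an
# ImageLoad event when the viewer only shows a PID, by joining against the
# ProcessStart events of the same trace. The records are CONSTRUCTED; the
# ProcessStart/ImageLoad task names and fields are assumed from the
# Microsoft-Windows-Kernel-Process provider, and the exe names are placeholders.
$SampleEvents = @(
    [pscustomobject]@{ Time = 10.00; Task = 'ProcessStart'; ProcessID = 4656; ImageName = '\Device\HarddiskVolume1\PLACEHOLDER\first.exe' }
    [pscustomobject]@{ Time = 11.50; Task = 'ProcessStop';  ProcessID = 4656; ImageName = '\Device\HarddiskVolume1\PLACEHOLDER\first.exe' }
    [pscustomobject]@{ Time = 12.00; Task = 'ProcessStart'; ProcessID = 4656; ImageName = '\Device\HarddiskVolume1\PLACEHOLDER\second.exe' }
    [pscustomobject]@{ Time = 12.75; Task = 'ImageLoad';    ProcessID = 4656; ImageName = '\Device\HarddiskVolume1\Users\Public\Downloads\findme.dll' }
    [pscustomobject]@{ Time = 12.80; Task = 'ImageLoad';    ProcessID = 4656; ImageName = '\Device\HarddiskVolume1\Windows\System32\kernel32.dll' }
)

function Resolve-ImageLoadProcess {
    # For each ImageLoad whose path matches $DllPattern, report the owning process.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string]$DllPattern
    )
    $starts = $Events | Where-Object Task -eq 'ProcessStart' | Sort-Object Time
    $loads  = $Events | Where-Object { $_.Task -eq 'ImageLoad' -and $_.ImageName -like $DllPattern }

    foreach ($load in $loads) {
        # Latest start of this PID that does not come after the load: survives PID reuse.
        $owner = $starts |
            Where-Object { $_.ProcessID -eq $load.ProcessID -and $_.Time -le $load.Time } |
            Select-Object -Last 1

        if ($owner) {
            $procName = [System.IO.Path]::GetFileName($owner.ImageName)
            $procPath = $owner.ImageName
        } else {
            # The process started before the trace began; only the PID is known.
            $procName = '<start not in trace>'
            $procPath = $null
        }

        [pscustomobject]@{
            Time          = $load.Time
            ProcessID     = $load.ProcessID
            ProcessName   = $procName
            ProcessPath   = $procPath
            Dll           = [System.IO.Path]::GetFileName($load.ImageName)
            DllDirectory  = [System.IO.Path]::GetDirectoryName($load.ImageName)
            # Code loaded from a world-writable download folder deserves a closer look.
            FromDownloads = ($load.ImageName -like '*\Users\Public\Downloads\*')
        }
    }
}

# Usage: the constructed data attributes the load to second.exe, not first.exe,
# because PID 4656 was reused after first.exe exited.
Resolve-ImageLoadProcess -Events $SampleEvents -DllPattern '*\findme.dll' | Format-List
```

When the owning ProcessStart is absent the process was already running when the session began, which is exactly the case the lab's Part 5 avoids by starting the traces before generating events; in a real investigation that is the cue to enable the session earlier or to fall back on a process snapshot taken alongside the trace.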

Part #9 – Reflection

This lab was certainly an interesting change of pace from the previous ones in that it focused on gathering and parsing data about past events in an operating system rather than building and configuring infrastructure. It made me realize just how much is going on under the hood of a normal Windows installation. In just a minute of operation, a Windows system will generate hundreds of events from the various processes running in the foreground and background. One action, like opening a file or writing data to it, will generate multiple events, and I want to learn more about the sequence of events that make up a simple action like saving a notepad file. I felt very overwhelmed when looking through events in WPA and PerfView, and it took some time to gain enough familiarity to find the events I was looking for. Despite some tedium and frustration, I gained a new respect for event tracing, and I see why it would be useful in a security setting for catching intruders and doing damage control on a compromised system. I am definitely interested in learning more about effective and efficient Event Tracing on Windows. I would also like to know what utilities can be used to trace events on Linux-based systems.