Once intruders have gained Administrator access on a system, they will try to avoid detection of their presence.
When all the information of interest has been extracted from the target, they will install several back doors so that access can easily be regained in the future.
Erasing evidence of a compromise is a requirement for any attacker who wants to remain undetected. This usually starts with erasing the tainted login records and any error messages the attack may have generated; a buffer overflow attack, for example, will usually leave a message in the system logs. Attention then turns to making changes so that future logins are not logged. A good way of ensuring that the system administrator continues to trust the output of his system is to manipulate the event logs and tweak the audit system.
Because checking the system log files is the first thing a system administrator does when looking for unusual activity, it is very common for intruders to use a utility to modify the system logs. In extreme cases, rootkits can disable logging altogether and discard all existing logs. This happens when the intruders intend to use the system for a longer time as a launch base for future intrusion activity. Otherwise, they will remove only those portions of the logs that could reveal their presence.
-  The first thing intruders will do after gaining Administrator privileges is to disable auditing.
-  The NT Resource Kit's auditpol.exe tool can disable auditing from the command line.
-  At the end of their stay, the intruders simply turn auditing on again using auditpol.exe.
One of the first steps for an attacker who has command-line access is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keystroke logger or network sniffer).
Windows auditing records certain events to the Event Log (or an associated syslog). The log can be set to send alerts (email, pager, etc.) to the system administrator, so the attacker will want to know the auditing status before acting.
auditpol.exe is part of the NT Resource Kit and is a simple command-line utility for finding out the audit status of the target system and for changing it.
The attacker needs the utility installed in the WINNT directory. He can then connect to the target machine (the command needs administrative rights on the target; a null session alone does not provide them) and run the following, naming the target after the backslashes:
C:\> auditpol \\
This reveals the current audit status of the system. He can then disable auditing with:
C:\> auditpol \\ /disable
From that point the Security Log no longer records his actions. The policy change itself is stored in the registry, and he can choose to hide the keys he changed later on.
There is no effective technique to lock auditing so that auditpol cannot disable it. However, one can create a scheduled job that checks the audit status periodically and turns auditing back on if it has been disabled. Most host-based IDS products will automatically re-enable auditing if it has been turned off.
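The scheduled check described above, as an added example that is not part of the original page or the Resource Kit: a Python script that parses the text auditpol prints, reports which categories have been turned off, and produces the re-enable command a job would run. The output layout it parses (a "(X) Audit Enabled" or "( ) Audit Disabled" line followed by "Category = setting" lines) and SAMPLE_OUTPUT are constructed to approximate the tool rather than captured from a host, the REQUIRED baseline is a site-policy assumption, and the /enable switch is assumed to be the counterpart of the /disable switch shown above.

```python
"""Parse auditpol.exe status output and decide whether auditing must be re-enabled.

Added example, not from the original page or the NT Resource Kit.
ASSUMPTION: auditpol prints "(X) Audit Enabled" or "( ) Audit Disabled" followed by
"<Category> = <Success and Failure|Success|Failure|No>" lines. SAMPLE_OUTPUT is
constructed to that layout; a scheduled job would feed in the real tool output.
"""
import re

SAMPLE_OUTPUT = """Running ...

( ) Audit Disabled

System                  = No
Logon                   = No
Object Access           = No
Privilege Use           = Success and Failure
Process Tracking        = No
Policy Change           = Success and Failure
Account Management      = Success
"""

# Baseline the job insists on (assumed site policy); other categories are left alone.
REQUIRED = {
    "System": "Success and Failure",
    "Logon": "Success and Failure",
    "Policy Change": "Success and Failure",
    "Account Management": "Success and Failure",
}

STATUS_LINE = re.compile(r"\((X| )\)\s*Audit\s+(Enabled|Disabled)", re.IGNORECASE)


def parse_auditpol(text):
    """Return (audit_enabled, {category: setting}) from auditpol's text output."""
    enabled = None
    categories = {}
    for line in text.splitlines():
        line = line.strip()
        m = STATUS_LINE.match(line)
        if m:
            enabled = m.group(2).lower() == "enabled"
            continue
        if "=" in line:                      # "Category = setting"
            cat, _, setting = line.partition("=")
            categories[cat.strip()] = setting.strip()
    if enabled is None:
        raise ValueError("no '(X) Audit Enabled' / '( ) Audit Disabled' line found")
    return enabled, categories


def audit_gaps(text, required=REQUIRED):
    """List every reason the scheduled job would act on this host (empty = policy intact)."""
    enabled, cats = parse_auditpol(text)
    gaps = []
    if not enabled:
        gaps.append("auditing globally disabled")
    for cat, wanted in required.items():
        got = cats.get(cat, "No")            # a missing category counts as switched off
        if got != wanted:
            gaps.append(f"{cat}: want '{wanted}', have '{got}'")
    return gaps


def remediation(server, text):
    """Command the job would run, or None if nothing is wrong.
    ASSUMPTION: '/enable' is the counterpart of the '/disable' switch; category
    settings still have to be restored to site policy after auditing is back on."""
    if not audit_gaps(text):
        return None
    return f"auditpol \\\\{server} /enable"


if __name__ == "__main__":
    for gap in audit_gaps(SAMPLE_OUTPUT):
        print("GAP:", gap)
    print("run:", remediation("target", SAMPLE_OUTPUT))
```

Run on a schedule, the script only has to compare the parsed state with the baseline; the interesting design choice is that a category missing from the output is treated as "No" rather than ignored, so a truncated or tampered output cannot read as healthy.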
There are a number of reasons why auditing is important. These include:
-  Successful attacks are often preceded by a series of unsuccessful ones.
-  Detecting an attack in its early phase can contain the damage.
-  Recovery often depends on a realistic damage assessment.
-  Auditing and intrusion detection help determine the causal factors and the people behind the attack.
-  Assessing network compromise depends on auditing as well. One of the main goals of auditing is to identify the actions taken by attackers on your network; an attacker may attempt to compromise multiple computers and devices on the network.
-  Intruders can easily wipe out the logs in the Event Viewer.
-  The Event Viewer on the attacker's host can open, read and clear the logs of the remote host.
-  Clearing removes all records from the log but leaves a single new record stating that the event log was cleared, and by which account.
The event-logging service controls whether events are tracked on Windows 2000 systems. When this service is started, user actions and system resource usage events can be tracked in the following event logs: the Application, Security and System logs.
In the Security Log, always check for event IDs 529 "Unknown user or bad password," 680 "Account logon," and 517 "Security Log cleared."
Dump Event Log (dumpel.exe) is a command-line tool included in the Windows 2000 Server Resource Kit. It dumps an event log for a local or remote system into a tab-separated text file, which can then be imported into a spreadsheet or database for further investigation. The tool can also be used to filter for, or filter out, certain event types.
The following syntax is used by the dumpel.exe tool:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x]
Where:
-f file. Specifies the file name for the output file. There is no  default for -f, so you must specify the file.
-s server. Specifies the server for which you want to dump the  event log. Leading backslashes on the server name are optional.
-l log. Specifies which log (system, application, security) to dump. If an invalid log name is specified, the application log is dumped.
-m source. Specifies in which source (such as redirector (rdr),  serial, and so on) to dump records. Only one source can be supplied. If this  switch is not used, all events are dumped. If a source is used that is not  registered in the registry, the application log is searched for records of this  type.
-e n1 n2 n3. Filters for event ID nn (up to 10 can be specified).  If the -r switch is not used, only records of these types are dumped; if -r is  used, all records except records of these types are dumped. If this switch is  not used, all events from the specified source name are selected. You cannot use  this switch without the -m switch.
-r. Specifies whether to filter for specific sources or records,  or to filter them out.
-t. Specifies that individual strings are separated by tabs. If -t  is not used, strings are separated by spaces.
-d x. Dumps events for the past x days.
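Because a dumpel dump is just tab-separated text, the checks recommended above (a run of 529 "bad password" failures that ends in a successful logon, which is the "unsuccessful attempts precede the successful one" pattern from the auditing list, and any 517 "log cleared" record) can be automated over it. The following Python script is an added example, not code from the page or the Resource Kit. It assumes the column order date, time, type, category, event ID, source, user, computer, message (type 16 = failure audit, 8 = success audit), and SAMPLE_DUMP is constructed to that layout rather than captured from a real system.

```python
"""Triage of a dumpel.exe dump: failed-logon bursts ending in a success, and log clears.

Added example, not from the original page or the Resource Kit.
ASSUMPTION: 'dumpel -t' writes one event per line with tab-separated columns
  date, time, type, category, event ID, source, user, computer, message
where type 16 = failure audit and 8 = success audit. SAMPLE_DUMP is constructed
to that layout; it is not a capture from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

COLUMNS = ("date", "time", "type", "category", "event_id", "source", "user", "computer", "message")
SUCCESS_AUDIT, FAILURE_AUDIT = 8, 16
LOGON_OK, BAD_PASSWORD, LOG_CLEARED = 528, 529, 517      # NT/2000 Security log event IDs

SAMPLE_DUMP = "\n".join([
    "10/9/2000\t8:45:42 AM\t16\t2\t529\tSecurity\tSYSTEM\tSERVER1\tLogon Failure: Unknown user name or bad password User Name: jsmith Domain: CORP",
    "10/9/2000\t8:45:44 AM\t16\t2\t529\tSecurity\tSYSTEM\tSERVER1\tLogon Failure: Unknown user name or bad password User Name: jsmith Domain: CORP",
    "10/9/2000\t8:45:47 AM\t16\t2\t529\tSecurity\tSYSTEM\tSERVER1\tLogon Failure: Unknown user name or bad password User Name: jsmith Domain: CORP",
    "10/9/2000\t8:45:49 AM\t16\t2\t529\tSecurity\tSYSTEM\tSERVER1\tLogon Failure: Unknown user name or bad password User Name: jsmith Domain: CORP",
    "10/9/2000\t8:45:52 AM\t16\t2\t529\tSecurity\tSYSTEM\tSERVER1\tLogon Failure: Unknown user name or bad password User Name: jsmith Domain: CORP",
    "10/9/2000\t8:45:55 AM\t8\t2\t528\tSecurity\tjsmith\tSERVER1\tSuccessful Logon: User Name: jsmith Domain: CORP Logon Type: 3",
    "10/9/2000\t9:10:00 AM\t16\t2\t529\tSecurity\tSYSTEM\tSERVER1\tLogon Failure: Unknown user name or bad password User Name: bob Domain: CORP",
    "10/9/2000\t9:30:12 AM\t8\t1\t517\tSecurity\tAdministrator\tSERVER1\tThe audit log was cleared",
    "10/9/2000\t9:30:13 AM\t4\t0\t6005\tEventLog\tN/A\tSERVER1\tThe Event log service was started.",
])


def parse_dumpel(text):
    """Turn dumpel -t output into a time-sorted list of event dicts."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t", len(COLUMNS) - 1)        # message keeps any further tabs
        fields += [""] * (len(COLUMNS) - len(fields))      # tolerate short lines
        ev = dict(zip(COLUMNS, fields))
        ev["when"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%m/%d/%Y %I:%M:%S %p")
        ev["type"] = int(ev["type"])
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    events.sort(key=lambda e: e["when"])
    return events


def account_of(ev):
    """Logon events are logged as SYSTEM; the real account is in the message text."""
    m = re.search(r"User Name:\s*(\S+)", ev["message"])
    return m.group(1) if m else ev["user"]


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when an account sees >= threshold 529 failures inside 'window' and then a 528 success."""
    recent = defaultdict(deque)                # account -> timestamps of recent failures
    alerts = []
    for ev in events:
        acct = account_of(ev)
        q = recent[acct]
        while q and ev["when"] - q[0] > window:
            q.popleft()                        # forget failures older than the window
        if ev["event_id"] == BAD_PASSWORD and ev["type"] == FAILURE_AUDIT:
            q.append(ev["when"])
        elif ev["event_id"] == LOGON_OK and ev["type"] == SUCCESS_AUDIT and len(q) >= threshold:
            alerts.append({"account": acct, "failures": len(q),
                           "success_at": ev["when"], "computer": ev["computer"]})
            q.clear()
    return alerts


def find_log_clears(events):
    """Every 517 record: who cleared the Security log, where, and when."""
    return [{"when": ev["when"], "user": ev["user"], "computer": ev["computer"]}
            for ev in events if ev["event_id"] == LOG_CLEARED and ev["source"] == "Security"]


if __name__ == "__main__":
    evs = parse_dumpel(SAMPLE_DUMP)
    for a in find_bruteforce_then_success(evs):
        print(f"{a['account']}: {a['failures']} bad passwords then success at {a['success_at']} on {a['computer']}")
    for c in find_log_clears(evs):
        print(f"Security log cleared by {c['user']} on {c['computer']} at {c['when']}")
```

The 517 check is the one that survives elsave or a manual clear: the clearing leaves exactly that record behind, so a dump that shows a 517 and nothing older than it is itself the evidence. Selective deletion, as with WinZapper below, leaves no such record, which is why a copy of the log exported to another host is worth more than the live log.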
An attacker will want to clear the event log after auditing has been disabled with auditpol.exe. One tool of interest is elsave.exe, written by Jesper Lauritsen, which saves and clears NT event logs.
ELSave takes the following arguments:

| Argument | Meaning |
| --- | --- |
| -s \\server | Server for which you want to save or clear the log. |
| -F file | Save the log to a file with this name. Must be an absolute path to a local file on the server specified with -s. If -F is not specified the log is not saved. |
| -l log | Name of log to save or clear. Must be one of system, application or security. Default is application. |
| -q | Write errors and warnings to the application event log. Default is to write errors to stderr. This option is mostly useful when ELSave is run in the background, for example from the scheduler. |
| -C | Clears the log. If -C is not specified the log is not cleared. |
Example:
Save the application log on \\serv1 to \\serv1\d$\application.log:
elsave -s \\serv1 -F d:\application.log
Save the system log on the local machine to d:\system.log and then clear the log:
elsave -l system -F d:\system.log -C
-  WinZapper is a tool that an attacker can use to erase event records selectively from the Security Log in Windows 2000.
-  To use the program, the attacker runs winzapper.exe, marks the event records to be deleted, presses 'delete events' and then 'exit'. Presto, the events disappear.
-  To sum things up: after an attacker has gained Administrator access to the system, one simply cannot trust the Security Log!
It is generally assumed that event logs cannot be tampered with without shutting the event-logging service down, by legitimate means or otherwise. WinZapper breaks that assumption: it modifies the event logging system's records without stopping or crashing the service.
-  Evidence Eliminator is an easy-to-use, powerful and flexible data cleansing system for Windows PCs.
-  Daily use protects you from unwanted data becoming permanently hidden in your PC.
-  It cleans recycle bins, the Internet cache, system files, temp folders, etc.
Evidence Eliminator is a Windows-based product known for countering privacy invasion and giving the user the ability to remove evidence of his activities on a system, such as websites visited, cookies stored and documents read.
-  There are two ways of hiding files in NT/2000:
-  Attrib: use attrib +h [file/directory] to set the hidden attribute.
-  NTFS Alternate Data Streams: the NTFS file system used by Windows NT, 2000 and XP has a feature, Alternate Data Streams, which allows data to be stored in hidden streams attached to a normal, visible file. Streams are not limited in size, and more than one stream can be attached to a single file.
Every file consists of a set of attributes. However, a  file's name is not part of the file. The filename is a directory entry that  points to the actual file. This level of indirection is necessary because  Windows 2000 and Windows NT both support links. The directory entry can be  considered to be analogous to a pointer - the unique filename and directory  entry tells the file system which file to access. It is possible to have more  than one pointer that points to the same data.
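To see what a stream-based hide looks like from the defender's side, here is an added Python example (not from the original page) that writes an alternate data stream, shows that the visible file's size does not change, enumerates the streams through kernel32's FindFirstStreamW/FindNextStreamW, and flags everything except the unnamed stream and the Zone.Identifier download marker. The file name hidden.txt and stream name payload are illustrative assumptions; the stream operations need Windows and an NTFS volume, while the triage helpers are plain Python.

```python
"""Alternate data streams: write one, enumerate them, triage the result.

Added example, not from the original page. Stream I/O, enumeration and the
hidden-attribute check need Windows + NTFS; split_stream_name() and
suspicious_streams() are pure Python. ASSUMPTIONS: the host file 'hidden.txt'
and the stream name 'payload' are illustrative; the API reports stream names
in the form ':payload:$DATA'.
"""
import ctypes
import os
import sys

# The unnamed data stream every file has, and the marker browsers attach to
# downloads, are expected; anything else deserves a look.
BENIGN_STREAMS = {"::$DATA", ":Zone.Identifier:$DATA"}
FILE_ATTRIBUTE_HIDDEN = 0x2            # the bit that 'attrib +h' sets


def split_stream_name(name):
    """':payload:$DATA' -> ('payload', '$DATA'); '::$DATA' -> ('', '$DATA')."""
    parts = name.split(":")
    if len(parts) != 3 or parts[0] != "":
        raise ValueError(f"not an NTFS stream name: {name!r}")
    return parts[1], parts[2]


def suspicious_streams(streams):
    """Keep the (name, size) pairs that are neither the unnamed stream nor Zone.Identifier."""
    return [(name, size) for name, size in streams if name not in BENIGN_STREAMS]


def list_streams(path):
    """Enumerate (name, size) for every stream of 'path' via FindFirstStreamW (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("NTFS stream enumeration needs Windows")

    class FindStreamData(ctypes.Structure):            # WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = FindStreamData()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:       # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            found.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                                                # ERROR_HANDLE_EOF: done
    finally:
        k32.FindClose(handle)
    return found


def is_hidden(path):
    """True if the file carries the attribute that 'attrib +h' sets (Windows only)."""
    return bool(os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)


if __name__ == "__main__" and sys.platform == "win32":
    host = "hidden.txt"
    with open(host, "w") as f:
        f.write("nothing to see here\n")
    with open(host + ":payload", "w") as f:          # data lands in an alternate stream
        f.write("X" * 4096)
    print("size shown by dir:", os.path.getsize(host))   # still just the main stream
    with open(host + ":payload") as f:
        print("bytes readable from the stream:", len(f.read()))
    for name, size in suspicious_streams(list_streams(host)):
        print("suspicious stream", repr(split_stream_name(name)[0]), "of", size, "bytes")
    print("hidden attribute set:", is_hidden(host))
```

The point the directory-entry discussion makes is visible in the output: dir (and os.path.getsize) report the main stream only, so neither the 4096 extra bytes nor the stream's existence shows up in a normal listing, and only the stream enumeration API reveals it. Triage on the enumerated names rather than sizes, since a real hide can be as small as a few bytes of configuration.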