C&C activity. This is defense in depth at its finest. However, that is during the analysis step, which we will cover later in this chapter. In this step we are trying to determine the attack vector, the time of the successful attempt, and the userid that successfully logged in (which should now be considered compromised).
Finding these failed login attempts tells us that password guessing was one of the attack vectors. Finding a successful login among the attempts, either using one of the attempted userids or immediately following the last attempt, is valuable because it marks the time of the actual break-in. Take note of this time because you will use it later to look for files associated with the break-in (see Figure 5.6).
Figure 5.6 A Successful Break-in
During the analysis phase you can use a log processor such as Log Parser from Microsoft to process multiple log files at once. At the time of this printing, Log Parser can be downloaded from www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en. Log Parser reads the event files and permits the analyst to craft SQL queries to extract information.
We created a batch file containing a single line:
www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
"C:\Program Files\Log Parser 2.2\LogParser.exe" -o:CSV file:LogonFailuresDistinct2.sql?machine=*
This line says, "Run Log Parser, read the file LogonFailuresDistinct2.sql, execute the SQL commands you find there, report what you find for all machines (machine=*), and place the results in a comma-separated value file."
The LogonFailures SQL query says:

SELECT DISTINCT TimeGenerated,
    STRCAT(EXTRACT_TOKEN(Strings, 1, '|'),
           STRCAT('\\', EXTRACT_TOKEN(Strings, 0, '|'))) AS User,
    [ComputerName] AS Targeted_Computer,
    EXTRACT_TOKEN(Strings, 5, '|') AS [Attacking_Workstation]
FROM .\logs2\*.evt
WHERE EventType = 16 AND EventCategory = 2
    AND Attacking_Workstation <> ComputerName
This query will cause Log Parser to:

■ Extract the time-generated field
■ Extract the user name (token 0 of the pipe-delimited Strings field) and the logon domain (token 1) and concatenate them, with a backslash between, to form a field called User (DOMAIN\user)
■ Relabel the ComputerName field to Targeted_Computer
■ Extract the Workstation field (token 5 of Strings) and label it Attacking_Workstation
■ Drop duplicate rows (DISTINCT)

Log Parser does this for all the event logs in .\logs2, for all logon events (EventCategory 2) that failed (EventType 16, a Failure Audit) and where the attacking workstation name doesn't match the ComputerName field, that is, for failures that came from some other machine rather than from the console of the targeted computer itself.
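As an added example (not from the book), the following Python script does over a constructed CSV what the Log Parser query and the hand analysis in this section do: it applies the query's filters, extracts DOMAIN\user and the attacking workstation from the pipe-delimited Strings field, removes duplicate rows as DISTINCT does, summarizes each attacking workstation (attempt count, time window, inter-attempt timing, attempts per userid), and then looks for the success audit that follows that workstation's last failure, which is the break-in time the text says to note. The sample rows, the host and user names, the 10-attempt/2-second threshold for calling a source automated, the 60-second window for "immediately following", and the token position of the workstation name in success audits (token 6; the book's query uses token 5 for failures) are assumptions made here, not data or figures from the chapter.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

FAILURE_AUDIT = 16    # Log Parser EVT EventType value for Failure Audit
SUCCESS_AUDIT = 8     # Log Parser EVT EventType value for Success Audit
LOGON_CATEGORY = 2    # EventCategory Logon/Logoff
TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Position of the workstation name in the pipe-joined Strings field. 5 is what
# the book's query uses for failed logons; 6 for success audits is an
# assumption here (verify against your own logs before relying on it).
WORKSTATION_TOKEN = {FAILURE_AUDIT: 5, SUCCESS_AUDIT: 6}
AUTOMATED_MIN_ATTEMPTS, AUTOMATED_MAX_GAP_S, IMMEDIATE_S = 10, 2.0, 60  # assumed


def build_sample_csv():
    """Constructed sample (not real log data) in the shape of Log Parser's
    EVT fields: two attacking hosts, one victim, one local failure, and one
    duplicated row so the DISTINCT handling has something to remove."""
    t0 = datetime(2006, 11, 15, 2, 0, 0)
    rows = []

    def row(when, etype, computer, strings):
        rows.append([when.strftime(TIME_FMT), etype, LOGON_CATEGORY, computer, strings])

    # ATTACKER2: five guesses per userid, one per second, then a success for
    # the last userid one second after the final failure.
    sec = 0
    for user in ("administrator", "backup", "jsmith"):
        for _ in range(5):
            row(t0 + timedelta(seconds=sec), FAILURE_AUDIT, "VICTIM1",
                f"{user}|VICTIMDOM|3|NtLmSsp|NTLM|ATTACKER2")
            sec += 1
    row(t0 + timedelta(seconds=sec), SUCCESS_AUDIT, "VICTIM1",
        "jsmith|VICTIMDOM|(0x0,0x1A2B3C)|3|NtLmSsp|NTLM|ATTACKER2")
    # ATTACKER1: a few failures spread over hours, one row duplicated.
    for minutes in (-50, -50, -15, 80):
        row(t0 + timedelta(minutes=minutes), FAILURE_AUDIT, "VICTIM1",
            "administrator|VICTIMDOM|3|NtLmSsp|NTLM|ATTACKER1")
    # A failure typed at VICTIM1's own console; the query's
    # Attacking_Workstation <> ComputerName clause drops it.
    row(t0 + timedelta(minutes=30), FAILURE_AUDIT, "VICTIM1",
        "jsmith|VICTIMDOM|2|User32|Negotiate|VICTIM1")

    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["TimeGenerated", "EventType", "EventCategory", "ComputerName", "Strings"])
    writer.writerows(rows)
    return buf.getvalue()


def parse_events(csv_text):
    """Same filter as the query (logon category, remote workstation only) but
    keeping success audits too; builds DOMAIN\\user as the STRCAT() does."""
    events = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        etype = int(r["EventType"])
        if int(r["EventCategory"]) != LOGON_CATEGORY or etype not in WORKSTATION_TOKEN:
            continue
        tok = r["Strings"].split("|")
        ws = tok[WORKSTATION_TOKEN[etype]]
        if ws == r["ComputerName"]:
            continue
        events.append({"time": datetime.strptime(r["TimeGenerated"], TIME_FMT),
                       "type": etype, "user": f"{tok[1]}\\{tok[0]}",
                       "target": r["ComputerName"], "workstation": ws})
    return sorted(events, key=lambda e: e["time"])


def logon_failures(events):
    """The query's SELECT DISTINCT over failure audits, in time order."""
    seen, out = set(), []
    for e in events:
        key = (e["time"], e["user"], e["target"], e["workstation"])
        if e["type"] == FAILURE_AUDIT and key not in seen:
            seen.add(key)
            out.append(e)
    return out


def summarize_attackers(failures):
    """Per attacking workstation, the figures the text reads off Table 5.1:
    attempt count, time window, inter-attempt gap and attempts per userid."""
    by_ws = defaultdict(list)
    for f in failures:
        by_ws[f["workstation"]].append(f)
    summary = {}
    for ws, evs in by_ws.items():
        times = [e["time"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        per_user = defaultdict(int)
        for e in evs:
            per_user[e["user"]] += 1
        gap = median(gaps) if gaps else None
        summary[ws] = {"attempts": len(evs), "first": times[0], "last": times[-1],
                       "median_gap_s": gap, "userids": sorted(per_user),
                       "attempts_per_userid": max(per_user.values()),
                       "automated": len(evs) >= AUTOMATED_MIN_ATTEMPTS
                                    and gap is not None and gap <= AUTOMATED_MAX_GAP_S}
    return summary


def find_break_in(events, workstation):
    """First success audit from `workstation` that either reuses a guessed
    userid or lands within IMMEDIATE_S of its last failure: the break-in
    time to carry into the file-system analysis. None if there is none."""
    fails = [e for e in logon_failures(events) if e["workstation"] == workstation]
    if not fails:
        return None
    last_fail, tried = fails[-1]["time"], {e["user"] for e in fails}
    for e in events:
        if e["type"] != SUCCESS_AUDIT or e["workstation"] != workstation or e["time"] < last_fail:
            continue
        if e["user"] in tried or (e["time"] - last_fail).total_seconds() <= IMMEDIATE_S:
            return e["time"], e["user"]
    return None


if __name__ == "__main__":
    evs = parse_events(build_sample_csv())
    for ws, s in summarize_attackers(logon_failures(evs)).items():
        print(ws, s)
        print("  break-in:", find_break_in(evs, ws))
```

Run against Log Parser's real output by replacing build_sample_csv() with the contents of the CSV it wrote, after removing the EventType = 16 clause from the query so that success audits are present; the break-in time the script reports is the one to carry into the file-system search described earlier.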
Table 5.1 shows a sample of output from this SQL query. You can see that attacks came from two computers, ATTACKER1 and ATTACKER2. ATTACKER2 shows the pattern consistent with an automated password-guessing attack, with attempts coming one per second for an hour. It is also a bit of a clue that there were 2200 attempts during that hour. You can also see that the attacker in our greatly modified example used a dictionary containing five passwords to try for each userid. When you consolidate all the logs like this for analysis, you can see the attack pattern. Find an attacker and then look for the attacker in the Victim column. You can note which computer infected that one and trace it backward in the Victim column, thus