I recently released four new Events Ripper plugins: mssql.pl, scm7000.pl, scm7024.pl and apppopup26.pl.
The mssql.pl plugin primarily looks for MS SQL failed login events in the Application Event Log. I'd engaged in a response where we were able to validate the failed login attempts first in the MS SQL error logs, but then I found that the events are also listed in the Windows Event Log, specifically the Application Event Log, and I wanted to provide that insight to the analyst.
The plugin lists the usernames attempted and the frequency of each, as well as the source IP address of the login attempts and their frequency. In one instance, we saw almost 35000 failed login attempts from four public IP addresses, three of which were from the same class C subnet. This not only tells a great deal about the endpoint itself, but also provides significant information that the analyst can use immediately, as well as leverage as pivot points into the timeline. The plugin doesn't yet list successful MS SQL logins because, by default, that data isn't recorded, and I haven't actually seen such a record.
The plugin also looks for event records indicating settings changes, and lists the settings that changed. Of particular interest is the use of the xp_cmdshell stored procedure.
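The tallying the mssql.pl plugin performs can be illustrated with a short stand-alone script. This is an added example, not the plugin's own Perl code: it reads a handful of constructed event lines in a simplified pipe-delimited timeline format (epoch|source|host|user|Provider/EventID;message, an assumed stand-in for the events file Events Ripper consumes), counts failed MS SQL logins (SQL Server event 18456) by user name and by client IP, and lists configuration changes (modeled on the SQL Server 15457 message), flagging the case where xp_cmdshell is enabled. The IP addresses and messages are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines (assumption: a simplified stand-in for the
# Events Ripper events file format, not its exact layout).
SAMPLE_EVENTS = """\
1700000000|EVT|SQL01||MSSQLSERVER/18456;Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
1700000001|EVT|SQL01||MSSQLSERVER/18456;Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
1700000002|EVT|SQL01||MSSQLSERVER/18456;Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
1700000003|EVT|SQL01||MSSQLSERVER/18456;Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.77]
1700000004|EVT|SQL01||MSSQLSERVER/15457;Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
1700000005|EVT|SQL01||MSSQLSERVER/15457;Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
1700000006|EVT|SQL01||Service Control Manager/7036;The SQL Server (MSSQLSERVER) service entered the running state.
"""

# Pull the user name and the client IP out of the 18456 message text.
FAILED_LOGIN = re.compile(r"Login failed for user '([^']*)'.*?\[CLIENT: ([^\]]+)\]")
# Pull option name and old/new values out of the 15457 message text.
CONFIG_CHANGE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_events(text):
    """Yield (epoch, host, provider, event_id, message) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, _src, host, _user, desc = line.split("|", 4)
        provider_id, _, message = desc.partition(";")
        provider, _, event_id = provider_id.rpartition("/")
        yield int(epoch), host, provider, int(event_id), message


def mssql_failed_logins(text):
    """Tally failed MS SQL login attempts by user name and by client IP."""
    users, clients = Counter(), Counter()
    for _epoch, _host, provider, event_id, message in parse_events(text):
        if provider != "MSSQLSERVER" or event_id != 18456:
            continue
        m = FAILED_LOGIN.search(message)
        if m:
            users[m.group(1)] += 1
            clients[m.group(2)] += 1
    return users, clients


def mssql_config_changes(text):
    """Return (epoch, option, old, new, xp_cmdshell_enabled) for each config change."""
    changes = []
    for epoch, _host, provider, event_id, message in parse_events(text):
        if provider != "MSSQLSERVER" or event_id != 15457:
            continue
        m = CONFIG_CHANGE.search(message)
        if m:
            option, old, new = m.group(1), int(m.group(2)), int(m.group(3))
            enabled = option == "xp_cmdshell" and new != 0
            changes.append((epoch, option, old, new, enabled))
    return changes


def subnet_c(ip):
    """Return the /24 (class C) prefix of a dotted IPv4 address."""
    return ".".join(ip.split(".")[:3])


def report(text):
    """Print the same kind of summary the plugin gives an analyst."""
    users, clients = mssql_failed_logins(text)
    print("Failed MS SQL logins by user:")
    for user, n in users.most_common():
        print(f"  {user}: {n}")
    print("Failed MS SQL logins by client IP:")
    for ip, n in clients.most_common():
        print(f"  {ip} (/24 {subnet_c(ip)}.0): {n}")
    print("MS SQL configuration changes:")
    for epoch, option, old, new, enabled in mssql_config_changes(text):
        marker = "  <-- xp_cmdshell enabled, pivot into the timeline here" if enabled else ""
        print(f"  {epoch} '{option}' {old} -> {new}{marker}")


if __name__ == "__main__":
    report(SAMPLE_EVENTS)
```

Grouping the client IPs by /24 is what surfaces the "three of four from the same class C" pattern described above; the xp_cmdshell flag is the line an analyst would pivot on, since enabling it is the settings change of most interest.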
So, why does this matter? Not long ago, AhnLab published an article stating that they'd observed attacks against MS SQL servers resulting in the deployment of Trigona ransomware.
The scm7000.pl plugin locates "Service Control Manager/7000" event records, indicating that a Windows service failed to start. This is extremely important when it comes to validation of findings; just because something (i.e., something malicious) is listed as a Windows service doesn't mean that it launches and runs every time the endpoint is restarted. This is just as important to know, alongside Windows Error Reporting events, AV events, application crash events, etc. This is why we cannot treat individual events or artifacts in isolation; events are in reality composite objects, and provide (and benefit from) context from "nearby" events.
The scm7024.pl plugin looks for "Service Control Manager/7024" records in the System Event Log, which indicate that a service terminated.
The apppopup26.pl plugin looks for "Application Popup/26" event records in the Application Event Log, and lists the affected applications, providing quick access to pivot points for analysis. If an application of interest to your investigation is listed, the easiest thing to do is pivot into the timeline to see what other events occurred "near" the event in question. Similar to other plugins, this one can provide indications of applications that may have been on the system at one point, and may since have been removed.
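The three plugins above (scm7000.pl, scm7024.pl and apppopup26.pl) all reduce to the same pattern: filter the events file on a provider/ID pair, pull out the service or application name, and hand the analyst a timestamp to pivot on. The added example below, which is not the plugins' own Perl code, does that over a few constructed event lines in a simplified pipe-delimited timeline format (epoch|source|host|user|Provider/EventID;message, an assumed stand-in for the events file Events Ripper consumes) and adds the pivot step itself: given a flagged timestamp, it returns every event within a window around it, so a failed service start can be read alongside the service installation and the WER crash that bracket it. Service names, the helper.exe popup and the message texts are constructed sample data modeled on the corresponding Windows event messages.

```python
import re

# Constructed sample lines (assumption: a simplified stand-in for the
# Events Ripper events file format, not its exact layout).
SAMPLE_EVENTS = """\
1700001000|EVT|WS01||Service Control Manager/7045;A service was installed in the system. Service Name: UpdaterSvc
1700001010|EVT|WS01||Service Control Manager/7000;The UpdaterSvc service failed to start due to the following error: The system cannot find the file specified.
1700001020|EVT|WS01||Windows Error Reporting/1001;Fault bucket, type 0 Event Name: APPCRASH Response: Not available
1700001100|EVT|WS01||Service Control Manager/7024;The Spooler service terminated with service-specific error 1.
1700001200|EVT|WS01||Application Popup/26;Application popup: helper.exe - Entry Point Not Found : The procedure entry point could not be located in the dynamic link library.
1700009000|EVT|WS01||Service Control Manager/7036;The Windows Update service entered the running state.
"""

# Service name from a 7000 ("failed to start") or 7024 ("terminated") message.
SVC_FAILED = re.compile(r"The (.+?) service failed to start")
SVC_TERMINATED = re.compile(r"The (.+?) service terminated")
# Window title from an Application Popup/26 message ("Application popup: <title> : <text>").
POPUP = re.compile(r"Application popup: (.+?) : ")


def parse_events(text):
    """Return a list of (epoch, host, provider, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, _src, host, _user, desc = line.split("|", 4)
        provider_id, _, message = desc.partition(";")
        provider, _, event_id = provider_id.rpartition("/")
        events.append((int(epoch), host, provider, int(event_id), message))
    return events


def _select(text, provider, event_id, pattern):
    """Return (epoch, extracted_name) for every event matching provider/ID."""
    hits = []
    for epoch, _host, prov, eid, message in parse_events(text):
        if prov == provider and eid == event_id:
            m = pattern.search(message)
            hits.append((epoch, m.group(1) if m else message))
    return hits


def scm_7000(text):
    """Services that failed to start (what scm7000.pl reports)."""
    return _select(text, "Service Control Manager", 7000, SVC_FAILED)


def scm_7024(text):
    """Services that terminated (what scm7024.pl reports)."""
    return _select(text, "Service Control Manager", 7024, SVC_TERMINATED)


def apppopup_26(text):
    """Applications named in Application Popup/26 records (what apppopup26.pl reports)."""
    return _select(text, "Application Popup", 26, POPUP)


def pivot(text, epoch, window=60):
    """Every event within +/- window seconds of the given timestamp, in time order."""
    nearby = [e for e in parse_events(text) if abs(e[0] - epoch) <= window]
    return sorted(nearby, key=lambda e: e[0])


if __name__ == "__main__":
    for label, hits in (("Failed to start", scm_7000(SAMPLE_EVENTS)),
                        ("Terminated", scm_7024(SAMPLE_EVENTS)),
                        ("App popup", apppopup_26(SAMPLE_EVENTS))):
        for epoch, name in hits:
            print(f"{label}: {epoch} {name}")
    # Pivot on the first failed service start and show its neighbours.
    first_epoch, _ = scm_7000(SAMPLE_EVENTS)[0]
    print(f"Events within 60s of {first_epoch}:")
    for epoch, _host, provider, eid, message in pivot(SAMPLE_EVENTS, first_epoch):
        print(f"  {epoch} {provider}/{eid} {message[:60]}")
```

The pivot is the point of the exercise: on its own, a 7000 record says a service did not start; next to a 7045 service-installation record ten seconds earlier and a WER crash ten seconds later it says something about whether the thing that was installed ever actually ran.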
Events Ripper has so far proven to be an extremely powerful and valuable tool, at least to me. I "see" something, document it, add context, analysis tips, references, etc., and it becomes part of an automated process. Sharing these plugins means that other analysts can benefit from my experiences, without ever having had to see these events before.
The tool is described here, with usage information available here, as well as via the command line.