Investigation of manipulations with the control panel. Part 2

Original author: Chad Tilbury
Hello!

Today we continue the story of investigation methods and collecting evidence of launching Windows Control Panel applets.
The first part of the material on this subject is available here.

Let me remind you that with the release of Windows 7, the UserAssist mechanism has undergone significant changes. The collection of reliable evidence of applet launch is not supported on Windows7 | 8 systems; instead, we can use the so-called. jump lists (jumplists), a source of information containing traces of applet launch.

Transition Lists in Windows 7/8 (Jumplists)




In modern Windows operating systems, jump lists are one of the most important sources of information for investigations, including the ones we need to see the traces of launching Control Panel applets. Harlan Carvey wrote an excellent post on transition listings . In it, he talks in detail about the structure and practical application of lists.

To collect information related to the Control Panel, we need a list with the identifier 7e4dca80246863e3 (a list of all identifiers ). The full path to the jump list looks like this:

 %user profile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
\7e4dca80246863e3.automaticDestinations-ms


Please note that jump lists are unique to each user's profile.
Look at the picture and note an important point for yourself: each Control Panel applet has a Windows class identifier (CLSID, in JumpList it is presented in the form of a global GUID). CLSIDs / GUIDs are used in jump lists to record applet execution. In our example, the identifier {E2E7934B-DCE5-43C4-9576-7FE4F75E7480} corresponds to the Date and Time applet (timedate.cpl). The MSDN library contains a map of the correspondence of all applets and their identifiers.



It is recommended that you use the identifiers of known applets to search for user actions. For example, as we see in the figure, the last launch of the Date and Time applet took place on April 5, 2013. at 06:53:33, and its owner launched this particular list. Unlike the Prefetch and UserAssist mechanisms, information about the time of the first launch and the number of starts cannot be obtained (this information can be obtained using shadow backups). The JumpLister tool was developed by Mark Woan, already known to us .

We collect all the evidence and see the big picture


Now let's look at the big picture, imagine that during the analysis of the logs you see the following event:



Simple calculation allows you to understand that 864001 seconds is just 10 days. You are looking for prefetch files that were changed about 10 days after the event from the log (i.e. the date of the change should be 03/28/2013 + 10 days) and you see the following traces:



Thus, you have gathered evidence that the system time has been changed. It remains to be found, who changed it? Using the UserAssist key corresponding to the suspect's account, you find the missing 'evidence':



If the audit policy has been configured so that system events are logged, you will see evidence of time manipulations in the security log. Full information will be displayed, including the account of the user who has transferred the time. Traces in the system allow you to uniquely identify the account on whose behalf any applet of the Control Panel was opened. In order to determine the goals of the attacker, additional context may be required. For example, if the user moved the time back to fake the date of the email, we will need to parse the security logs, email metadata and other additional tools and sources.

Also popular now: