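#!/usr/local/bin/perl
#
# Copyright (c) 2000 - Massachusetts Institute of Technology
#
# NTAUDIT-DETECT.PL
# Jonathan Korba - Last Updated 1/5/2000
#
# This program demonstrates the detectability of NT attacks
# in the NT audit data gathered from the victim NT server (HUME) in the
# 1999 DARPA Off-line Intrusion Detection Evaluation.
# Detection is signature based.
# **This program is not intended to be used as an Intrusion Detection System.
#
# Input parameters for this program are the name of the audit log
# text file to scan for attacks, and the type of attack(s) to detect.
# The audit log text file must be created by opening an audit log
# in NT EventViewer, ordering it from oldest record to newest record,
# and then saving it as a comma-delimited text file.
#
# Each detector below reads the whole log, one record per line, and
# matches fixed strings against it.  Every detector takes an optional
# filehandle argument; without one it reads the log opened by the
# command-line entry point at the bottom of the file.
#
use strict;
use warnings;

# Handle of the event log opened by the command-line entry point.
my $EVENTLOG;

# Host name of the victim server; a record line containing it carries the
# "date,time,..." fields the detectors report.
my $VICTIM_HOST = 'HUME';

# Print the command-line usage and the list of supported attack names.
sub usage {
    print "\nUsage:\n";
    print "ntaudit-detect.pl <eventlog-file> <attack>\n";
    print "\nPossible attack(s) to detect:\n";
    print "  casesen  (U2R)\n";
    print "  dosserv  (Service Crash - Could indicate CrashIIS)\n";
    print "  hardboot (Hard Reboot - Could indicate DoSNuke, AnyPW, NTFSDOS, etc.)\n";
    print "  netbus   (R2L)\n";
    print "  netcat   (R2L)\n";
    print "  ntis     (NTInfoScan - Probe)\n";
    print "  sechole  (U2R)\n";
    print "  yaga     (U2R)\n";
    print "  all      (All of the above)\n\n";
    print "\nUndetectable with 1999 Auditting:\n";
    print "  FrameSpoofer\n";
    print "  PPMacro\n\n";
    return;
}

# ---------------------------------------------------------------------------
# Helpers shared by the detectors
# ---------------------------------------------------------------------------

# Return the filehandle a detector should read: its argument if given,
# otherwise the log opened by the entry point.  Dies if neither exists.
sub _log_handle {
    my ($fh) = @_;
    $fh = $EVENTLOG if !defined $fh;
    die "No event log file is open\n" if !defined $fh;
    return $fh;
}

# True when $line is defined and contains the literal text $needle.
# The original compared records with  $_ =~ "TEXT", which treats TEXT as a
# regex, so "." matched any character; the signatures are fixed strings.
sub _has {
    my ($line, $needle) = @_;
    return defined $line && index($line, $needle) >= 0;
}

# Read $count lines and return the last one read, or undef if the log
# ends first.
sub _skip_lines {
    my ($fh, $count) = @_;
    my $line;
    for (1 .. $count) {
        $line = <$fh>;
        return if !defined $line;    # EOF: nothing more to inspect
    }
    return $line;
}

# Starting with $line, read forward until a line containing $needle is
# found and return it.  Returns undef when the log ends first; the
# original looped forever in that case.
sub _find_line {
    my ($fh, $line, $needle) = @_;
    while (defined $line && index($line, $needle) < 0) {
        $line = <$fh>;
    }
    return $line;
}

# Date and time fields of a comma-delimited EventViewer record
# (first and second field).  Missing fields are reported as "unknown"
# so a detection is still printed for a truncated log.
sub _date_time {
    my ($line) = @_;
    my @fields = split /,/, (defined $line ? $line : '');
    my $date = defined $fields[0] ? $fields[0] : 'unknown';
    my $time = defined $fields[1] ? $fields[1] : 'unknown';
    return ($date, $time);
}

# From $line onward, find the next record of the victim host and return
# its (date, time).
sub _event_time {
    my ($fh, $line) = @_;
    return _date_time(_find_line($fh, $line, $VICTIM_HOST));
}

# ---------------------------------------------------------------------------
# Detectors
# ---------------------------------------------------------------------------

# CaseSen (U2R).  Signature: POSIX.EXE run by someone other than
# Administrator, then PSXSS.EXE run, then a user added to a group by SYSTEM.
sub detect_casesen {
    my $fh = _log_handle(@_);
    my $posix = 0;    # POSIX.EXE seen, not run by Administrator
    my $psxss = 0;    # PSXSS.EXE seen after that
    print "Looking for CaseSen Attacks...\n";
    while (defined(my $line = <$fh>)) {
        if (_has($line, 'POSIX.EXE') && $posix == 0) {
            print "Discovered execution of POSIX.EXE ";
            $line = _skip_lines($fh, 2);    # skip 2 lines to look for the User
            if (_has($line, 'User Name:') && !_has($line, 'Administrator')) {
                $posix = 1;
                print ": not run by Administrator";
            }
            print "\n";
        }
        if (_has($line, 'PSXSS.EXE') && $posix == 1 && $psxss == 0) {
            print "Discovered execution of PSXSS.EXE\n";
            $psxss = 1;
        }
        if (_has($line, 'Group Member Added') && $psxss == 1) {
            print "Discovered Group Member Added";
            my ($date, $time) = _date_time($line);    # this record's own timestamp
            $line = _skip_lines($fh, 5);              # skip 5 lines to look for the User
            if (_has($line, 'Caller User Name:') && _has($line, 'SYSTEM')) {
                print ": by SYSTEM\n";
                print "CaseSen Detected at $date $time\n";
                # Reset because there may be more CaseSens in the log.
                $posix = 0;
                $psxss = 0;
            }
            else {
                print "\n";    # finish the "Discovered" line
            }
        }
    }
    return;
}

# Service crash (possible CrashIIS): drwtsn32.exe started by SYSTEM.
sub detect_doserv {
    my $fh = _log_handle(@_);
    print "Looking for possible DoS attacks of services (e.g. CrashIIS)...\n";
    while (defined(my $line = <$fh>)) {
        next if !_has($line, 'drwtsn32.exe');
        print "Discovered drwtsn32.exe";
        $line = _skip_lines($fh, 2);    # skip 2 lines to look for the User
        if (_has($line, 'User Name:') && _has($line, 'SYSTEM')) {
            print ": run by SYSTEM\n";
            my ($date, $time) = _event_time($fh, $line);
            print "Possible DoS against service detected!!:\n";
            print "on $date at $time.\n";
        }
        else {
            print "\n";
        }
    }
    return;
}

# Hard reboot: a "Windows NT is starting up." System event that is not
# preceded by a SeShutdownPrivilege Privilege Use event.
# Possible attacks: DoSNuke, WinNuke, AnyPW, NTFSDOS.
sub detect_hardboot {
    my $fh = _log_handle(@_);
    print "Looking for Hard Reboots...\n";
    my $privilege = 0;    # a SeShutdownPrivilege event was seen
    while (defined(my $line = <$fh>)) {
        if (_has($line, 'SeShutdownPrivilege')) {
            $privilege = 1;
        }
        next if !_has($line, 'Windows NT is starting up.');
        if ($privilege == 1) {
            print "Detected soft reboot.\n";
        }
        else {
            my ($date, $time) = _event_time($fh, $line);
            print "Detected hard reboot!!:\n";
            print "on $date at $time. (Possible attacks: DoSNuke, AnyPW, NTFSDOS)\n";
        }
        $privilege = 0;    # reset because there may be more reboots
    }
    return;
}

# NetBus (R2L): execution of a file called explore.exe.
# Note: if NetBus uses a different file name it will not be detected.
sub detect_netbus {
    my $fh = _log_handle(@_);
    print "Looking for NetBus Attacks...\n";
    while (defined(my $line = <$fh>)) {
        next if !_has($line, 'explore.exe');
        print "Discovered execution of explore.exe (common name for NetBus)\n";
        my ($date, $time) = _event_time($fh, $line);
        print "NetBus attack detected!!:\n";
        print "on $date at $time.\n";
    }
    return;
}

# NetCat (R2L).  Signature: REGEDIT.EXE runs, then winlog.exe runs
# (common name for the netcat trojan).  A netcat attack that uses a name
# other than winlog.exe will not be detected.
sub detect_netcat {
    my $fh = _log_handle(@_);
    print "Looking for NetCat Attacks...\n";
    my $reg = 0;    # set once REGEDIT.EXE has run
    while (defined(my $line = <$fh>)) {
        if (_has($line, 'REGEDIT.EXE')) {
            print "Discovered REGEDIT.EXE\n";
            $reg = 1;
        }
        if (_has($line, 'winlog.exe') && $reg == 1) {
            my ($date, $time) = _event_time($fh, $line);
            print "Detected Netcat Attack!!:\n";
            print "on $date at $time.\n";
            $reg = 0;    # reset because there may be more netcat attacks
        }
    }
    return;
}

# NTInfoScan (probe).
#   Successful Logon of IUSR via Advapi + newdsn.exe run by SYSTEM => web scan
#   Successful Logon via KSecDD + SAM_USER accessed by SYSTEM 10 times => netbios scan
sub detect_ntis {
    my $fh = _log_handle(@_);
    print "Looking for NTIS attacks...\n";
    my $wlogon  = 0;    # web scan login seen
    my $nlogon  = 0;    # netbios scan login seen
    my $iuser   = 0;    # IUSR login seen (NOTE: only cleared on an Advapi logon)
    my $readusr = 0;    # times the user database was read by SYSTEM
    while (defined(my $line = <$fh>)) {
        if (_has($line, 'Successful Logon')) {
            $line = <$fh>;    # the line after the event names the account
            if (_has($line, 'IUSR')) {
                $iuser = 1;
            }
            $line = _skip_lines($fh, 4);    # skip 4 lines to get Logon Process
            if (_has($line, 'KSecDD')) {
                print "Detected logon via KSecDD.\n";
                $nlogon = 1;
            }
            if (_has($line, 'Advapi') && $iuser == 1) {
                print "Detected IUSR logon using Advapi.\n";
                $iuser  = 0;
                $wlogon = 1;
            }
        }
        if (_has($line, 'newdsn.exe') && $wlogon == 1) {
            my ($date, $time) = _event_time($fh, $line);
            print "Detected NTIS Web Scan!!!:\n";
            print "on $date at $time.\n";
            $wlogon = 0;    # reset and look for more scans
        }
        if (_has($line, 'SAM_USER') && $nlogon == 1) {
            $line = _skip_lines($fh, 5);    # skip 5 lines to look for the User
            if (_has($line, 'Primary User Name:') && _has($line, 'SYSTEM')) {
                $readusr += 1;
            }
            if ($readusr == 10) {
                my ($date, $time) = _event_time($fh, $line);
                print "Detected NTIS NetBios Scan!!!:\n";
                print "on $date at $time.\n";
                # Reset and look for more scans.
                $nlogon  = 0;
                $readusr = 0;
            }
        }
    }
    return;
}

# SecHole (U2R).  Signature: a user added to a group by SYSTEM.
# Note: this can also indicate a different attack (e.g. casesen, yaga).
sub detect_sechole {
    my $fh = _log_handle(@_);
    print "Looking for SecHole attacks...\n";
    while (defined(my $line = <$fh>)) {
        next if !_has($line, 'Group Member Added');
        print "Discovered Group Member Added";
        my ($date, $time) = _date_time($line);    # this record's own timestamp
        $line = _skip_lines($fh, 5);              # skip 5 lines to look for the User
        if (_has($line, 'Caller User Name:') && _has($line, 'SYSTEM')) {
            print ": by SYSTEM\n";
            print "Possible Sechole Detected at $date $time\n";
        }
        else {
            print "\n";
        }
    }
    return;
}

# Yaga (U2R).  Signature:
#   1) CAT.EXE runs (not necessary)
#   2) REGEDIT.EXE run by a user other than Administrator
#   3) net.exe run by SYSTEM (not a user)
#   4) Group Member Added by SYSTEM (not Administrator)
#      (this last one happens with CaseSen and SecHole as well)
# "net.exe" is a substring match, so any program name ending in net.exe
# is accepted, as in the original.
sub detect_yaga {
    my $fh = _log_handle(@_);
    my $cat = 0;    # CAT.EXE ran
    my $reg = 0;    # REGEDIT.EXE ran, not by Administrator
    my $net = 0;    # net.exe ran as SYSTEM
    print "Looking for Yaga Attacks...\n";
    while (defined(my $line = <$fh>)) {
        if (_has($line, 'CAT.EXE')) {
            print "Discovered CAT.EXE\n";
            $cat = 1;
        }
        if (_has($line, 'REGEDIT.EXE') && $reg != 1) {
            print "Discovered REGEDIT.EXE";
            $line = _skip_lines($fh, 2);    # skip 2 lines to look for the User
            if (_has($line, 'User Name:') && !_has($line, 'Administrator')) {
                $reg = 1;
                print ": not run by Administrator";
            }
            print "\n";
            next;
        }
        if (_has($line, 'net.exe') && $reg == 1) {
            print "Discovered net.exe";
            $line = _skip_lines($fh, 2);    # skip 2 lines to look for the User
            if (_has($line, 'User Name:') && _has($line, 'SYSTEM')) {
                $net = 1;
                print ": run by SYSTEM";
            }
            print "\n";
            next;
        }
        if (_has($line, 'Group Member Added') && $net == 1) {
            print "Discovered Group Member Added";
            my ($date, $time) = _date_time($line);    # this record's own timestamp
            $line = _skip_lines($fh, 5);              # skip 5 lines to look for the User
            if (_has($line, 'Caller User Name:') && _has($line, 'SYSTEM')) {
                print ": by SYSTEM\n";
                print "Yaga Attack Detected at $date $time\n";
                # Reset because there may be more Yagas in the log.
                $cat = 0;
                $reg = 0;
                $net = 0;
            }
            else {
                print "\n";
            }
            next;
        }
    }
    return;
}

# ---------------------------------------------------------------------------
# Command-line entry point.  Skipped when the file is loaded with
# require/do, so the detectors can be exercised on their own.
# ---------------------------------------------------------------------------
if (!caller) {
    if (@ARGV != 2) {    # requires exactly 2 args
        usage();
    }
    else {
        my ($log_file, $attack) = @ARGV;
        # Three-argument open: the file name is taken literally and is never
        # parsed for a mode or a pipe, whatever characters it contains.
        open my $fh, '<', $log_file or die "Cannot open Event Log File $!";
        $EVENTLOG = $fh;

        my %detector_for = (
            casesen  => \&detect_casesen,
            doserv   => \&detect_doserv,
            dosserv  => \&detect_doserv,    # the spelling usage() advertises
            hardboot => \&detect_hardboot,
            netbus   => \&detect_netbus,
            netcat   => \&detect_netcat,
            ntis     => \&detect_ntis,
            sechole  => \&detect_sechole,
            yaga     => \&detect_yaga,
        );
        my @all_attacks = qw(casesen doserv hardboot netbus netcat ntis sechole yaga);

        if ($attack eq 'all') {
            for my $name (@all_attacks) {
                # Each detector reads to end of file, so rewind before the
                # next one; previously only the first detector saw any records.
                seek $fh, 0, 0 or die "Cannot rewind Event Log File $!";
                $detector_for{$name}->($fh);
            }
        }
        elsif (exists $detector_for{$attack}) {
            $detector_for{$attack}->($fh);
        }
        else {
            usage();
        }
        close $fh;
    }
    exit;
}

1;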