Work Package 2: Analysis of Windows 10


Version: 1.0

Federal Office for Information Security
Post Box 20 03 63
D-53133 Bonn
Phone: +49 22899 95820-0
E-Mail: [email protected]
Internet: https://www.bsi.bund.de
© Federal Office for Information Security 2018

Table of Contents

1 Introduction
  1.1 Zusammenfassung (German summary)
  1.2 Executive Summary
2 Architecture Overview
  2.1 Traditional Architecture
  2.2 Virtual Secure Mode Architecture
  2.3 Terminology and Scope
3 Component Architecture
  3.1 PowerShell and Windows Script Host
    3.1.1 PowerShell
    3.1.2 Windows Script Host
  3.2 Telemetry
  3.3 Virtual Secure Mode
  3.4 Device Guard
  3.5 Trusted Platform Module and Unified Extensible Firmware Interface “Secure Boot”
  3.6 Universal Windows Platform
  3.7 Other Components
    3.7.1 System Support Processes
    3.7.2 Services
    3.7.3 Drivers
    3.7.4 Windows Subsystem, ntdll.dll, Windows Kernel, and HAL
    3.7.5 Summary
4 Logging Capabilities
  4.1 Windows 10: Logging Capabilities
  4.2 Logging Domain: EventLog
  4.3 Logging Domain: Components
Appendix
  Tools
  List of Services
  List of Drivers
  Audit Policy Categories and Event IDs
Reference Documentation
Keywords and Abbreviations

Figures

Figure 1: A compact overview of the architecture of Windows 10
Figure 2: An overview of the architecture of Windows 10
Figure 3: Implementation of the ExAllocatePoolWithTag routine in the Windows kernel
Figure 4: A function call chain in Windows 10
Figure 5: An overview of the architecture of Windows 10 (VSM enabled)
Figure 6: The deployment of the local security authority in a Windows 10 system with a) VSM disabled; b) VSM enabled
Figure 7: The architecture of PowerShell
Figure 8: PowerShell core modules
Figure 9: The architecture of WSH
Figure 10: The COM interface of WSH: The WSHNetwork COM object
Figure 11: The architecture of Microsoft Telemetry
Figure 12: Deployment of the DiagTrack service
Figure 13: Network traffic between Windows 10 and the Microsoft Data Management Service
Figure 14: Trace providers configured for Diagtrack-Listener
Figure 15: VTLs
Figure 16: The architecture and function execution paths of VSM
Figure 17: An invocation of the SkCallNormalMode routine
Figure 18: The architecture of Device Guard
Figure 19: A Device Guard policy file