A tool is available that allows investigators to detect the use of specific NSA-linked malware and recover event log data, researchers said.
Shadow Brokers published several tools and exploits stolen from the Equation Group, cyberspies believed to be working for the U.S. National Security Agency (NSA).
One of the tools released by Shadow Brokers was DanderSpritz, a post-exploitation framework that allows hackers to harvest data, bypass and disable security systems, and move laterally within a compromised network.
One of the tool's plugins is EventLogEdit, which can manipulate Windows Event Log files to help attackers cover their tracks.
“Eventlogedit appeared to be more sophisticated,” said Fox-IT researchers in a post. “Investigative methods able to spot other methods of event log manipulation were not able to show indicators of edited log files after the use of eventlogedit. Using eventlogedit, an attacker is able to remove individual event log entries from the Security, Application and System log on a target Windows system.”
Fox-IT researchers found a way to determine if EventLogEdit has been used on a system, and even recover the event log entries that it removed.
Fox-IT was able to create a Python script that detects the use of eventlogedit and fully recovers the event log entries removed by the attacker.
“When eventlogedit is used, the to-be-removed event record itself isn’t edited or removed at all: the record is only unreferenced,” the researchers said. “This is achieved by manipulation of the record header of the preceding record. Eventlogedit adds the size of the to-be-removed-record to the size of the previous record, thereby merging the two records. The removed record including its record header is now simply seen as excess data of the preceding record,” researchers said. “You might think that an event viewer would show this excess or garbage data, but no. Apparently, all tested viewers parse the record binXml message data until the first end-tag and then move on to the next record.”
Organizations that forward logs in real time to a central server should still see the removed records there, but sophisticated attackers are likely to compromise that server as well in an effort to hide their activity, researchers said.
Since the EventLogEdit tool leaves the removed record and record header in their original state, full recovery of the data is possible.
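To make the detection and recovery idea concrete, here is an added example; it is not Fox-IT's script and not code from the article. It assumes the real EVTX record layout (the `**\x00\x00` signature, a 32-bit size, a 64-bit record id, a 64-bit FILETIME, the body, and a trailing copy of the size) but uses short constructed ASCII payloads in place of binXml, and it includes a small constructed fixture that reproduces the manipulation described above (the preceding record's header size is enlarged, the removed record's bytes are left in place) so the scanner has input to work on. The scanner walks records by their declared size and, inside each declared span, looks for an embedded record header whose surrounding size fields are self-consistent; each such header is an unreferenced record that can be carved back out.

```python
import struct

RECORD_MAGIC = b"**\x00\x00"   # EVTX record signature (0x2a2a0000)
HEADER_LEN = 24                 # magic(4) + size(4) + record id(8) + FILETIME(8)
MIN_RECORD = HEADER_LEN + 4     # header plus trailing size copy, empty body


def build_record(record_id: int, filetime: int, payload: bytes) -> bytes:
    """Serialise one record in the EVTX record layout. `payload` stands in for binXml."""
    size = HEADER_LEN + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, filetime)
            + payload + struct.pack("<I", size))


def build_chunk(records, remove_ids=()):
    """Constructed fixture (assumption, not captured data): records laid out back to back.
    For each id in remove_ids the header size of the preceding *referenced* record is
    enlarged by the removed record's size; the removed record's bytes are left untouched.
    The first record has no predecessor and is therefore never unreferenced here."""
    blobs = [bytearray(build_record(*r)) for r in records]
    last_ref = None
    for i, blob in enumerate(blobs):
        if records[i][0] in remove_ids and last_ref is not None:
            cur = struct.unpack_from("<I", blobs[last_ref], 4)[0]
            struct.pack_into("<I", blobs[last_ref], 4, cur + len(blob))
        else:
            last_ref = i
    return bytes(b"".join(blobs))


def parse_header(buf: bytes, off: int):
    """Return (size, record_id, filetime) if a plausible record header starts at off."""
    if off + HEADER_LEN > len(buf) or buf[off:off + 4] != RECORD_MAGIC:
        return None
    size, rid, ft = struct.unpack_from("<IQQ", buf, off + 4)
    if size < MIN_RECORD or off + size > len(buf):
        return None
    return size, rid, ft


def scan_chunk(buf: bytes):
    """Walk referenced records by declared size; carve unreferenced records out of
    oversized spans. Returns (visible, hidden), each a list of (record_id, payload)."""
    visible, hidden = [], []
    off = 0
    while off + HEADER_LEN <= len(buf):
        hdr = parse_header(buf, off)
        if hdr is None:
            break
        size, rid, _ft = hdr
        end = off + size
        embedded = []              # (start, size, record id) of unreferenced records
        prev_start = off
        cursor = off + MIN_RECORD  # no record can start earlier than this
        while True:
            pos = buf.find(RECORD_MAGIC, cursor, end)
            if pos == -1:
                break
            inner = parse_header(buf, pos)
            # The 4 bytes before a genuine embedded header are the trailing size copy
            # of the record that originally preceded it; its own trailer must match too.
            prev_trailer = struct.unpack_from("<I", buf, pos - 4)[0]
            if (inner is not None and prev_trailer == pos - prev_start
                    and pos + inner[0] <= end
                    and struct.unpack_from("<I", buf, pos + inner[0] - 4)[0] == inner[0]):
                embedded.append((pos, inner[0], inner[1]))
                prev_start = pos
                cursor = pos + inner[0]
            else:
                cursor = pos + 1   # signature bytes inside a body, keep looking
        first_end = embedded[0][0] if embedded else end
        visible.append((rid, buf[off + HEADER_LEN:first_end - 4]))
        for start, isize, irid in embedded:
            hidden.append((irid, buf[start + HEADER_LEN:start + isize - 4]))
        off = end
    return visible, hidden


if __name__ == "__main__":
    # Constructed sample: four records, then the same chunk with ids 2 and 3 unreferenced.
    recs = [(1, 100, b"<A/>"), (2, 101, b"<B/>"), (3, 102, b"<C/>"), (4, 103, b"<D/>")]
    for label, chunk in (("clean", build_chunk(recs)),
                         ("tampered", build_chunk(recs, remove_ids={2, 3}))):
        vis, hid = scan_chunk(chunk)
        print(label, "visible:", [r for r, _ in vis], "recovered:", hid)
```

A real implementation would iterate over every 64 KiB ElfChnk in the .evtx file and decode the recovered binXml instead of returning raw bytes; the consistency checks on both size copies are what keep a stray `**\x00\x00` inside a legitimate message body from being reported as a hidden record.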