Script retrieves event logs modified by NSA hacking tool
Security researchers have found a way to reverse the effects of an NSA hacking tool that removes event logs from compromised machines.
Fox-IT has published a Python script that retrieves entries deleted from event logs with the "eventlogedit" utility, part of DanderSpritz, an alleged NSA cyber weapon leaked online by a hacker group known as the Shadow Brokers.
According to Fox-IT, they discovered a flaw in the DanderSpritz log cleaner when they realized that the utility does not actually erase entries from the event log; it only unreferences them by merging them into a neighbouring entry.
By default, DanderSpritz merges one or more "compromising" log entries into the preceding clean entry.
When the Windows Event Log application reads a tampered log file, it reads the clean entry, sees its end marker, and skips over the now-unreferenced contents of the "bad" events.
This ingenious trick allows attackers to hide malicious actions on compromised machines. With the new Fox-IT danderspritz-evtx script, investigators can now reconstruct the original log file and trace the attacker's footprints.
The script is available on GitHub and is essential for people investigating compromised machines.
Because DanderSpritz has been leaked for more than half a year, more than just NSA operators are using it today, and some cybercrime groups and malware families may well have integrated the technique at the heart of the "eventlogedit" component into their own arsenals.
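To make the "merge" trick and its recovery concrete, here is an added example in Python; it is not the Fox-IT script and not code from the DanderSpritz leak. It builds a constructed, simplified chunk of EVTX-style records (each record: magic bytes, size, record id, timestamp, payload, padding, size copy; the binary XML body is replaced by a short placeholder string), enlarges one record's size field so that it swallows the two records after it, and then shows the two reading strategies: a normal parser that follows size fields and never sees the hidden records, and a recovery scan that looks for record magic on 8-byte boundaries inside every record's declared span. The assumption that the tampered span is made self-consistent (trailing size copy patched) is mine, chosen so that a size-following parser sees nothing odd; the report line format mirrors the tool output shown further down.

```python
import struct
from dataclasses import dataclass

RECORD_MAGIC = b"\x2a\x2a\x00\x00"  # every EVTX record starts with '**\0\0'
HEADER_LEN = 24                     # magic(4) + size(4) + record id(8) + FILETIME(8)
MIN_RECORD = HEADER_LEN + 4         # header plus the trailing size copy


@dataclass
class Record:
    offset: int        # byte offset within the chunk
    record_id: int
    size: int
    payload: bytes
    hidden: bool       # True when found inside another record's declared span


def build_record(record_id, payload):
    """Synthetic EVTX-style record (constructed test data, not a real EVTX writer)."""
    size = MIN_RECORD + len(payload)
    size += (-size) % 8                      # records are kept 8-byte aligned
    data = RECORD_MAGIC + struct.pack("<IQQ", size, record_id, 0) + payload
    data += b"\x00" * (size - len(data) - 4)  # padding up to the size copy
    return data + struct.pack("<I", size)


def make_sample_chunk():
    """Constructed sample: records 1-4, with record 1's size field enlarged so that
    records 2 and 3 fall inside its span and are never reached by a normal reader.
    Assumption: the span is made self-consistent (size copy patched) on purpose."""
    clean = [build_record(i, f'<Event id="{i}"/>'.encode()) for i in range(1, 5)]
    span = bytearray(clean[0] + clean[1] + clean[2])
    struct.pack_into("<I", span, 4, len(span))             # inflate header size
    struct.pack_into("<I", span, len(span) - 4, len(span))  # patch trailing size copy
    return bytes(span) + clean[3]


def parse_header(buf, off):
    """Return (size, record_id) if a plausible record header starts at off, else None."""
    if buf[off:off + 4] != RECORD_MAGIC or off + HEADER_LEN > len(buf):
        return None
    size, record_id, _ts = struct.unpack_from("<IQQ", buf, off + 4)
    if size < MIN_RECORD or size % 8 or off + size > len(buf):
        return None
    return size, record_id


def walk_records(chunk):
    """What a normal reader does: follow each declared size to the next record."""
    out, off = [], 0
    while off < len(chunk):
        hdr = parse_header(chunk, off)
        if hdr is None:
            break
        size, rid = hdr
        payload = chunk[off + HEADER_LEN:off + size - 4].rstrip(b"\x00")
        out.append(Record(off, rid, size, payload, False))
        off += size
    return out


def recover_records(chunk):
    """Walk the visible records, then scan inside each span for record magic on
    8-byte boundaries; a valid header there is a record that was merged away.
    The enclosing record is shrunk back to end where the first hidden one starts."""
    found = []
    for rec in walk_records(chunk):
        end = rec.offset + rec.size
        pos = rec.offset + HEADER_LEN
        pos += (-pos) % 8
        hidden = []
        while pos + MIN_RECORD <= end:
            hdr = parse_header(chunk, pos)
            if hdr and pos + hdr[0] <= end:
                size, rid = hdr
                payload = chunk[pos + HEADER_LEN:pos + size - 4].rstrip(b"\x00")
                hidden.append(Record(pos, rid, size, payload, True))
                pos += size          # jump past it; it may itself hide siblings
            else:
                pos += 8
        if hidden:                   # restore the enclosing record's true extent
            rec.size = hidden[0].offset - rec.offset
            rec.payload = chunk[rec.offset + HEADER_LEN:rec.offset + rec.size - 4].rstrip(b"\x00")
        found.append(rec)
        found.extend(hidden)
    return found


def report(chunk):
    """One line per recovered record, in the style of the tool output below."""
    recs = recover_records(chunk)
    enclosing = None
    lines = []
    for rec in recs:
        if not rec.hidden:
            enclosing = rec.record_id
        else:
            lines.append(f"Found a deleted record within record number {enclosing} at offset 0x{rec.offset:04X}")
    return lines


if __name__ == "__main__":
    sample = make_sample_chunk()
    print("visible:", [r.record_id for r in walk_records(sample)])
    print("\n".join(report(sample)))
```

The scan is deliberately strict about what counts as a hidden record (magic, sane size, 8-byte alignment, fits inside the enclosing span) so that random payload bytes do not produce false positives; on a clean chunk it reports nothing.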
What is DanderSpritz
DanderSpritz is a post-exploitation framework that includes many other utilities in addition to its log-cleaning capability. The NSA typically used it together with FuzzBunch, an exploitation framework.
NSA operators would use FuzzBunch to load and run exploits against specific computers, then deploy DanderSpritz to search for and extract confidential data, spread to nearby computers, and eliminate any traces of the compromise.
"Think of it as the Metasploit Meterpreter version of the nation state but with automatic detection and evasion of Antivirus and a ton of (previously) undetectable tools to dump passwords, gather information, gain persistence and move laterally," Francisco Donoso, a researcher at Kudelski Security, wrote about DanderSpritz last May.
Usage
user@computer:$ ./danderspritz_evtx.py -h
usage: danderspritz_evtx.py [-h] -i INPUT_PATH [-o OUTPUT_PATH]
                            [-e EXPORT_PATH]

danderspritz_evtx.py - Parse evtx files and detect the use of the danderspritz
module that deletes evtx entries

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT_PATH, --input INPUT_PATH
                        Path to evtx file
  -o OUTPUT_PATH, --output OUTPUT_PATH
                        Path to corrected evtx file
  -e EXPORT_PATH, --export EXPORT_PATH
                        Path to location to store exported xml records
Export
user@computer:$ ./danderspritz_evtx.py -i Security.evtx -o Security_fixed.evtx -e Security_export.xml
Reading records from Security.evtx ...
Found a deleted record within record number 2112 at offset 0x1EA0
Found a deleted record within record number 2112 at offset 0x1CD8
Found a deleted record within record number 2112 at offset 0x1B30
Found a deleted record within record number 2112 at offset 0x1240
Found a deleted record within record number 2112 at offset 0x0618
Found a deleted record within record number 2112 at offset 0x01E8
Found a deleted record within record number 2113 at offset 0x08C0