
Those "someone is spying on me" cases

8 Posts
4 Users
0 Likes
549 Views
(@s2_james)
Posts: 4
New Member
Topic starter
 

Bottom Line Up Front: How to automate the phase one level investigation of a system for targeted monitoring.

Situation: We all get these cases, you know the one where the client swears that someone must be "hacking" them or otherwise monitoring their communications. These cases range from seriously high conflict situations where anything is possible… down to emotionally troubled individuals who may or may not have an actual vulnerability.

Roughly speaking it has been my experience that 50% of these cases are false alarms, 40% have had an account such as iCloud compromised (normally due to weak or shared passwords), 9% are legit but the tools being used are common commercial off the shelf (COS) "monitoring" programs like EliteKeyLogger or Spyrix… then maybe 1% involve a technologically skilled adversary who uses more "legit" penetration tools.

Goal: Acquire or develop a set of search terms and artefacts to facilitate a rapid triage of these cases. I am interested in an "open source" style effort here… meaning that I am willing to share the full project with anyone who contributes and possibly the community as a whole depending on the response.

Forensic Systems: I am normally using Cellebrite, Backlight, or FTK for these types of cases… However I want to ensure that these tools can work across multiple platforms.

So how do we define a 'Saved Search' / 'Watch List' / etc… that can be a one click and go search for any current or historical installation of the mainstream monitoring tools? What should be included in this list? Additionally, how can we include a search of common remote access protocols/programs by searching for logs that document instances of access? Let's start basic and grow in complexity of attack… i.e. develop for COS threats first then add capabilities to search for more sophisticated attacks.

I am open to any and all ideas here. Please comment and contribute at will.

Thanks,
James

 
Posted : 16/08/2018 6:36 pm
(@kenobyte)
Posts: 36
Eminent Member
 

Can you create a hash database of known tools, let's say the more commercial tools, and run comparisons at least for those commercially distributed?

 
Posted : 16/08/2018 8:54 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Goal: Acquire or develop a set of search terms and artefacts to facilitate a rapid triage of these cases. I am interested in an "open source" style effort here… meaning that I am willing to share the full project with anyone who contributes and possibly the community as a whole depending on the response.

Can you start by sharing the search terms and artifacts that you already have, from the cases you've done, here?

That might be a good start.

Thanks.

 
Posted : 16/08/2018 9:49 pm
(@s2_james)
Posts: 4
New Member
Topic starter
 

Absolutely. So right now I start with just running a very standard search that includes the below list of keywords. The problem with this is that it returns thousands (sometimes tens of thousands) of false positives since these keywords show up randomly more often than you would think.

Then if the above doesn't return any actionable intel, I manually review images on the system since a lot of programs store tons of screenshots.

Then I manually review all installed apps and executables that are on a system and individually research any that I don't know are not monitoring apps.

Then I run the automated malware utilities in the given forensic tool and manually review those results.

Then I look at desktop sharing applications and protocols for logs of access and file transfer.

Lastly I look at things like FTP and SSH logs…

So as you can see I suck at this… Or at least I feel like I suck at this, since I know/feel that I am going about this the worst way possible.

Keywords
keylogger
logger
blackbox
ardamax
refog
revealer
danusoft
spyrix
elite
aobo
mspy
spybubble
mobistealth
flexispy
spyera
truthspy
highster
phonesheriff
ispyoo
fireworld

 
Posted : 17/08/2018 8:19 pm
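The keyword list above produces the false positives described because short, ordinary words ("elite", "logger") are matched anywhere. The following is an added example, not code from the thread or from any of the tools mentioned: it keeps the posted list but splits it into product names (matched as substrings, since they sit inside names like FLEXISPY_SETUP.EXE) and generic words (matched only as whole words), weights the two tiers differently, and returns artefacts best-first so product-name hits are reviewed before generic ones. The tier split, the weights and the sample artefacts are my own assumptions and constructed data.

```python
import re
from typing import Dict, List

# The keyword list posted above, split into two tiers. The split is an
# assumption of this example, not part of the original list: product names
# rarely occur by accident, while generic words also match games, libraries
# and AV signature files.
SPECIFIC_TERMS = [
    "ardamax", "refog", "danusoft", "spyrix", "aobo", "mspy", "spybubble",
    "mobistealth", "flexispy", "spyera", "truthspy", "highster",
    "phonesheriff", "ispyoo", "fireworld",
]
GENERIC_TERMS = ["keylogger", "logger", "blackbox", "revealer", "elite"]

# Product names may sit inside longer tokens (FLEXISPY_SETUP.EXE), so they are
# matched as substrings; generic words must stand alone as whole words.
SPECIFIC_RE = re.compile("|".join(map(re.escape, SPECIFIC_TERMS)), re.IGNORECASE)
GENERIC_RE = re.compile(r"\b(" + "|".join(map(re.escape, GENERIC_TERMS)) + r")\b",
                        re.IGNORECASE)

SPECIFIC_WEIGHT = 3   # one product-name hit outranks several generic hits
GENERIC_WEIGHT = 1


def score_artefact(text: str) -> Dict[str, object]:
    """Score one artefact string (a file path, a prefetch entry, an uninstall
    DisplayName, ...) and return the hits that produced the score."""
    specific = [m.lower() for m in SPECIFIC_RE.findall(text)]
    generic = [m.lower() for m in GENERIC_RE.findall(text)]
    return {
        "artefact": text,
        "hits": specific + generic,
        "score": SPECIFIC_WEIGHT * len(specific) + GENERIC_WEIGHT * len(generic),
    }


def triage(artefacts: List[str]) -> List[Dict[str, object]]:
    """Score every artefact, drop the ones with no hit and return the rest
    best-first (sorted() is stable, so ties keep their listing order)."""
    scored = [score_artefact(a) for a in artefacts]
    return sorted((s for s in scored if s["score"] > 0), key=lambda s: -s["score"])


# Constructed sample artefacts (not from any real case): paths and a prefetch
# entry of the kind a file-system listing of a mounted image yields.
SAMPLE_ARTEFACTS = [
    r"C:\Program Files (x86)\Spyrix Personal Monitor\spm.exe",
    r"C:\Windows\Prefetch\FLEXISPY_SETUP.EXE-1A2B3C4D.pf",
    r"C:\Program Files\Elite Keylogger\ek.exe",
    r"C:\Program Files\Elite Dangerous\EliteDangerous64.exe",
    r"C:\Python37\Lib\logging\__init__.py: class Logger(Filterer)",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ARTEFACTS):
        print(f'{row["score"]:>2}  {row["hits"]}  {row["artefact"]}')
```

Run against a real listing, the input would be the paths, prefetch names and uninstall-key display names exported from the forensic tool; the game folder and the Python logging module still surface, but at the bottom of the list, which is the point of weighting rather than filtering.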
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Absolutely. So right now I start with just running a very standard search that includes the below list of keywords. The problem with this is that it returns thousands (sometimes tens of thousands) of false positives since these keywords show up randomly more often than you would think.

Okay, this is a good start…

I'm not sure that I'd agree with "randomly"…the reason being that I can't remember having seen any keyloggers that include the word "keylogger" in the code. Usually, based on my experience, such things pop up in AV software updates.

Then if the above doesn't return any actionable intel, I manually review images on the system since a lot of programs store tons of screenshots.

Interesting idea.

Then I manually review all installed apps and executables that are on a system and individually research any that I don't know are not monitoring apps.

Okay.

Then I run the automated malware utilities in the given forensic tool and manually review those results.

What are "the automated malware utilities in the given forensic tool"?

Then I look at desktop sharing applications and protocols for logs of access and file transfer.

Okay.

Lastly I look at things like FTP and SSH logs…

So, you get a lot of servers to examine? I ask, b/c I usually see things like FTP logs on FTP servers.

So as you can see I suck at this… Or at least I feel like I suck at this, since I know/feel that I am going about this the worst way possible.

The good news is that you appear to have a documented (even if it's just what you wrote above), repeatable procedure. In my experience, most DFIR folks don't document anything, so nothing is "repeatable". The fact that you have something makes it oh, so much easier to work with…

That being said, I can remember getting cases like this myself. Very often, it was someone from HR saying that their computer had been hacked, b/c people outside of HR were aware of lay-offs…dates, locations, even individual names. It turned out that the computer wasn't hacked…one of the HR reps would send something to the printer before lunch but not pick it up until after lunch. We found that the issue was really much simpler…people were finding the stuff sitting by the printer and making copies of the files.

Anywho, the type of case you're looking at is one of the most challenging, as very often, it becomes a case of "how do I prove a negative"? The key to this is to have a very thorough process for conducting analysis, one that you can go through and update, as necessary.

I'd start with mounting the image of the system (FTK Imager would allow this…), and scan it with Windows Defender, updated just before the scan. I suggest Defender, because it gives me fits when I'm doing research…it catches things like APTSimulator, the China Chopper web shell, etc.

From there, I'd look into some sort of hash analysis.

You might also consider Yara, as well. See if you can find any rules specific to spyware.

Continue looking at images, although under the circumstances, I'd focus specifically on folders with a large number of images, rather than manually reviewing all images on the system.

Again, this is a very difficult type of case to address, as (in my experience) there often isn't anything to be found on the computer system. I would suggest that anytime you do find something, document it thoroughly, and update your process.

HTH

 
Posted : 18/08/2018 10:55 am
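The suggestion above is to look for folders with a large number of images rather than reviewing every image. The following is an added example, not code from the thread: it walks a mounted image, reports every directory holding at least a threshold number of image files, and for each one measures how uniformly the files are named (digits collapsed to '#'), since a screenshot dumper tends to write timestamp-named files while a photo album does not. The threshold, the extension list and the sample directory tree are my own assumptions and constructed data.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".bmp", ".gif"}   # assumption


def name_template(filename: str) -> str:
    """Collapse every digit run to '#', so 2018-08-17_12-30-01.jpg and
    2018-08-17_12-30-02.jpg share the template #-#-#_#-#-#.jpg."""
    return re.sub(r"\d+", "#", filename.lower())


def find_image_dense_dirs(root: str, min_images: int = 20) -> List[Dict[str, object]]:
    """Walk a mounted image from `root` and report every directory holding at
    least `min_images` image files, with the share of files that follow the
    directory's most common naming template (1.0 = every file is named alike)."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        images = [f for f in filenames
                  if os.path.splitext(f)[1].lower() in IMAGE_EXTENSIONS]
        if len(images) < min_images:
            continue
        templates = Counter(name_template(f) for f in images)
        template, hits = templates.most_common(1)[0]
        results.append({
            "dir": dirpath,
            "count": len(images),
            "dominant_template": template,
            "template_ratio": hits / len(images),
        })
    return sorted(results, key=lambda r: -r["count"])


def build_sample_tree(root: str) -> None:
    """Create a constructed directory layout (not a real case) under `root`:
    a temp folder full of timestamp-named screenshots, a holiday album with
    varied names, and a Documents folder with two stray images."""
    scr = Path(root, "Users", "alice", "AppData", "Local", "Temp", "scr")
    holiday = Path(root, "Users", "alice", "Pictures", "Holiday")
    docs = Path(root, "Users", "alice", "Documents")
    for d in (scr, holiday, docs):
        d.mkdir(parents=True, exist_ok=True)
    for i in range(60):
        (scr / f"2018-08-17_12-30-{i:02d}.jpg").touch()
    for i in range(25):
        (holiday / f"{chr(97 + i) * 3}_{i}.jpg").touch()   # aaa_0.jpg, bbb_1.jpg, ...
    for name in ("scan.png", "invoice.jpg", "notes.txt"):
        (docs / name).touch()


def demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_image_dense_dirs(root, min_images=20)


if __name__ == "__main__":
    for row in demo():
        print(f'{row["count"]:>4} images  ratio={row["template_ratio"]:.2f}  '
              f'{row["dominant_template"]}  {row["dir"]}')
```

Both the screenshot folder and the album pass the count threshold; the template ratio (1.00 versus 0.04 here) is what separates them, and a camera folder of IMG_0001.jpg-style names would score high on that ratio too, so it ranks folders for review rather than deciding anything on its own.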
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In my experience, most DFIR folks don't document anything, so nothing is "repeatable". The fact that you have something makes it oh, so much easier to work with…

That being said, I can remember getting cases like this myself. Very often, it was someone from HR saying that their computer had been hacked, b/c people outside of HR were aware of lay-offs…dates, locations, even individual names. It turned out that the computer wasn't hacked…one of the HR reps would send something to the printer before lunch but not pick it up until after lunch. We found that the issue was really much simpler…people were finding the stuff sitting by the printer and making copies of the files.

And those someones in HR are the ones that actually hire those DFIR folks 😯.
The circle is closed 😉.

jaclaz

 
Posted : 18/08/2018 1:26 pm
(@s2_james)
Posts: 4
New Member
Topic starter
 

Ok, first things first… I would love to derail my own thread and just hate on HR trying to hire technical experts… It would be far cheaper than the therapy I feel like I need after dealing with them… OK RANT OVER… before I get fired up…

Let me address the latest comments (in no specific order)

1.) Thank you for the compliments, documentation and repeatability are everything to any scientific effort.
2.) You are correct that these are some of the least rewarding and most challenging cases out there… Reasons range from the client to the difficulties of proving a negative.
3.) No I don't get a lot of servers, HOWEVER, burnt hands remember best… I have had 2 cases (not being sarcastic here when I say an amazingly high number) where the system had OpenSSH on it and was being accessed that way so that the attacker could access it remotely without alerting the end user… I have also had 7 cases where a Remote Desktop Protocol was being used… SO… Now all systems get a look under the hood for that type of stuff since I don't ever want to have to file an E&O claim with my insurance for my laziness.

Hash Sets — I am going to eat humble pie with my coffee this morning and publicly disclose that I have no idea how to pick a data point in a program that I know will be the same on every install of that program and then make a hash of that item that I could then search for… HELL I DON'T EVEN KNOW IF THAT IS WHAT WE ARE TALKING ABOUT? I could be misunderstanding the issue all together… Meaning I don't know how to make a hash list looking for software at all!!!! Furthermore… and of course baby steps first, while building a hash list to find currently installed software is of the utmost importance, I am even more excited about finding/building a hash list to detect previously installed software.

So if anyone is willing to educate me on this then I am all ears/eyes.

ALSO — For those of you just joining us, feel free to jump in at any point and at any level… I am interested in all ideas related to this issue.

James

 
Posted : 19/08/2018 2:07 pm
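The hash-database idea raised earlier in the thread and the question above about what to hash come down to the same thing: the "data point that is the same on every install" is the program's own files, whose content hash is identical wherever that version is installed (a new version means new hashes, so the set is built per version). The following is an added example, not code from the thread or from any forensic tool: it builds a SHA-256 set from a reference folder laid out as tool/version/files, then hashes every file under a mounted image and reports content matches regardless of the name the file now carries. The folder layout, the chunk size and the fake "tool" bytes are my own assumptions and constructed data.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Most forensic hash-set formats carry MD5 and/or SHA-1 next to SHA-256, so
# one pass computes all three; the matching below keys on SHA-256 only.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Hash a file's full contents in 1 MiB chunks, so large binaries never
    have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_hash_set(reference_dir: str) -> Dict[str, str]:
    """Hash every file under reference_dir (assumed layout: tool/version/files)
    and map sha256 -> 'tool/version/filename' so a hit names the product."""
    hash_set: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(reference_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            label = os.path.relpath(full, reference_dir).replace(os.sep, "/")
            hash_set[hash_file(full, ("sha256",))["sha256"]] = label
    return hash_set


def scan_tree(root: str, hash_set: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hash every file under root (a mounted image) and return
    (path in image, reference label) for each content match."""
    matches = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hash_file(full, ("sha256",))["sha256"]
            if digest in hash_set:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                matches.append((rel, hash_set[digest]))
    return sorted(matches)


def demo() -> List[Tuple[str, str]]:
    """Constructed demonstration (no real tool binaries): a reference folder of
    'known tool' files and an 'image' in which one of them has been renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, img = Path(tmp, "reference"), Path(tmp, "image")
        tool_a = b"TOOLA-V1-" + bytes(range(256))      # stands in for a product binary
        tool_b = b"TOOLB-V2.3-" + bytes(range(256))
        (ref / "ToolA" / "1.0").mkdir(parents=True)
        (ref / "ToolA" / "1.0" / "toola.exe").write_bytes(tool_a)
        (ref / "ToolB" / "2.3").mkdir(parents=True)
        (ref / "ToolB" / "2.3" / "svc.exe").write_bytes(tool_b)
        # The 'mounted image': toola.exe copied under an innocuous name, a
        # benign file, and a file sharing only a prefix with ToolB (no match).
        (img / "Windows" / "Temp").mkdir(parents=True)
        (img / "Windows" / "Temp" / "svchost32.exe").write_bytes(tool_a)
        (img / "Windows" / "Temp" / "readme.txt").write_bytes(b"nothing to see")
        (img / "Users").mkdir()
        (img / "Users" / "notes.txt").write_bytes(b"TOOLB-V2.3-")
        return scan_tree(str(img), build_hash_set(str(ref)))


if __name__ == "__main__":
    for image_path, label in demo():
        print(f"{image_path}  matches  {label}")
```

A name-based search would miss the renamed copy; the content hash does not. The same set only helps with previously installed software where a file of the tool still exists on the image (an installer left in a download folder, or a copy recovered by carving); name-based leftovers such as prefetch entries have to be found with the keyword approach instead.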
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Ok, first things first… I would love to derail my own thread and just hate on HR trying to hire technical experts… It would be far cheaper than the therapy I feel like I need after dealing with them… OK RANT OVER… before I get fired up…

Yep 😀, JFYI (I promise I won't provide further distractions after this)
https://www.forensicfocus.com/Forums/viewtopic/t=13579/

jaclaz

 
Posted : 19/08/2018 5:07 pm