Audit Counter-measures Outline
Brant Hashii, Chris Wee
- Intrusion detection relies on audit logs
- Can audit logs be trusted?
- If super-user is trusted?
- If super-user is not trusted?
- Goals of subverting audit logs
- hide the perpetrator
- hide other details of the attack
- hide the attack itself
- Physically damage or steal machine. The baseball bat approach.
- Stick code for misuse in a macro virus. Blame it on the virus. This
runs on the assumption that the punishment for being stupid is less than
the punishment for being evil. In some environments users are separated
from programmers. Macro viruses violate this separation.
- Overload the log file by changing the permissions on a file and repeatedly
attempting to access it. How it is used is dependent on configuration of
- Could crash system.
- Could stop auditing.
- Could overwrite old information.
- Modifying event mappings. Modify registry entries?
- Deleting events out of the audit log while maintaining correct sequence
- NT System-Call hooking can add or change functionality of system calls.
Can this be used to intercept audit system calls? Should be easier to do
with application level audit calls.
- Component Steps
- Get superuser access. Not needed if already a super-user.
- NTsecurity.com - recover admin password < 30 min.
- PWdump recovers MD4 hash. Brute force result.
- IE bugs involving challenge/response.
- NTAccess - changes Administrator password by using special set of boot
- Disable auditing. Either turn it off or intercept audit calls.
- Destroy integrity of audit log. Includes the baseball bat approach.
- Experiments - Used for determining cost effectiveness and how much effort
should be put into securing a resource.
- Implement a few of the scenarios
- Timings? Will they be useful? Is it too dependent on how much other
work the machine is doing?
- Instruction count - how much work the machine must do.
- Effort - how much work the hacker must do.
- Counter Counter Measures
- Division of responsibilities. Don't give the superuser the ability to
modify auditing or to run arbitrary applications.
- Cryptographic checksums
- 3rd party authentication
- Will an authentication provide a greater level of security? Will the
key be any more secure than the administrative password?
- Hardware authentication.
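Added example (not part of the original outline) showing what the "Cryptographic checksums" counter-measure buys against the "deleting events while maintaining correct sequence" scenario, and where it stops. Each audit record carries an HMAC over its sequence number, its content and the previous record's tag, so removing or altering a record breaks every tag after it even if the attacker renumbers. Truncating the tail of the log is not caught by the chain alone; that needs the final tag held by a third party (the outline's "3rd party authentication"), and the whole scheme rests on the key being unreadable to the local superuser, which is the open question the outline raises. The key, the event strings and the function names are constructed for this demo.

```python
import hashlib
import hmac

# Constructed demo key. If the superuser can read this key, the chain can be
# recomputed after tampering and the checksum adds nothing; the key must live
# off-box or in hardware.
DEMO_KEY = b"constructed-demo-key"

ZERO_TAG = b"\x00" * 32  # tag assumed for the record before the first one


def _tag(key, seq, record, prev_tag):
    # Tag covers sequence number, record content and the previous tag.
    msg = seq.to_bytes(4, "big") + record.encode("utf-8") + prev_tag
    return hmac.new(key, msg, hashlib.sha256).digest()


def chain_log(records, key=DEMO_KEY):
    """Append-time side: return [(seq, record, tag), ...]."""
    prev = ZERO_TAG
    chained = []
    for seq, record in enumerate(records):
        tag = _tag(key, seq, record, prev)
        chained.append((seq, record, tag))
        prev = tag
    return chained


def verify_log(chained, key=DEMO_KEY, anchor=None):
    """Audit-time side. Returns (ok, index_of_first_problem).
    anchor: the last tag as recorded by a third party; None skips the
    truncation check, which the chain alone cannot perform."""
    prev = ZERO_TAG
    for i, (seq, record, tag) in enumerate(chained):
        if seq != i:
            return False, i  # renumbered or reordered
        if not hmac.compare_digest(_tag(key, seq, record, prev), tag):
            return False, i  # modified here, or an earlier record removed
        prev = tag
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(chained)  # tail truncated or log replaced
    return True, None


def model_deletion(chained, victim):
    """Model of the outline's scenario: drop one event and renumber the
    rest so the sequence numbers still look continuous."""
    kept = [r for r in chained if r[0] != victim]
    return [(i, rec, tag) for i, (_, rec, tag) in enumerate(kept)]


# Constructed sample events, loosely shaped like NT security-log entries.
SAMPLE_EVENTS = [
    "logon success user=alice",
    "object access user=alice file=payroll.xls",
    "privilege use user=alice priv=SeBackupPrivilege",
    "logon success user=bob",
    "logoff user=alice",
]

if __name__ == "__main__":
    log = chain_log(SAMPLE_EVENTS)
    anchor = log[-1][2]  # what the third party would hold
    print(verify_log(log, anchor=anchor))                     # (True, None)
    print(verify_log(model_deletion(log, 2), anchor=anchor))  # (False, 2)
    print(verify_log(log[:-2]))                               # (True, None)
    print(verify_log(log[:-2], anchor=anchor))                # (False, 3)
```

The third call is the caveat: a log with its last two events cut off verifies cleanly when nothing outside the log remembers the final tag, which is why the checksum and the third-party anchor are listed as separate counter-measures.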
Brant Hashii / firstname.lastname@example.org
last modified: 4/21/97