Security researchers have found a way to reverse the effects of an NSA hacking utility that deletes event logs from compromised machines.
Last week, Fox-IT published a Python script that recovers event log entries deleted using the “eventlogedit” utility that’s part of DanderSpritz, a supposed NSA cyber-weapon that was leaked online by a hacking group known as the Shadow Brokers.
According to Fox-IT, they found a flaw in the DanderSpritz log cleaner when they realized the utility does not actually delete event log entries, but only unreferences them, merging entries together.
By default, DanderSpritz will merge one or more “compromising” log entries with the clean log entry before it.
When the Windows Event Log app reads a doctored log file, it will read the clean version, see the end tag, and ignore all the content of the unreferenced “bad” events.
This nifty trick allows attackers to hide malicious actions on compromised machines. Using Fox-IT’s new danderspritz-evtx script, investigators can now rebuild the original log file and trace the attacker’s footprints.
The script is available on GitHub and is a must for people investigating compromised machines.
Because DanderSpritz has been leaked for more than half of year, this means that more than NSA operatives are using it today, and some cyber-criminal organizations and malware families might have integrated the technique at the heart of the “eventlogedit” component in their own arsenals.
What is DanderSpritz
DanderSpritz is a post-compromise exploitation framework that includes many other utilities besides the ability to clean logs. The NSA usually used it together with FuzzBunch, an exploitation framework.
NSA operatives would use FuzzBunch to load and run exploits on targeted computers, and later deploy DanderSpritz to find and extract sensitive data, spread to nearby computers, and remove any traces of compromise.
“Think of it as the nation state version of Metasploit’s Meterpreter but with automated Anti-Virus detection & avoidance, and ton of (previously) undetectable tools to dump passwords, gather information, gain persistence, and move laterally,” Francisco Donoso, a researcher for Kudelski Security wrote about DanderSpritz last May.