When the Shadow Brokers released numerous hacking tools and exploits designed by the NSA-linked Equation Group, a lot of attention was given to the EternalBlue exploit. This was particularly the case in May this year when the EternalBlue exploit was leveraged with the WannaCry ransomware. The event made news headlines globally and managed to shut down large sections of the British National Health Service. With last year’s release of NSA tools there was one particularly nasty piece of malware, DanderSpritz.
The DanderSpritz framework was designed to be used by the Equation Group after a machine or network was successfully compromised. The framework included several tools for data gathering, gaining persistence, and moving laterally within an environment. It was seen as a far more sophisticated nation-state version of Metasploit’s Meterpreter. One of the tools that was particularly nasty within the framework was the "eventlogedit" utility, which could be used to delete log entries.
Researchers Develop Python Script to Recover Deleted Logs
Last week, Fox-IT published a Python script that recovers event log entries deleted using the "eventlogedit" utility. According to Fox-IT, a flaw was found in the DanderSpritz log cleaner when they realized the utility does not actually delete event log entries. The logs were only unreferenced, merging entries together rather than deleting them.
Put simply DanderSpritz merges one or more "compromising" log entries with the clean log entry preceding it. When the Windows Event Log Viewer reads a doctored log file, it only parses the information contained between the first start and end tags, ignoring all information that proceeds it, and thus the “compromising” event log. While the logs are never truly deleted, the nifty abuse of the Windows Event Log Viewer allows attackers to hide malicious actions on compromised machines.
Dangers Posed by DanderSpitz
The Python script created by Fox-IT will enable investigators to rebuild the original log file and trace the attacker's footprints. The script has been made available on GitHub and should be seen as a helpful tool for investigating compromised machines.
It is important to note that DanderSpritz has been available in the wild for over a year already, meaning the NSA will not be using it. However, cyber-criminal organizations and malware families might have integrated the technique at the heart of the "eventlogedit" component in their own arsenals.