Internally known as "Log Jam", this Unicode data-reflection issue in Windows Events can halt log/event analysis and third-party processing and forwarding when the XML export feature is used. It is deemed a potential detection-evasion technique.
- Windows 10 Version 2004 x64 (OS Build 19041.572) en-us
- Windows 10 Version 20H2 x64 (OS Build 19042.630) en-us
- Microsoft Windows Server 2019 Datacenter x64 (6.3 build 17763)
When EvtRender/EvtFormatMessage is called with the EvtRenderEventXml format flag, the rendered data is returned together with the total size of the buffer (dwBufferUsed). If the caller instead measures the result with wcslen, which stops at the first NUL wide character, rather than relying on the total size returned, it does not obtain the correct size of the buffer. In the following example, the value returned by wcslen(pRenderedContent) does not equal dwBufferUsed.
EvtRender(NULL, hEvent, EvtRenderEventXml, dwBufferSize, pRenderedContent, &dwBufferUsed, &dwPropertyCount)
Per the online example here, the code in the function "DWORD PrintEvent(EVT_HANDLE hEvent)" is impacted as well at line 35, as demonstrated by an incomplete XML document. Additionally, the same thing is impacted here.
If an attacker is able to control any property that is written to the event log, whether locally or remotely, they can potentially hide additional data from investigation. Windows Event Viewer is also impacted when viewing the XML tab. Furthermore, it can potentially halt the log forwarding of third-party products such as Snare, OSSEC, and potentially many others; however, further testing has not been performed. This issue was initially found within our own MDR production deployment affecting the Event/Log forwarding tool for Windows (HAWK vTTACᵀᴹ), and was then further researched.
The following characters are enough to re-create the issue; however, many more exist:
Proof of concept can be achieved by running one of the following commands:
calc.exe \x02\x10
calc.exe \x02\x11
calc.exe \x02\xff
// will hide "find me"
calc.exe \x20\x0B\x01\xff\x20\x0B\x01\xfff\x01\xffi\x01\xffn\x01\xffd \x01\xffm\x01\xff2e\x01\xff
Once the proof of concept has executed, it can be verified by opening eventvwr.msc, selecting the Security log beneath "Windows Logs", and finding the event that coincides with the Process Creation for calc.exe.
Click the Details tab and select XML View to show the formatting and content failure.
The HAWK vTTACᵀᴹ agent detects these types of malicious data-injection attacks and alerts on them. To guarantee the original content is preserved for analysis, we sanitize the data and replace it with its hex representation.
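The following is an added example, not code from this advisory or from the HAWK vTTACᵀᴹ product, that ties together the two points above: the wcslen/dwBufferUsed mismatch described for EvtRender, and the sanitize-to-hex approach described for the agent. It does not call the Windows Event Log API; instead it builds a constructed wide-character buffer (`build_sample_event`) that stands in for what EvtRender would hand back, with an embedded NUL wide character after the `\x01` in the CommandLine data, which is the only condition under which wcslen and the byte count disagree. The names `rendered_xml_is_truncated_by_wcslen`, `sanitize_rendered_xml` and `demo`, the sample XML, and the `\xNNNN` escape format are all our choices and not anything the page specifies.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* dwBufferUsed from EvtRender is a byte count that includes the terminating
   NUL. wcslen() stops at the first NUL wide character, so if the rendered
   XML carries an embedded NUL the two disagree. Returns 1 on mismatch. */
int rendered_xml_is_truncated_by_wcslen(const wchar_t *buf, size_t bufferUsed)
{
    size_t units = bufferUsed / sizeof(wchar_t);
    if (buf == NULL || units == 0)
        return 0;
    return (wcslen(buf) + 1) != units;
}

/* Copy the full bufferUsed span (not the wcslen span) into a new string,
   replacing every wide character that is not printable ASCII, tab, CR or LF
   with a \xNNNN escape. Hypothetical sanitizer modelled on "replace it with
   its hex representation"; the escape format is our choice. Caller frees. */
wchar_t *sanitize_rendered_xml(const wchar_t *buf, size_t bufferUsed)
{
    static const wchar_t HEX[] = L"0123456789ABCDEF";
    size_t units = bufferUsed / sizeof(wchar_t);
    if (buf == NULL || units == 0)
        return NULL;
    size_t n = units - 1;                               /* drop the final terminator */
    wchar_t *out = malloc((n * 6 + 1) * sizeof(wchar_t)); /* worst case: every unit escaped */
    if (out == NULL)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        wchar_t c = buf[i];
        if ((c >= 0x20 && c <= 0x7E) || c == L'\t' || c == L'\n' || c == L'\r') {
            out[o++] = c;
        } else {
            unsigned v = (unsigned)c & 0xFFFFu;        /* EvtRender output is UTF-16 */
            out[o++] = L'\\';
            out[o++] = L'x';
            out[o++] = HEX[(v >> 12) & 0xF];
            out[o++] = HEX[(v >> 8) & 0xF];
            out[o++] = HEX[(v >> 4) & 0xF];
            out[o++] = HEX[v & 0xF];
        }
    }
    out[o] = L'\0';
    return out;
}

/* Constructed stand-in for an EvtRender result: the CommandLine data element
   carries a \x01 and then an embedded NUL before "find me". Returns the byte
   count EvtRender would report in dwBufferUsed (0 if dst is too small). */
size_t build_sample_event(wchar_t *dst, size_t cap)
{
    const wchar_t *head = L"<Event><EventData><Data Name='CommandLine'>calc.exe \x01";
    const wchar_t *tail = L"find me</Data></EventData></Event>";
    size_t hl = wcslen(head), tl = wcslen(tail);
    if (cap < hl + 1 + tl + 1)
        return 0;
    memcpy(dst, head, hl * sizeof(wchar_t));
    dst[hl] = L'\0';                                   /* the embedded NUL */
    memcpy(dst + hl + 1, tail, tl * sizeof(wchar_t));
    dst[hl + 1 + tl] = L'\0';                          /* the real terminator */
    return (hl + 1 + tl + 1) * sizeof(wchar_t);
}

/* Runs the check and the sanitizer over the sample. Returns 1 when the
   mismatch is detected and the sanitized text still contains "find me"
   plus escapes for both the \x01 and the embedded NUL. */
int demo(void)
{
    wchar_t buf[256];
    size_t used = build_sample_event(buf, 256);
    int truncated = rendered_xml_is_truncated_by_wcslen(buf, used);
    wchar_t *clean = sanitize_rendered_xml(buf, used);
    int ok = truncated && clean != NULL
             && wcsstr(clean, L"find me") != NULL
             && wcsstr(clean, L"\\x0000") != NULL
             && wcsstr(clean, L"\\x0001") != NULL;
    free(clean);
    return ok;
}

int main(void)
{
    wchar_t buf[256];
    size_t used = build_sample_event(buf, 256);
    wprintf(L"wcslen reports %zu units, dwBufferUsed reports %zu units\n",
            wcslen(buf), used / sizeof(wchar_t));
    wchar_t *clean = sanitize_rendered_xml(buf, used);
    wprintf(L"sanitized: %ls\n", clean);
    free(clean);
    return demo() ? 0 : 1;
}
```

The design point is that a consumer of EvtRender output should treat dwBufferUsed as the authoritative length and never re-measure the buffer with wcslen or pass it to an API that does; once the full span is copied, anything non-printable is preserved as an escape, so the data after the break survives for the analyst instead of vanishing from the XML view.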
HAWK vTTACᵀᴹ complements existing EDR solutions by focusing on closing the gap of missing telemetry, providing an end-to-end MDR log, security and investigation tool, all in one. Coupled with SOAR and real-time DFIR investigation, vTTACᵀᴹ will not only reduce investigation times but also accelerate SOAR response.
Learn more at HAWK.io