aalfaifi Jan 09, 2023 15:51

Exploring Windows Artifacts: $Secure Artifact

TLDR; $SDS is an artifact of the NTFS file system. This artifact contains the security descriptors of all files and folders on the volume, which means it holds the owner and the permissions of every file. I also wrote a Rust 🦀 parser for this artifact that you can download from my GitHub.


Hello there! It has been a while since I wrote a blog, but I have been busy with other projects 🙂

NTFS has a file called $Secure that contains the security descriptors for all files on the volume. $Secure has three data streams, each holding different data that helps retrieve the security descriptor of a specific file. The following are the data streams of $Secure with their descriptions:

  • $SDH: Contains the security descriptor hash and its offset in the $SDS stream (hash-to-offset lookup)
  • $SII: Contains the security ID and its offset in the $SDS stream (ID-to-offset lookup). The security ID can be retrieved from the security ID field of the $STANDARD_INFORMATION attribute present in every MFT record
  • $SDS: Contains all security descriptors for all files and directories on the volume

$SDS Stream

The $SDS stream contains the most important data for digital forensics. It is a list of security descriptors, with each security descriptor containing the following data:

  • Object owner SID
  • Object group SID
  • Object Discretionary Access Control List (DACL), which identifies the users and groups that are allowed or denied access permissions on the object
  • Object System Access Control List (SACL), which makes it possible to audit access to the secured object

$SDS Structure

Offset | Size | Type                       | Description
-------+------+----------------------------+--------------------------------------------------------------
0      | 4    | u32                        | Security descriptor hash
4      | 4    | u32                        | Security descriptor identifier; can be retrieved from the MFT record's $STANDARD_INFORMATION attribute
8      | 8    | u64                        | Security descriptor data offset (in $SDS)
16     | 4    | u32                        | Security descriptor data size (in $SDS)
20     | -    | Security Descriptor Struct | Security descriptor struct data
-      | -    | -                          | 16 bit alignment padding

How to find the security descriptor for an MFT record?

Retrieve the security ID from the $STANDARD_INFORMATION attribute of the MFT record, then parse $SDS and look up that security ID in the ID field of the $SDS records. The following is an example MFT record along with the corresponding security descriptor from $SDS:

MFT record (parsed using https://github.com/omerbenamram/mft):

{
    "header": {
        "signature": [
            70,
            73,
            76,
            69
        ],
        "usa_offset": 48,
        "usa_size": 3,
        "metadata_transaction_journal": 580089845936,
        "sequence": 306,
        "hard_link_count": 1,
        "first_attribute_record_offset": 56,
        "flags": "ALLOCATED",
        "used_entry_size": 384,
        "total_entry_size": 1024,
        "base_reference": {
            "entry": 0,
            "sequence": 0
        },
        "first_attribute_id": 5,
        "record_number": 170557
    },
    "attributes": [
        {
            "header": {
                "type_code": "StandardInformation",
                "record_length": 96,
                "form_code": 0,
                "residential_header": {
                    "index_flag": 0
                },
                "name_size": 0,
                "name_offset": null,
                "data_flags": "(empty)",
                "instance": 0,
                "name": ""
            },
            "data": {
                "created": "2021-01-23T14:40:32.114948Z",
                "modified": "2021-01-23T14:42:17.245694Z",
                "mft_modified": "2021-01-23T14:42:17.245694Z",
                "accessed": "2022-07-16T00:04:01.549904Z",
                "file_flags": "FILE_ATTRIBUTE_ARCHIVE",
                "max_version": 0,
                "version": 0,
                "class_id": 0,
                "owner_id": 0,
                "security_id": 4538,
                "quota": 0,
                "usn": 38532584952
            }
        },
        {
            "header": {
                "type_code": "FileName",
                "record_length": 112,
                "form_code": 0,
                "residential_header": {
                    "index_flag": 1
                },
                "name_size": 0,
                "name_offset": null,
                "data_flags": "(empty)",
                "instance": 2,
                "name": ""
            },
            "data": {
                "parent": {
                    "entry": 5,
                    "sequence": 5
                },
                "created": "2021-01-23T14:40:32.114948Z",
                "modified": "2021-01-23T14:40:32.114948Z",
                "mft_modified": "2021-01-23T14:40:32.114948Z",
                "accessed": "2021-01-23T14:40:32.114948Z",
                "logical_size": 0,
                "physical_size": 0,
                "flags": "FILE_ATTRIBUTE_ARCHIVE",
                "reparse_value": 0,
                "name_length": 8,
                "namespace": "Win32AndDos",
                "name": "test.txt"
            }
        },
        {
            "header": {
                "type_code": "ObjectId",
                "record_length": 40,
                "form_code": 0,
                "residential_header": {
                    "index_flag": 0
                },
                "name_size": 0,
                "name_offset": null,
                "data_flags": "(empty)",
                "instance": 3,
                "name": ""
            },
            "data": {
                "object_id": "3C783C19-5D7C-11EB-BE9B-5076AFA95947",
                "birth_volume_id": null,
                "birth_object_id": null,
                "domain_id": null
            }
        },
        {
            "header": {
                "type_code": "DATA",
                "record_length": 32,
                "form_code": 0,
                "residential_header": {
                    "index_flag": 0
                },
                "name_size": 0,
                "name_offset": null,
                "data_flags": "(empty)",
                "instance": 1,
                "name": ""
            },
            "data": "5445535431"
        }
    ],
    "valid_fixup": true
}

$SDS record:

{
    "hash": 3193908388,
    "id": 4538,
    "security_descriptor": {
        "owner_sid": "S-1-5-32-544",
        "group_sid": "S-1-5-21-412210041-3083678082-150370041-513",
        "dacl": {
            "revision": 2,
            "count": 4,
            "entries": [
                {
                    "ace_type": "ACCESS_ALLOWED",
                    "ace_flags": "(empty)",
                    "data": {
                        "access_rights": 2032127,
                        "sid": "S-1-5-32-544"
                    }
                },
                {
                    "ace_type": "ACCESS_ALLOWED",
                    "ace_flags": "(empty)",
                    "data": {
                        "access_rights": 2032127,
                        "sid": "S-1-5-18"
                    }
                },
                {
                    "ace_type": "ACCESS_ALLOWED",
                    "ace_flags": "(empty)",
                    "data": {
                        "access_rights": 1179817,
                        "sid": "S-1-5-32-545"
                    }
                },
                {
                    "ace_type": "ACCESS_ALLOWED",
                    "ace_flags": "(empty)",
                    "data": {
                        "access_rights": 1245631,
                        "sid": "S-1-5-11"
                    }
                }
            ]
        },
        "sacl": {
            "revision": 2,
            "count": 1,
            "entries": [
                {
                    "ace_type": "SYSTEM_MANDATORY_LABEL",
                    "ace_flags": "(empty)",
                    "data": {
                        "access_rights": 1,
                        "sid": "S-1-16-12288"
                    }
                }
            ]
        }
    }
}

The security_id value 4538 in the $STANDARD_INFORMATION attribute matches the id field of the $SDS record, so from the records above we can see that the file named test.txt is owned by the user with the SID S-1-5-32-544 (Administrators) and the group with the SID S-1-5-21-412210041-3083678082-150370041-513 (Users).
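The lookup described above, carried out as an added example that is not part of the original post or the author's Rust parser: it walks a $SDS stream using the entry layout from the table (hash, id, offset, size, then the self-relative security descriptor, padded to a 16-byte boundary), decodes owner, group and DACL entries, and resolves a security_id taken from $STANDARD_INFORMATION. The stream it parses is constructed in code from the page's id, hash, owner SID and access mask; the group SID S-1-5-18 and the single ACE are assumptions chosen to keep the sample short.

```python
import struct

# Constructed binary SIDs for the sample: S-1-5-32-544 (Administrators), S-1-5-18 (SYSTEM)
SID_ADMINS = bytes.fromhex("01020000000000052000000020020000")
SID_SYSTEM = bytes.fromhex("010100000000000512000000")

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # little-endian sub-authorities
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_descriptor(sd):
    """Parse a self-relative SECURITY_DESCRIPTOR: owner, group and the DACL's ACEs."""
    _rev, _sbz1, _control, owner, group, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    out = {"owner_sid": parse_sid(sd, owner), "group_sid": parse_sid(sd, group), "dacl": []}
    if dacl:  # a DACL offset of 0 means no DACL is present
        ace_count = struct.unpack_from("<H", sd, dacl + 4)[0]
        pos = dacl + 8  # skip the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            out["dacl"].append({"ace_type": ace_type, "access_rights": mask,
                                "sid": parse_sid(sd, pos + 8)})
            pos += ace_size
    return out

def parse_sds(data):
    """Walk $SDS: 20-byte entry header (hash, id, offset, size), descriptor, 16-byte alignment."""
    entries, pos = {}, 0
    while pos + 20 <= len(data):
        sd_hash, sec_id, _offset, size = struct.unpack_from("<IIQI", data, pos)
        if size < 20:  # zero-filled padding: no further entries
            break
        entries[sec_id] = {"hash": sd_hash, "id": sec_id,
                           "security_descriptor": parse_descriptor(data[pos + 20:pos + size])}
        pos = (pos + size + 15) & ~15  # next entry starts on a 16-byte boundary
    return entries

def lookup(sds_data, security_id):
    """Resolve a security_id from $STANDARD_INFORMATION to its $SDS record (None if absent)."""
    return parse_sds(sds_data).get(security_id)

def build_sample_sds():
    """Constructed (not captured) $SDS stream with one entry using the page's id, hash and owner."""
    ace = struct.pack("<BBHI", 0, 0, 8 + len(SID_ADMINS), 2032127) + SID_ADMINS  # ACCESS_ALLOWED
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    owner_off, group_off = 20, 20 + len(SID_ADMINS)
    dacl_off = group_off + len(SID_SYSTEM)
    sd = struct.pack("<BBHIIII", 1, 0, 0x8004, owner_off, group_off, 0, dacl_off)  # self-relative, DACL present
    sd += SID_ADMINS + SID_SYSTEM + acl
    entry = struct.pack("<IIQI", 3193908388, 4538, 0, 20 + len(sd)) + sd
    return entry + b"\x00" * (-len(entry) % 16)
```

On a real image, feed the bytes of the $SDS stream extracted from $Secure into lookup() instead of build_sample_sds().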

What is the significance of this artifact?

Here are some examples of how the $SDS artifact helps during digital forensic analysis:

  • A malicious file was deleted by the adversary, but its $MFT record is still present? You can use the $SDS artifact to find the user that owns this malicious file, mark that user as compromised, and then hunt for other artifacts generated by this user
  • You found a webshell on a web server and wondered how it was dropped? You can check the $SDS artifact for the file owner to see whether it is the web server account or another user. If it is the web server user, the adversary most likely exploited a vulnerability in the web server and dropped the webshell through it. Otherwise, the webshell might have been dropped on the server by other means as a persistence mechanism
  • Some crypto miners manipulate their files' permissions to prevent other processes from accessing them. The $SDS artifact lets you check those file permissions during offline analysis

From the above examples, you can see how the $SDS artifact could be helpful during analysis.

SDSParser

I developed a parser in Rust 🦀 to parse the $SDS stream. You can download sds_parser from GitHub.

Build

To build from source, make sure you have Rust installed, then run the following commands:

  git clone https://github.com/AbdulRhmanAlfaifi/SDSParser-rs
  cd SDSParser-rs
  cargo build --release

You will find the compiled binary at target/release/sds_parser.

Use pre-compiled binaries

You can also use the pre-compiled binaries from the release section.
