Microsoft Attack Surface Analyzer

Posted: 08/08/2012 in Uncategorized
Tags: ,


Microsoft’s Free Security Tools – Series Introduction

Tools are designed to make IT Professionals’ and Developers’ lives easier.  A good tool can save a lot of work and time for those people responsible for developing and managing software.  I thought I’d write a series of articles dedicated to highlighting some of the most useful free security-related tools Microsoft offers.

Over the years I developed several networking and security support tools that became popular with IT Professionals.  Some of these tools were released in various Resource Kits and Support Tools offerings included with some versions of Windows operating systems.  These tools include DNSLintPortqry,NBLookup, and many others.

Two of the most popular security-related tools that I developed were Port Reporter and Port Reporter Parser.  

Port Reporter runs as a service (in the background with no user interaction) and logs all the network usage and related details such as the IP addresses the system is communicating with, the TCP and UDP ports that are used, the processes running on the system that use the ports, whether each process is a service (some attackers like to use services vs apps), the modules (.dll, etc) that each process using network ports loaded, the user accounts that start processes using the network. 

This type of data is very helpful when determining what users, services, applications used the network and which remote systems were involved.  This data and the context it provides are also very helpful in incident response investigations.  For example, you could use this data to identify patterns of network usage that could help spot a compromised system being used for exfiltration of information from an environment. On a busy server in a data center, Port Reporter can generate a lot of data, so much data that I needed to provide an easy way to read and analyze the data.

Figure: Example of a log file generated by Port Reporter

Port Reporter Parser correlates and analyzes the data contained in the log files that Port Reporter generates.  Once the data was in this tool it enabled you to look for tell-tale signs of compromise, many different ways.

Figure on left: Port Reporter Parser spots a trick attackers used to use – naming a hacker tool the same name as a well-known system file, but running it from a slightly less restricted directory hoping the system administrator wouldn’t notice; figure on right: a binary that system administrators were looking specifically for is identified using the network

Top figure: example of the applications the system uses and how often they are logged by Port Reporter helps to identify which ones are most commonly used; bottom figure: all services that are hosted by svchost.exe – another trick attackers used to use to hide malicious processes

When the right queries were run on this data, you could get very interesting and useful information that would help detect threats and respond to them.  This granular data, together with firewall logs, could offer a very good view of what was actually happening on a network: which users were using it, when and how, what applications and services were running under each user’s account, and which dynamic load libraries and modules those applications had loaded in memory at the time.  From there, you could create baselines based on “routine” patterns of network traffic and application behavior so that anomalies could be identified.

Today there are newer, more sophisticated and scalable tools for collecting this type of information, and of course much, much more data available.  But Port Reporter can still help organizations that are running older operating systems like Windows XP Service Pack 3 and Windows Server 2003.  Many years ago when I developed these tools, I wrote an article about them in case you are interested in more detail. 

But are organizations really aggregating and analyzing all the data, like audit logs for example, that they have access to?  Most of the customers I have talked to say they simply don’t have the time or resources to do this.  But using this type of data from systems across an organization, along with data from other parts of the organization, and data from elsewhere, could be very powerful in helping to detect and respond to threats earlier and faster than ever. 

Recently all the buzz around big data, security breaches and targeted attacks have peaked many people’s interest in how they can mine the vast amounts of data they have and collaborate with other organizations in order to better protect their environments. Aggregating and analyzing vast amounts of data, looking for signs of compromise so that containment and recovery starts and ends earlier is what many of the people I talk to are interested in.

Microsoft’s Free Security Tools – Attack Surface Analyzer

Attack Surface Analyzer can help software developers and Independent Software Vendors (ISVs) understand the changes in Windows systems’ attack surface resulting from the installation of the applications they develop.  It can also help IT Professionals, who are responsible for managing the deployment of applications or the security of desktops and servers, understand how the attack surface of Windows systems change as a result of installing software on the systems they manage.  Some use cases include: 

  • Developers can use the tool to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
  • IT Professionals can use the tool to assess the aggregate attack surface change by the installation of an organization’s line of business applications
  • IT Security Auditors can use the tool to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
  • IT Security Incident Responders can potentially use the Attack Surface Analyzer to gain a better understanding of the state of a system’s security during investigations (if a baseline scan was taken of the system during the deployment phase)

This tool essentially allows you to take a “snap shot” of a bunch of security related information on a system.  Then after the system changes, you can take another “snap shot” and the tool will compare the before and after “snap shots” and show you what changed in an HTML report.  The security related information captured in a snap shot includes:

  • System Information
    • Running Processes
    • Executable Memory Pages
    • Windows
    • Impersonation Tokens
    • Kernel Objects
    • Modules
  • Network Information
    • Network Ports
    • Named Pipes
    • RPC Endpoints
  • System Environment, Users, Groups
    • Accounts
    • Groups
    • Group Membership 

Figure: an example of an Attack Surface Analyzer report

The “Security Issues” tab highlights specific potential issues such as access control lists (ACLs) that could be problematic.  The “Attack Surface” tab provides insight into what has changed on the system and how the attack surface of the system has been altered.

You can download the Attack Surface Analyzer version 1.0 for free from


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: