Based on a Twitter thread from 19 Feb 2020, during which Phill Moore made the request, I updated RegRipper to check for "dirty" hives, and provided a warning that RegRipper does NOT automatically process Registry transaction logs. This can be an important component of your investigation, and so per Phill's request, I updated RegRipper (both the UI and rip.pl/.exe) to provide the warning, as well as check to see if the hive is 'dirty'.
If you decide that you need to process the transaction logs, there are a couple of options available. One is using yarp (from Maxim Suhanov) along with registryFlush.py (per this blog post). Written in Python, this provides a cross-platform approach, if you need that flexibility. Another method is to use Eric Zimmerman's rla.exe (part of Registry Explorer/RECmd) tool, which is Windows-based.
So, to re-iterate, RegRipper 2.8 does NOT automatically process transaction logs. I haven't developed the code to do so, and there are a number of variables to doing so. For example, the current RegRipper repo contains plugins either intended just for XP systems (i.e., acmru.pl), and also contains plugins that can process data from hives from XP through Win10 (i.e., appcompatcache.pl, shimcache.pl). Transaction logs from older systems (XP, etc.) follow a different format that more modern (Win8.1+) systems, and as such, would require additional code to address those files.
Also, don't forget about the update made to RegRipper on 4 Jan 2020, fixing the issue that began as of 1 Jan 2020 where Registry key LastWrite times were incorrectly reported as "0". The updated code was added to one of the core module files (i.e., Base.pm), which is available in the RegRipper Github repo.
These updates have been "compiled" into the Windows executables for the RegRipper tools (rr.exe, rip.exe), but if you're looking to install RegRipper on Linux, be sure to read the RegRipper readme file and update the Perl modules files according.
Thursday, February 20, 2020
Monday, February 17, 2020
RID Hijacking
I read a fascinating blog post recently that described something called RID hijacking, which can be used as a method for maintaining elevated privileges on a system. The PenTestLabs article not only outlines how to perform RID hijacking manually, but also using MetaSploit, Empire, a Powershell module, and then using the module via POSHC2. In short, there are no shortage of ways to go about performing RID hijacking from an offensive perspective.
But how would this look from a blue team perspective? I made a minor tweak to the output of one of the RegRipper plugins (the data was already available) so that the output appears as follows (run against a SAM hive from a Win2000 system):
Username : Guest [501]
Full Name :
User Comment : Built-in account for guest access to the computer/domain
Account Type :
Account Created : Fri Sep 27 03:32:48 2002 Z
Name :
Last Login Date : Never
Pwd Reset Date : Never
Pwd Fail Date : Sat Aug 25 09:21:50 2012 Z
Login Count : 0
Embedded RID : 501
--> Password does not expire
--> Account Disabled
--> Password not required
--> Normal user account
I added the emphasis on the "Embedded RID" entry. Again, the data itself was available in the plugin, all I did was add the line to display the RID from within the F value data (as described in the PenTestLab article). I also added a bit of logic to compare the embedded value with the RID value from the Username field (in the brackets) and if they aren't same, print out a warning message.
I can't say that I've ever intentionally looked for this sort of thing during an investigation, as there was nothing that pointed to something like RID hijacking having occurred. For example, there were no indications of no suspicious actions involving the Guest account, and subsequently the Guest account being used to log into the system and perform actions requiring Admin privileges.
I have seen threat actors establish multiple means for returning to systems. I've seen threat actors hit an RDP server, enable Sticky Keys, and then create an account, add it to the Administrators group (as well as the Remote Users group) and then add that account to the "SpecialAccounts\UserList" key path so that the icon for the account does not appear on the Welcome screen.
Given that this capability is available, and not only via popular offensive security toolsets, I'd recommend checking for RID hijacking during investigations. Automating the checking means that it's done every time, regardless of who runs the process.
But how would this look from a blue team perspective? I made a minor tweak to the output of one of the RegRipper plugins (the data was already available) so that the output appears as follows (run against a SAM hive from a Win2000 system):
Username : Guest [501]
Full Name :
User Comment : Built-in account for guest access to the computer/domain
Account Type :
Account Created : Fri Sep 27 03:32:48 2002 Z
Name :
Last Login Date : Never
Pwd Reset Date : Never
Pwd Fail Date : Sat Aug 25 09:21:50 2012 Z
Login Count : 0
Embedded RID : 501
--> Password does not expire
--> Account Disabled
--> Password not required
--> Normal user account
I added the emphasis on the "Embedded RID" entry. Again, the data itself was available in the plugin, all I did was add the line to display the RID from within the F value data (as described in the PenTestLab article). I also added a bit of logic to compare the embedded value with the RID value from the Username field (in the brackets) and if they aren't same, print out a warning message.
I can't say that I've ever intentionally looked for this sort of thing during an investigation, as there was nothing that pointed to something like RID hijacking having occurred. For example, there were no indications of no suspicious actions involving the Guest account, and subsequently the Guest account being used to log into the system and perform actions requiring Admin privileges.
I have seen threat actors establish multiple means for returning to systems. I've seen threat actors hit an RDP server, enable Sticky Keys, and then create an account, add it to the Administrators group (as well as the Remote Users group) and then add that account to the "SpecialAccounts\UserList" key path so that the icon for the account does not appear on the Welcome screen.
Given that this capability is available, and not only via popular offensive security toolsets, I'd recommend checking for RID hijacking during investigations. Automating the checking means that it's done every time, regardless of who runs the process.
Saturday, February 15, 2020
Using Intrusion Intelligence
In his book, "Call Sign Chaos", Jim Mattis made the statement that 'your own personal experiences are not enough to sustain you." This statement was made in the context of reading for professional development, and it applies to much more than just warfighting. It also applies equally well in the DFIR field, including DFIR analysis, threat hunting, and developing intrusion intelligence. This is due to the fact that our own experiences are not enough to sustain us, neither as individual analysts nor as teams. None of us want to go to an auto mechanic or a neurosurgeon who stopped their education the moment they received their diploma; as such, it's incumbent upon each of us to further our education and professional development through whatever means works for us. Sometimes, that's as simple as reading...really reading...what someone else has written, and then incorporating what we learn into our own analysis process or methodology.
I recently read this excellent article from the Elastic team regarding their insights into the Gamaredon Group. I found that the article included a good bit of detail, not just in how the Elastic team goes about running down an incident, but also detail with respect to findings written in a manner that can be incorporated into threat hunting and DFIR analysis methodologies with little effort.
I've written and spoken often on the topic of threat actors modifying the target environment to meet their needs. This has been about much more than just modifying the Windows firewall to allow an application to access the Internet; threat actors have been observed making what appear to be subtle changes to target environments, but when those changes are fully understood, they're actually very significant. From enabling systems to store credentials in memory in plain text to disabling security tools, threat actors have been observed making significant modifications to the target environment.
In figure 12 in the Elastic article, we see where, via the macro, the actors modified the infrastructure to permit the execution of untrusted macros, as well as disabled warnings. However, this is nothing new. Mari discussed the VBAWarnings Registry value in Feb, 2016, and the value was mentioned on TechNet as far back as 2012.
As stated in the Elastic article, These small changes can end up having larger implications, and defenders can look for them as symptoms of more serious security issues. This is absolutely the case. The article goes on to identify additional entities that have been observed modifying target environments in a similar manner.
Okay...so what?
Well, there are a number of ways you can make use of this information...and this isn't all of the information from the article. There are a total of 25 figures in the article, and the information discussed above is from three of those figures, two of which are EQL queries. Depending upon the EDR solution you're using, you can monitor for modifications to the Registry, and specifically for that key path, and those values. If you're in a position where you're not able to employ an EDR solution, or if you're limited to just DFIR analysis or retro-active threat hunting, you can check that the values exist, and if so, their data, in order to see if there is or was an issue. If you do find the value data set in accordance with the article, the key LastWrite time may provide a suitable pivot point for analysis.
I recently read this excellent article from the Elastic team regarding their insights into the Gamaredon Group. I found that the article included a good bit of detail, not just in how the Elastic team goes about running down an incident, but also detail with respect to findings written in a manner that can be incorporated into threat hunting and DFIR analysis methodologies with little effort.
I've written and spoken often on the topic of threat actors modifying the target environment to meet their needs. This has been about much more than just modifying the Windows firewall to allow an application to access the Internet; threat actors have been observed making what appear to be subtle changes to target environments, but when those changes are fully understood, they're actually very significant. From enabling systems to store credentials in memory in plain text to disabling security tools, threat actors have been observed making significant modifications to the target environment.
In figure 12 in the Elastic article, we see where, via the macro, the actors modified the infrastructure to permit the execution of untrusted macros, as well as disabled warnings. However, this is nothing new. Mari discussed the VBAWarnings Registry value in Feb, 2016, and the value was mentioned on TechNet as far back as 2012.
As stated in the Elastic article, These small changes can end up having larger implications, and defenders can look for them as symptoms of more serious security issues. This is absolutely the case. The article goes on to identify additional entities that have been observed modifying target environments in a similar manner.
Okay...so what?
Well, there are a number of ways you can make use of this information...and this isn't all of the information from the article. There are a total of 25 figures in the article, and the information discussed above is from three of those figures, two of which are EQL queries. Depending upon the EDR solution you're using, you can monitor for modifications to the Registry, and specifically for that key path, and those values. If you're in a position where you're not able to employ an EDR solution, or if you're limited to just DFIR analysis or retro-active threat hunting, you can check that the values exist, and if so, their data, in order to see if there is or was an issue. If you do find the value data set in accordance with the article, the key LastWrite time may provide a suitable pivot point for analysis.
Thursday, February 13, 2020
Update: Prefetch + Stealth ADS Analysis
Not long ago, I took at look at an image that Dr. Ali Hadi had put together to demonstrate an aspect of digital analysis to his students. Dr. Hadi's blog post describes how the use of the ADSs, particularly when launching programs from ADSs, bypasses "normal" analysis methodologies which can tend to focus on one, or just a few, artifacts. I completely understand and agree with the point that Dr. Hadi made, and wanted to demonstrate the value of analysis that incorporates a corpus of artifacts, or 'artifact clusters'. As we saw in my previous post, there were a number of areas (file system metadata, BAM key, AppCompatCache data, SRUM data) where red flags related to the specific activity could be found, all of which were separate from the artifacts on which Dr. Hadi's article focused.
I decided to take a further look at data sources on the system to see if there were other artifacts that would serve as pivot points in analysis. For example, I found that the AmCache.hve file contained the following entry:
c:\users\ieuser\desktop\creepy\welcome.txt:putty.exe
LastWrite: Sun May 26 08:41:35 2019
Hash: 2662d1bd840184ec61ddf920840ce28774078134
Interestingly, the hash maintained in the AmCache entry is for putty.exe, rather than welcome.txt, and was detected by 47 engines on VT. I say "interestingly" because in some cases where hashes have been generated, they've been for the carrier file, not the ADS.
From the user's ActivitiesCache.db file, specifically the Activity table, I saw this entry in the ContentInfo column (the Executable column listed notepad.exe):
C:\Users\IEUser\Desktop\creepy\welcome.txt (file:Unmapped GUID: //C:/Users/IEUser/Desktop/creepy/welome.txt?VolumeId={20B25A2A-0000-0000-0000-100000000000}&ObjectId={0282E6B5-7F90-11E9-A75B-000C29C3F036}&KnownFolderId=ThisPCDesktopFolder&KnownFolderLength=23)
I added the bold text for a rather obvious misspelling that jumped out; however, there's nothing in the entry that specifically stands out as being associated with the ADSs.
I also took some other parsing steps that were not fruitful. For example, I parsed out all of the unallocated space from the NTUSER.DAT, and also merged the transaction logs into the hive, and re-ran several RegRipper plugins. Like I said, neither were fruitful, in this case.
I'm not sharing this because I disagree with Dr. Hadi's thesis...in fact, I completely agree with him. Too often, we may find ourselves focusing on just one artifact, and as Dr. Hadi pointed out, we can get caught off-guard by some variation of that artifact with which we weren't familiar. I've shared these articles, and the artifacts in them, in order to illustrate the value of using multiple data sources, and being able to find pivot points in your analysis.
I decided to take a further look at data sources on the system to see if there were other artifacts that would serve as pivot points in analysis. For example, I found that the AmCache.hve file contained the following entry:
c:\users\ieuser\desktop\creepy\welcome.txt:putty.exe
LastWrite: Sun May 26 08:41:35 2019
Hash: 2662d1bd840184ec61ddf920840ce28774078134
Interestingly, the hash maintained in the AmCache entry is for putty.exe, rather than welcome.txt, and was detected by 47 engines on VT. I say "interestingly" because in some cases where hashes have been generated, they've been for the carrier file, not the ADS.
From the user's ActivitiesCache.db file, specifically the Activity table, I saw this entry in the ContentInfo column (the Executable column listed notepad.exe):
C:\Users\IEUser\Desktop\creepy\welcome.txt (file:Unmapped GUID: //C:/Users/IEUser/Desktop/creepy/welome.txt?VolumeId={20B25A2A-0000-0000-0000-100000000000}&ObjectId={0282E6B5-7F90-11E9-A75B-000C29C3F036}&KnownFolderId=ThisPCDesktopFolder&KnownFolderLength=23)
I added the bold text for a rather obvious misspelling that jumped out; however, there's nothing in the entry that specifically stands out as being associated with the ADSs.
I also took some other parsing steps that were not fruitful. For example, I parsed out all of the unallocated space from the NTUSER.DAT, and also merged the transaction logs into the hive, and re-ran several RegRipper plugins. Like I said, neither were fruitful, in this case.
I'm not sharing this because I disagree with Dr. Hadi's thesis...in fact, I completely agree with him. Too often, we may find ourselves focusing on just one artifact, and as Dr. Hadi pointed out, we can get caught off-guard by some variation of that artifact with which we weren't familiar. I've shared these articles, and the artifacts in them, in order to illustrate the value of using multiple data sources, and being able to find pivot points in your analysis.
Tuesday, January 28, 2020
"Hidden" Prefetch File Analysis and Alternate Data Sources
One of the things I like to do is engage in DFIR analysis of CTF and challenge images, just to see what pops out and what new things I can learn. I did just that recently with Dr. Ali Hadi's challenge #4, described as "launching attacks from alternate data streams". Dr. Hadi also has a corresponding blog post where he digs a bit deeper into how this approach can "bypass normal forensic analysis". Actually, that last part of the title, about bypassing "normal forensic analysis", is what really got me interested in exploring the topic a bit further. Let's take a look...
I've been aware of and fascinated by NTFS alternate data streams (or "ADSs") for quite sometime; not just that they exist, but also how they can be and have been used. ADSs have always been pretty cool, and something of a novelty to me; while I know what they are and look for them during analysis, I don't often find them used for malicious purposes during DFIR engagements.
Dr. Hadi's blog post focuses primarily on the analysis of a single artifact, the application Prefetch files, which won't be available by default on Windows server systems. Also, you're not likely to find these files on workstation versions of Windows running on SSD drives. In the blog post, he uses several tools for parsing and deriving data from Prefetch files, but again the focus is on those files as the data source, when it comes to finding the use of ADSs.
While I don't want to think that is constitutes "normal forensic analysis", that may be the case. I like to use multiple data sources, in particular the MFT, Registry, and Windows Event Log when looking at data, and I prefer to correlate the data sources in a timeline format.
One of the first things I noticed when parsing the MFT is that the existence of the ADS jumps right out, as shown below:
Sun May 26 08:36:19 2019 Z
MFT_SI - ...B [16] C:\Users\IEUser\Desktop\creepy\LPT1.txt
MFT_FN - MACB [16] C:\Users\IEUser\Desktop\creepy\LPT1.txt
MFT_ADS - ...B [809984] C:\Users\IEUser\Desktop\creepy\LPT1.txt:putty.exe
Now, an ADS shares the time stamps of its "parent" file, and does not have time stamps of its own. It does, however, have its own size value, which is good. So, while the parser I used clearly identifies the ADS, the time listed may not correlate to the actual creation date of the ADS itself. In fact, the creation time ("...B") of the ADS may more closely correspond to the metadata modification ("..C.") time from the $STANDARD_INFORMATION attribute, depending upon the actual circumstances.
In this case, we have another data source available, the "bam" key from the System hive, as shown below:
Sun May 26 08:41:41 2019 Z
MFT_SI - MA.B [0] C:\Windows\Prefetch\WELCOME.TXT
BAM - \Device\HarddiskVolume1\Users\IEUser\Desktop\creepy\
welcome.txt:putty.exe (S-1-5-21-321011808-3761883066-353627080-1000)
MFT_ADS - MA.B [6462] C:\Windows\Prefetch\WELCOME.TXT:PUTTY.EXE-A6BB0639.pf
MFT_FN - MACB [0] C:\Windows\Prefetch\WELCOME.TXT
In addition, there were remnants found in other data sources, as well. For example, parsing the SRUDB.DAT database file, the following entries were located in the Application Resource Usage tab of the resulting XLSX file:
\Device\HarddiskVolume1\Users\IEUser\Desktop\creepy\LPT1.txt:putty.exe
\Device\HarddiskVolume1\Users\IEUser\Desktop\creepy\COM1.txt:revshell.exe
Further, the following entry was found in the Network Usage tab of the same XLSX file:
\device\harddiskvolume1\users\ieuser\desktop\creepy\com1.txt:revshell.exe
Finally, the following entries were located in the AppCompatCache data within the System Registry hive:
\\?\C:\Users\IEUser\Desktop\creepy\welcome2.txt:revshell.exe Sun May 26 08:33:33 2019 Z
\\?\C:\Users\IEUser\Desktop\creepy\COM1.txt:revshell.exe Sun May 26 08:37:34 2019 Z
\\?\C:\Users\IEUser\Desktop\creepy\LPT1.txt:putty.exe Sun May 26 08:37:19 2019 Z
\\?\C:\Users\IEUser\Desktop\creepy\welcome.txt:putty.exe Sun May 26 08:33:19 2019 Z
As you can see, there is no shortage of artifacts related to ADSs on a Windows system. The key take-away here for analysis is to not restrict your analysis to just a single artifact; instead, make a holistic approach your new "normal forensic analysis" process.
I want to thank Dr. Hadi for not only providing the image file, but for also putting together the blog post describing his findings with respect to the use of ADSs, and the application Prefetch file artifacts.
I've been aware of and fascinated by NTFS alternate data streams (or "ADSs") for quite sometime; not just that they exist, but also how they can be and have been used. ADSs have always been pretty cool, and something of a novelty to me; while I know what they are and look for them during analysis, I don't often find them used for malicious purposes during DFIR engagements.
Dr. Hadi's blog post focuses primarily on the analysis of a single artifact, the application Prefetch files, which won't be available by default on Windows server systems. Also, you're not likely to find these files on workstation versions of Windows running on SSD drives. In the blog post, he uses several tools for parsing and deriving data from Prefetch files, but again the focus is on those files as the data source, when it comes to finding the use of ADSs.
While I don't want to think that is constitutes "normal forensic analysis", that may be the case. I like to use multiple data sources, in particular the MFT, Registry, and Windows Event Log when looking at data, and I prefer to correlate the data sources in a timeline format.
One of the first things I noticed when parsing the MFT is that the existence of the ADS jumps right out, as shown below:
Sun May 26 08:36:19 2019 Z
MFT_SI - ...B [16] C:\Users\IEUser\Desktop\creepy\LPT1.txt
MFT_FN - MACB [16] C:\Users\IEUser\Desktop\creepy\LPT1.txt
MFT_ADS - ...B [809984] C:\Users\IEUser\Desktop\creepy\LPT1.txt:putty.exe
Now, an ADS shares the time stamps of its "parent" file, and does not have time stamps of its own. It does, however, have its own size value, which is good. So, while the parser I used clearly identifies the ADS, the time listed may not correlate to the actual creation date of the ADS itself. In fact, the creation time ("...B") of the ADS may more closely correspond to the metadata modification ("..C.") time from the $STANDARD_INFORMATION attribute, depending upon the actual circumstances.
In this case, we have another data source available, the "bam" key from the System hive, as shown below:
Sun May 26 08:41:41 2019 Z
MFT_SI - MA.B [0] C:\Windows\Prefetch\WELCOME.TXT
BAM - \Device\HarddiskVolume1\Users\IEUser\Desktop\creepy\
welcome.txt:putty.exe (S-1-5-21-321011808-3761883066-353627080-1000)
MFT_ADS - MA.B [6462] C:\Windows\Prefetch\WELCOME.TXT:PUTTY.EXE-A6BB0639.pf
MFT_FN - MACB [0] C:\Windows\Prefetch\WELCOME.TXT
In addition, there were remnants found in other data sources, as well. For example, parsing the SRUDB.DAT database file, the following entries were located in the Application Resource Usage tab of the resulting XLSX file:
\Device\HarddiskVolume1\Users\IEUser\Desktop\creepy\LPT1.txt:putty.exe
\Device\HarddiskVolume1\Users\IEUser\Desktop\creepy\COM1.txt:revshell.exe
Further, the following entry was found in the Network Usage tab of the same XLSX file:
\device\harddiskvolume1\users\ieuser\desktop\creepy\com1.txt:revshell.exe
Finally, the following entries were located in the AppCompatCache data within the System Registry hive:
\\?\C:\Users\IEUser\Desktop\creepy\welcome2.txt:revshell.exe Sun May 26 08:33:33 2019 Z
\\?\C:\Users\IEUser\Desktop\creepy\COM1.txt:revshell.exe Sun May 26 08:37:34 2019 Z
\\?\C:\Users\IEUser\Desktop\creepy\LPT1.txt:putty.exe Sun May 26 08:37:19 2019 Z
\\?\C:\Users\IEUser\Desktop\creepy\welcome.txt:putty.exe Sun May 26 08:33:19 2019 Z
As you can see, there is no shortage of artifacts related to ADSs on a Windows system. The key take-away here for analysis is to not restrict your analysis to just a single artifact; instead, make a holistic approach your new "normal forensic analysis" process.
I want to thank Dr. Hadi for not only providing the image file, but for also putting together the blog post describing his findings with respect to the use of ADSs, and the application Prefetch file artifacts.
Monday, January 27, 2020
Developing and Using Lessons Learned
From the very beginning of my time in DFIR, and even before then, I saw the value in having some form of "lessons learned" process.
By "even before then", I mean that while I was on active duty in the military, we had "lessons learned" events following major exercises that proved to be very valuable. After exercises such as Valiant Blitz '90 and Team Spirit '91, units involved (MACS-4, MATCS-18, MASS-2, LAAD-2, etc.) got together a did a "hot washup", which was a formalized lessons learned process. I was a communications officer, providing communications services to the "operators", as well as connecting them to other units. This sort of process is immensely valuable to military units, particularly given that I and others in my unit (my Gunnery Sgt, my CO, etc.) would likely not be with our unit for the next major event, due to rotations. This meant that lessons learned were preserved for others for future use.
Within DFIR work, things are very different. We often do not have the luxury of conducting a "lessons learned" process for most of our engagements, and because it's not part of our culture, when we do have the opportunity to do so, we don't do it well. Further, there needs to be much more to a process such as this than just knowledge sharing via the oral tradition (i.e., having a 'brown bag' lunch with someone giving a presentation), as this sort of passing along of 'corporate knowledge' is extremely transient. What this means is that if a lesson is indeed learned, a presentation may be provided, but two additional questions need to be addressed. First, are analysts held accountable for using the new knowledge, and second, how is this new information preserved such that it persists beyond the employment lifetime of the author?
I can't really address the first question, as I'm not a manager. I have my own thoughts as to how this is accomplished; specifically, managers have to remain knowledgeable themselves, and then engage with the analysts (even if through customer updates and reports) in a purposeful, intentional manner. Part of this includes purposeful, intentional reviews of the analysts' work (via customer updates, reports, etc.), but given that the business model used in most IR consulting organizations is one in which utilization is the primary metric, managers do not often have the time to engage in such a manner.
As to the second question, however, there are a number of ways that the corporate knowledge can be preserved, one being something as simple as a wiki. A corporate or team-based wiki can be a central repository, and it's particularly valuable if it's maintained, updated, curated and searchable.
Another way of preserving the corporate knowledge well beyond the lifetime of any individual analyst or manager is to bake findings back into the overall process, such as via the collection or pre-processing mechanism.
For example, several years ago, I was listening to a "lessons learned" call when the analyst speaking glossed over something seemingly unimportant (to them), and I got curious about it. As such, I accessed the data and found something extremely valuable...in this particular instance, the adversary had launched their remote access Trojan (RAT) via a Scheduled Task, rather than launching the RAT installer. Immediately thereafter, once the RAT was running, the adversary deleted the scheduled task. This was on a Windows 7 system, so deleting the scheduled task meant that both the XML and XP-style .job files were deleted, but the RAT was still running in memory. Approximately 72 hrs after the RAT was launched, an event record with event ID 709 was generated in the Task Scheduler Event Log. This event indicated that an error had occurred while attempting to update the backwards-compatible .job file...in this case, because that file no longer existed. Additional research indicated that this was known functionality within Windows...specifically, that the Task Scheduler service would attempt to update the job information after...you guessed it...72 hours.
It turned out that this was an extremely high fidelity indicator of the adversary's behavior. Rather than launching the RAT installer via the Scheduled Task (something that generally runs pretty quickly and is complete in a matter of seconds), the actor launched the RAT itself, something that was intended to be "long lived". There was speculation at that time as to whether the threat actor knew about the 72 hr time frame or not, and how 'sophisticated' they were. I simply reminded myself that this had not been self-detected by the customer and we were analyzing data months after the intrusion occurred.
As cool as the event record was, it was highly unlikely that I'd remember to look for something like that on an engagement 6, 8, or 12 months from then, so I added the indicator to my pre-processing methodology, and from that point on, that record was automatically tagged every time I parsed that Windows Event Log file. My pre-processing methodology includes documentation as to the nature and context of the event record, so I don't have to memorize anything. This also means that by sharing the methodology with others, every analyst can benefit from the experience of one, without having to have engaged in the analysis themselves (i.e., knowledge sharing).
Threat Hunting Process
Threat hunting is often described as pursuing a hypothesis, or finding a thread and pulling it. Even if nothing is found, something can be learned.
So how do you do this? Well, if you're in an FTE (full-time employment) internal position, start with understanding something about your infrastructure. For example, I know of one analyst who knew that their organization did NOT use native Windows tools (i.e., net.exe) to manage user accounts; as such, they found a thread (i.e., use of net.exe to create and manager user accounts), used that as the basis for hunting across telemetry collected from their environment...and found a bad guy. Start with, "this is how we do it", and "this is how the bad guy might do it", and pull that thread. Lather, rinse, repeat.
A great place to get these threads to pull is from social media, particularly sources (Twitter, LinkedIn) that point to write-ups shared by others. Very often, we might develop a hypothesis or "thread to pull" from something we find online, and from there, our hunt may turn up a system or two (or three) of interest. For example, not long I saw on Twitter that the Ryuk ransomware had new functionality that allowed it to send a "wake-on-LAN" packet to turn other systems on, so it could then be used to infect them. If your threat hunting capability allows you to detect UDP datagrams being sent to port 7, why not conduct a hunt to see if this has happened within your environment?
What threat hunting then leads us to is the systems which require closer attention, via either full image acquisition, or triage data collection. For example, during targeted threat response for 150,000 endpoints, we were able to reduce this "data ocean" to just the 8 systems the threat actor had engaged with, and then using triage data collection, reduced what we had to look at to a "data cup".
Developing Lessons Learned
In a manner similar to the threat hunting process, intrusion intelligence can be developed from DFIR engagements. I say "can be" because in my experience, this is something rarely done. When I started in DFIR, many of those I worked with came from either military or LE backgrounds, and one would think that a "lessons learned" session after an engagement would be just something that just happened, but as it turned out, it didn't. Not doing so became part of the culture.
What happens if you do a "lessons learned" session after engagements? At the very least, you get things like this, this, and eventually this. The common factor amongst all three of those examples is that they include data that is immediately usable to someone who reads them; they offer actionable intelligence that someone who did not experience one of those engagements can now take full advantage.
Data Sources
If you do DFIR work, the best data source for producing intrusion intelligence is your own DFIR data. If you have access to EDR telemetry, as well, then the data is even richer, because you can correlate the actions of the threat actor directly to the artifacts on systems.
If you're in an FTE position internal to a company, this is a great way to develop very detailed insight into internal operations within your own organization. If you're a consultant, this (DFIR + EDR) is THE best way to produce intrusion intelligence, hands down.
Another data source is to monitor social media (as well as specific blogs and other resources) and determine what you can use within your own environment. Use open source threat intel to develop your own hunting leads (for EDR and/or DFIR data), and then bake what you learn from those hunts back into your own process.
A good example of this is this MenaSec blog post; there's a good explanation of what was observed, as well as some great indicators (file names) provided that are generated by the operating system as a result of the activity of interest. As such, these indicators are not as easy to change, unlike IP addresses or file hashes.
Another good example is the SecureList description of Project TajMahal. One of the aspects of this write-up that caught my eye was the module that facilitates data theft by enabling the KeepPrintedJobs flag for printers on the system; this allows the adversary to collect data that is normally deleted as soon as the print job has been completed. This provides a great opportunity for high fidelity detections in both EDR and DFIR pre-processing.
Using Lessons Learned
Now that we have these items of interest, these indicators, what do we do with them? Well, that really depends on what you have available.
For example, are you using an EDR tool that can detect Registry operations (key creations, writes to values, etc.)? If so, create an EDR detection or filter that will tell you when the Attributes value for printers on a system has been modified. If you're doing DFIR work, add the appropriate check to your pre-processing methodology. It's pretty trivial to write a RegRipper plugin that will not only collect the Attributes value from each printer, but also check to see if the KeepPrintedJobs flag is set.
Lessons learned items can be implemented via a number of means, including (but not limited to):
- Yara Rules
- RegRipper plugins
- WEVTX eventmap,txt entry (here's a good one to add...)
- EDR detection rules
- snort rules
- Etc.
I call this as"baking" what we've learned back into our processes and methodologies. A great example of implementing something like this occurred several years ago when Nuix added two extensions to their Workstation product, one for Yara, and one for RegRipper. This allows anyone who adds these extensions (and the open source tools) to their analysis platform can now take full advantage of the collective experience of hundreds of analysts and investigators, without ever having to engaged in the same hundreds or thousands of investigations. An analyst who'd downloaded this Yara rule, for example, could now use it to scan images for all of the tools listed without ever having seen a single one of them. The same is true for web shells, PHP backdoors, etc.; acquired images can be automatically scanned for these items without the analyst having to have ever seen one.
To some extent, this is more of using the lessons learned by others to extend our analysis, but anything you learn yourself from this process could then be added right back into the environment. If someone wanted, they could also add an extension for processing Windows Event Log files and tagging specific events (by source and ID, or other criteria)
Extending Your Reach
Not everything we know needs to be the result of our own personal experiences. Jim Mattis stated in his book that "our own personal experiences are not enough to sustain us", and the same applies to DFIR. No one of us is as smart as all of us working together. If someone finds something and makes it public, it would behoove those of us impacted (even potentially so) by the finding to implement that finding in a manner that works for our environment and tooling.
Clearly, this goes back to the Data Sources section of this blog post, but that simply echos the fact that this is an iterative process. As you find or learn new things, you add them to collection and pre-processing methodology. As these new findings are tagged in subsequent engagements, analysis will raise new findings "near" our tagged items, allowing us to then extend our collection and pre-processing methodology further.
The same methodology can be applied to EDR, as well. Let's say you create a detection that alerts you when printer Attributes values are modified, and you receive such an alert. A review of EDR metadata "near" that alert may not give you the visibility you need, so you implement your forensic collection process and run the collected data through your pre-processing toolset.
By "even before then", I mean that while I was on active duty in the military, we had "lessons learned" events following major exercises that proved to be very valuable. After exercises such as Valiant Blitz '90 and Team Spirit '91, units involved (MACS-4, MATCS-18, MASS-2, LAAD-2, etc.) got together a did a "hot washup", which was a formalized lessons learned process. I was a communications officer, providing communications services to the "operators", as well as connecting them to other units. This sort of process is immensely valuable to military units, particularly given that I and others in my unit (my Gunnery Sgt, my CO, etc.) would likely not be with our unit for the next major event, due to rotations. This meant that lessons learned were preserved for others for future use.
Within DFIR work, things are very different. We often do not have the luxury of conducting a "lessons learned" process for most of our engagements, and because it's not part of our culture, when we do have the opportunity to do so, we don't do it well. Further, there needs to be much more to a process such as this than just knowledge sharing via the oral tradition (i.e., having a 'brown bag' lunch with someone giving a presentation), as this sort of passing along of 'corporate knowledge' is extremely transient. What this means is that if a lesson is indeed learned, a presentation may be provided, but two additional questions need to be addressed. First, are analysts held accountable for using the new knowledge, and second, how is this new information preserved such that it persists beyond the employment lifetime of the author?
I can't really address the first question, as I'm not a manager. I have my own thoughts as to how this is accomplished; specifically, managers have to remain knowledgeable themselves, and then engage with the analysts (even if through customer updates and reports) in a purposeful, intentional manner. Part of this includes purposeful, intentional reviews of the analysts' work (via customer updates, reports, etc.), but given that the business model used in most IR consulting organizations is one in which utilization is the primary metric, managers do not often have the time to engage in such a manner.
As to the second question, however, there are a number of ways that the corporate knowledge can be preserved, one being something as simple as a wiki. A corporate or team-based wiki can be a central repository, and it's particularly valuable if it's maintained, updated, curated and searchable.
Another way of preserving the corporate knowledge well beyond the lifetime of any individual analyst or manager is to bake findings back into the overall process, such as via the collection or pre-processing mechanism.
For example, several years ago, I was listening to a "lessons learned" call when the analyst speaking glossed over something seemingly unimportant (to them), and I got curious about it. As such, I accessed the data and found something extremely valuable...in this particular instance, the adversary had launched their remote access Trojan (RAT) via a Scheduled Task, rather than launching the RAT installer. Immediately thereafter, once the RAT was running, the adversary deleted the scheduled task. This was on a Windows 7 system, so deleting the scheduled task meant that both the XML and XP-style .job files were deleted, but the RAT was still running in memory. Approximately 72 hrs after the RAT was launched, an event record with event ID 709 was generated in the Task Scheduler Event Log. This event indicated that an error had occurred while attempting to update the backwards-compatible .job file...in this case, because that file no longer existed. Additional research indicated that this was known functionality within Windows...specifically, that the Task Scheduler service would attempt to update the job information after...you guessed it...72 hours.
It turned out that this was an extremely high fidelity indicator of the adversary's behavior. Rather than launching the RAT installer via the Scheduled Task (something that generally runs pretty quickly and is complete in a matter of seconds), the actor launched the RAT itself, something that was intended to be "long lived". There was speculation at that time as to whether the threat actor knew about the 72 hr time frame or not, and how 'sophisticated' they were. I simply reminded myself that this had not been self-detected by the customer and we were analyzing data months after the intrusion occurred.
As cool as the event record was, it was highly unlikely that I'd remember to look for something like that on an engagement 6, 8, or 12 months from then, so I added the indicator to my pre-processing methodology, and from that point on, that record was automatically tagged every time I parsed that Windows Event Log file. My pre-processing methodology includes documentation as to the nature and context of the event record, so I don't have to memorize anything. This also means that by sharing the methodology with others, every analyst can benefit from the experience of one, without having to have engaged in the analysis themselves (i.e., knowledge sharing).
Threat Hunting Process
Threat hunting is often described as pursuing a hypothesis, or finding a thread and pulling it. Even if nothing is found, something can be learned.
So how do you do this? Well, if you're in an FTE (full-time employment) internal position, start with understanding something about your infrastructure. For example, I know of one analyst who knew that their organization did NOT use native Windows tools (i.e., net.exe) to manage user accounts; as such, they found a thread (i.e., use of net.exe to create and manager user accounts), used that as the basis for hunting across telemetry collected from their environment...and found a bad guy. Start with, "this is how we do it", and "this is how the bad guy might do it", and pull that thread. Lather, rinse, repeat.
A great place to get these threads to pull is from social media, particularly sources (Twitter, LinkedIn) that point to write-ups shared by others. Very often, we might develop a hypothesis or "thread to pull" from something we find online, and from there, our hunt may turn up a system or two (or three) of interest. For example, not long I saw on Twitter that the Ryuk ransomware had new functionality that allowed it to send a "wake-on-LAN" packet to turn other systems on, so it could then be used to infect them. If your threat hunting capability allows you to detect UDP datagrams being sent to port 7, why not conduct a hunt to see if this has happened within your environment?
What threat hunting then leads us to is the systems which require closer attention, via either full image acquisition, or triage data collection. For example, during targeted threat response for 150,000 endpoints, we were able to reduce this "data ocean" to just the 8 systems the threat actor had engaged with, and then using triage data collection, reduced what we had to look at to a "data cup".
Developing Lessons Learned
In a manner similar to the threat hunting process, intrusion intelligence can be developed from DFIR engagements. I say "can be" because in my experience, this is something rarely done. When I started in DFIR, many of those I worked with came from either military or LE backgrounds, and one would think that a "lessons learned" session after an engagement would be just something that just happened, but as it turned out, it didn't. Not doing so became part of the culture.
What happens if you do a "lessons learned" session after engagements? At the very least, you get things like this, this, and eventually this. The common factor amongst all three of those examples is that they include data that is immediately usable to someone who reads them; they offer actionable intelligence that someone who did not experience one of those engagements can now take full advantage.
Data Sources
If you do DFIR work, the best data source for producing intrusion intelligence is your own DFIR data. If you have access to EDR telemetry, as well, then the data is even richer, because you can correlate the actions of the threat actor directly to the artifacts on systems.
If you're in an FTE position internal to a company, this is a great way to develop very detailed insight into internal operations within your own organization. If you're a consultant, this (DFIR + EDR) is THE best way to produce intrusion intelligence, hands down.
Another data source is to monitor social media (as well as specific blogs and other resources) and determine what you can use within your own environment. Use open source threat intel to develop your own hunting leads (for EDR and/or DFIR data), and then bake what you learn from those hunts back into your own process.
A good example of this is this MenaSec blog post; there's a good explanation of what was observed, as well as some great indicators (file names) provided that are generated by the operating system as a result of the activity of interest. As such, these indicators are not as easy to change, unlike IP addresses or file hashes.
Another good example is the SecureList description of Project TajMahal. One of the aspects of this write-up that caught my eye was the module that facilitates data theft by enabling the KeepPrintedJobs flag for printers on the system; this allows the adversary to collect data that is normally deleted as soon as the print job has been completed. This provides a great opportunity for high fidelity detections in both EDR and DFIR pre-processing.
Using Lessons Learned
Now that we have these items of interest, these indicators, what do we do with them? Well, that really depends on what you have available.
For example, are you using an EDR tool that can detect Registry operations (key creations, writes to values, etc.)? If so, create an EDR detection or filter that will tell you when the Attributes value for printers on a system has been modified. If you're doing DFIR work, add the appropriate check to your pre-processing methodology. It's pretty trivial to write a RegRipper plugin that will not only collect the Attributes value from each printer, but also check to see if the KeepPrintedJobs flag is set.
Lessons learned items can be implemented via a number of means, including (but not limited to):
- Yara Rules
- RegRipper plugins
- WEVTX eventmap,txt entry (here's a good one to add...)
- EDR detection rules
- snort rules
- Etc.
I call this as"baking" what we've learned back into our processes and methodologies. A great example of implementing something like this occurred several years ago when Nuix added two extensions to their Workstation product, one for Yara, and one for RegRipper. This allows anyone who adds these extensions (and the open source tools) to their analysis platform can now take full advantage of the collective experience of hundreds of analysts and investigators, without ever having to engaged in the same hundreds or thousands of investigations. An analyst who'd downloaded this Yara rule, for example, could now use it to scan images for all of the tools listed without ever having seen a single one of them. The same is true for web shells, PHP backdoors, etc.; acquired images can be automatically scanned for these items without the analyst having to have ever seen one.
To some extent, this is more of using the lessons learned by others to extend our analysis, but anything you learn yourself from this process could then be added right back into the environment. If someone wanted, they could also add an extension for processing Windows Event Log files and tagging specific events (by source and ID, or other criteria)
Extending Your Reach
Not everything we know needs to be the result of our own personal experiences. Jim Mattis stated in his book that "our own personal experiences are not enough to sustain us", and the same applies to DFIR. No one of us is as smart as all of us working together. If someone finds something and makes it public, it would behoove those of us impacted (even potentially so) by the finding to implement that finding in a manner that works for our environment and tooling.
Clearly, this goes back to the Data Sources section of this blog post, but that simply echos the fact that this is an iterative process. As you find or learn new things, you add them to collection and pre-processing methodology. As these new findings are tagged in subsequent engagements, analysis will raise new findings "near" our tagged items, allowing us to then extend our collection and pre-processing methodology further.
The same methodology can be applied to EDR, as well. Let's say you create a detection that alerts you when printer Attributes values are modified, and you receive such an alert. A review of EDR metadata "near" that alert may not give you the visibility you need, so you implement your forensic collection process and run the collected data through your pre-processing toolset.
Saturday, January 04, 2020
First RegRipper 2020 Update
'cogphn' recently reached to me via the RegRipper GitHub repo to let me know that they'd found an issue with a plugin, and this was followed by a similar issue posted by William Schaefer. It seems that as soon as the clocks rolled over to 2020, the function within the Parse::Win32Registry module that gets key LastWrite times and translates them from FILETIME to Unix epoch format broke, and started returning 0. I fixed the function, and recompiled the executable files for rip.exe and the RegRipper GUI (rr.exe), and uploaded copies of the files to GitHub.
If you're just using the Windows executables, all you should need to do at this point is simply download the updated EXE files and you'll be on your way. I've done some local testing and things seem to be back on track. If you do find that there are continued issues, please let me know.
If you're running RegRipper as its Perl variant, I've also uploaded the 'fixed' Base.pm file, and included instructions in the readme file regarding updating your local copy of the file.
Addenum, 10 Jan
This issue also impacted regtime.exe, so I went ahead and recompiled the EXE and uploaded it to the Github repo. The source code (Perl script) did not require any modifications, but if you are running the Perl script, be sure to get the new Base.pm file and replace the one in your Parse::Win32Registry install, if you haven't already.
If you're just using the Windows executables, all you should need to do at this point is simply download the updated EXE files and you'll be on your way. I've done some local testing and things seem to be back on track. If you do find that there are continued issues, please let me know.
If you're running RegRipper as its Perl variant, I've also uploaded the 'fixed' Base.pm file, and included instructions in the readme file regarding updating your local copy of the file.
Addenum, 10 Jan
This issue also impacted regtime.exe, so I went ahead and recompiled the EXE and uploaded it to the Github repo. The source code (Perl script) did not require any modifications, but if you are running the Perl script, be sure to get the new Base.pm file and replace the one in your Parse::Win32Registry install, if you haven't already.
Tuesday, December 31, 2019
Maintaining The KnowledgeBase
As 2019 closes, we move into not just a new year, but also a new decade. While, for the most part, this isn't entirely significant...after all, how different will you really be when you wake up on 2 Jan...times such as this offer an opportunity for reflection and for addressing those things what we may decide we need to change.
I blogged recently regarding Brett's thoughts on how to do about improving #DFIR skills, and to some extend, expanding on them from my own perspective. Then this morning, I was perusing one of the social media sites that I frequent, and came across a question regarding forensic analysis of "significant locations" on an iPhone 6. I really have no experience with smart phones or iOS, but I thought it would be interesting to take a quick look, so I did a Google search. The first result was an article that had been posted on the same social media site a year and a half ago.
I recently engaged with another analyst via social media, regarding recovering Registry hives from unallocated space. The analyst had specifically asked about FOSS tools, and in relatively short order, I found an 8 pg PDF document on the subject, written by Andrew Case. The document wasn't dated, but it did refer specifically to Windows XP, so that gave me some idea of the time frame as to when Andrew "put pen to paper", as it were. Interestingly, Andrew's paper made use of one of the FOSS tools the analyst asked about, so it worked out pretty well.
The industry is populated by the full spectrum of #DFIR folks, from those interested in the topic and enthusiasts, to folks for whom digital analysis work is part of their job but not an everyday thing, all the way through academics and highly dedicated professionals. There are those who don't "do" DFIR analysis all the time, and those whose primary role is to do nothing but digital analysis and research.
And there's always something new to learn, isn't there? There's always a question that needs to be answered, such as, "how do I recover an NTUSER.DAT hive from a deleted user profile?" I would go so far as to say that we all have questions such as these from time to time, and that some of us have the time to research these questions, and others don't. Some of us find applicable results pretty quickly, and some of us can spend a great deal of time searching for an answer, never finding anything that applies to what we're trying to accomplish. I know that's happened to me more times than I care to count.
The good news is that, in most cases, the information someone is seeking is out there. Someone knows it, and someone may have even written it down. The bad news is...the information is out there. If you don't have enough experience in the field or topic in question, you're likely going to have difficulty finding what you're looking for. I get it. For every time I run a Google search and the first half a dozen responses hit the nail squarely on the head, there are 5 or 6 searches where I've just not found anything of use...not because it doesn't exist but more likely due to my search terms.
Training can be expensive, and can require the attendee to be out of the office or off the bench for an extended period of time. And training my very often not cover those things for which we have questions. For example, throughout the past two decades, I've not only spoken publicly multiple times on the topic of Registry analysis, as well as written and conducted training courses (and even written books on the topic), but it never occurred to me that someone would want to recover the NTUSER.DAT hive from a deleted profile. And, even though I've asked multiple times over the years for feedback, even posing the question, "...what would you like to see covered/addressed?", not once has the topic of recovering deleted hives come up.
That is, until recently. Now, we have a need for "just in time training". The good news is that we have multiple resources available to us...Google, the Forensics Wiki, and Brett's DFIR Training site, to name a few. The down side is that even searching these sites in particular, you may not find what you're looking for.
So, for the coming year...nay, the coming decade...my request or "call to action" is for folks in the community to take more active steps in a couple of areas. First, develop purposeful, intentional relationships in the community. Go beyond following someone on social media, or clicking "Like" or "RT" to everything you see. Instead, connect with someone because you have a purposeful intention for doing so, and because you're aware of the value that you bring to the relationship. What this leads to is developing relationships based on trust, and subsequently, the sharing of tribal knowledge.
Second, actively take steps to maintain the knowledgebase. If you're looking for something, try the established repositories. If you can't find it there, but you do find an answer, and even if you end up building the answer yourself from bits and pieces, take active steps to ensure that what you found doesn't pass undocumented. I'll be the first to tell you that I haven't seen everything there is to see...I've never done a BEC investigation. There are a lot of ransomware infections I've never seen, nor investigated. My point is that we don't all see everything, but by sharing what we've experienced, we can ensure that more of us can benefit from each other's experiences. Jim Mattis, former Marine Corps warfighter and general officer, and former Secretary of Defense, stated in his recent book that our "own personal experiences are not broad enough to sustain [us]." This is 1000% true for warfighters, as well as for threat hunters, and forensic and intel analysts.
So, for the coming of the new year, resolve to take a more active role not just in learning new things, but adding to the knowledgebase of the community.
I blogged recently regarding Brett's thoughts on how to do about improving #DFIR skills, and to some extend, expanding on them from my own perspective. Then this morning, I was perusing one of the social media sites that I frequent, and came across a question regarding forensic analysis of "significant locations" on an iPhone 6. I really have no experience with smart phones or iOS, but I thought it would be interesting to take a quick look, so I did a Google search. The first result was an article that had been posted on the same social media site a year and a half ago.
I recently engaged with another analyst via social media, regarding recovering Registry hives from unallocated space. The analyst had specifically asked about FOSS tools, and in relatively short order, I found an 8 pg PDF document on the subject, written by Andrew Case. The document wasn't dated, but it did refer specifically to Windows XP, so that gave me some idea of the time frame as to when Andrew "put pen to paper", as it were. Interestingly, Andrew's paper made use of one of the FOSS tools the analyst asked about, so it worked out pretty well.
The industry is populated by the full spectrum of #DFIR folks, from those interested in the topic and enthusiasts, to folks for whom digital analysis work is part of their job but not an everyday thing, all the way through academics and highly dedicated professionals. There are those who don't "do" DFIR analysis all the time, and those whose primary role is to do nothing but digital analysis and research.
And there's always something new to learn, isn't there? There's always a question that needs to be answered, such as, "how do I recover an NTUSER.DAT hive from a deleted user profile?" I would go so far as to say that we all have questions such as these from time to time, and that some of us have the time to research these questions, and others don't. Some of us find applicable results pretty quickly, and some of us can spend a great deal of time searching for an answer, never finding anything that applies to what we're trying to accomplish. I know that's happened to me more times than I care to count.
The good news is that, in most cases, the information someone is seeking is out there. Someone knows it, and someone may have even written it down. The bad news is...the information is out there. If you don't have enough experience in the field or topic in question, you're likely going to have difficulty finding what you're looking for. I get it. For every time I run a Google search and the first half a dozen responses hit the nail squarely on the head, there are 5 or 6 searches where I've just not found anything of use...not because it doesn't exist but more likely due to my search terms.
Training can be expensive, and can require the attendee to be out of the office or off the bench for an extended period of time. And training my very often not cover those things for which we have questions. For example, throughout the past two decades, I've not only spoken publicly multiple times on the topic of Registry analysis, as well as written and conducted training courses (and even written books on the topic), but it never occurred to me that someone would want to recover the NTUSER.DAT hive from a deleted profile. And, even though I've asked multiple times over the years for feedback, even posing the question, "...what would you like to see covered/addressed?", not once has the topic of recovering deleted hives come up.
That is, until recently. Now, we have a need for "just in time training". The good news is that we have multiple resources available to us...Google, the Forensics Wiki, and Brett's DFIR Training site, to name a few. The down side is that even searching these sites in particular, you may not find what you're looking for.
So, for the coming year...nay, the coming decade...my request or "call to action" is for folks in the community to take more active steps in a couple of areas. First, develop purposeful, intentional relationships in the community. Go beyond following someone on social media, or clicking "Like" or "RT" to everything you see. Instead, connect with someone because you have a purposeful intention for doing so, and because you're aware of the value that you bring to the relationship. What this leads to is developing relationships based on trust, and subsequently, the sharing of tribal knowledge.
Second, actively take steps to maintain the knowledgebase. If you're looking for something, try the established repositories. If you can't find it there, but you do find an answer, and even if you end up building the answer yourself from bits and pieces, take active steps to ensure that what you found doesn't pass undocumented. I'll be the first to tell you that I haven't seen everything there is to see...I've never done a BEC investigation. There are a lot of ransomware infections I've never seen, nor investigated. My point is that we don't all see everything, but by sharing what we've experienced, we can ensure that more of us can benefit from each other's experiences. Jim Mattis, former Marine Corps warfighter and general officer, and former Secretary of Defense, stated in his recent book that our "own personal experiences are not broad enough to sustain [us]." This is 1000% true for warfighters, as well as for threat hunters, and forensic and intel analysts.
So, for the coming of the new year, resolve to take a more active role not just in learning new things, but adding to the knowledgebase of the community.
Sunday, December 29, 2019
LNK Toolmarks
Matt posted a blog article a while back, and I took interest in large part because it involved an LNK file. Matt provided a hash for the file in question, as well as a walk-through of his "peeling of the onion", as it were. However, one of the things that Matt pointed out that still needed to be done was toolmark analysis.
In his article, Matt says that LNK file, "...stitch together the world between the attacker and the victim." He's right. When an actor sends an LNK file to a target, particularly as an email attachment, they are sharing evidence of their development environment, which can be used to track threat actors and their campaigns. This is facilitated by the fact that LNK files not only contain a great deal of metadata from the actor's dev environment that act as "toolmarks", but also due to the fact that the absence of portions of that metadata can also be considered "toolmarks", as well.
The metadata extracted from the LNK file Matt discussed is illustrated below:
File: d:\cases\lnk\foto
guid {00021401-0000-0000-c000-000000000046}
mtime Sat Sep 15 07:28:38 2018 Z
atime Thu Sep 26 22:40:14 2019 Z
ctime Sat Sep 15 07:28:38 2018 Z
workingdir %CD%
basepath C:\Windows\System32\cmd.exe
shitemidlist My Computer/C:\/Windows/System32/cmd.exe
**Shell Items Details (times in UTC)**
C:2018-09-15 06:09:28 M:2019-09-23 17:18:10 A:2019-09-26 22:31:52 Windows (9) [526/1]
C:2018-09-15 06:09:28 M:2019-05-06 20:04:58 A:2019-09-26 22:02:08 System32 (9) [2246/1]
C:2018-09-15 07:28:40 M:2018-09-15 07:28:40 A:2019-09-26 22:38:36 cmd.exe (9)
vol_sn D4DA-5010
vol_type Fixed Disk
commandline /c start "" explorer "%cd%\Foto" | powershell -NonInteractive -noLogo -c "& {get-content %cd%\Foto.lnk | select -Last 1 > %appdata%\_.vbe}" && start "" wscript //B "%appdata%\_.vbe"
iconfilename C:\Windows\System32\shell32.dll
hotkey 0x0
showcmd 0x7
***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasWorkingDir|HasExpIcon|HasLinkInfo|HasArguments|HasIconLocation|HasRelativePath
As you can see, we have a good bit of what we'd expect to see in an LNK file, but there are also elements clearly absent, items we'd expect to see that just aren't there. For example, there are no Extra Data Blocks (confirmed by visual inspection), and as such, no MAC address, no machine ID (or NetBIOS name), etc. These missing pieces can be viewed as toolmarks, and we've seen where code executed by an LNK file has been appended to the end of the LNK file itself.
While this particular LNK file is missing a good bit of what we would expect to see, based on the file format, there is still a good bit of information available that can be used to develop a better intel picture. For example, the volume serial number is intact, and that can be used in a VirusTotal retro-hunt to locate other, perhaps similar LNK files. This would then give some insight into how often this particular technique (and dev system) seem to be in use and in play, and if the VirusTotal page for each file found contains some information about the campaign, on which it was seen, that might also be helplful.
What something like this illustrates is the need for tying DFIR work much closer to CTI, and even EDR/MSS. Some organizations still have these functions as separate business units, and this is particularly true within consulting organizations. In such instances, CTI resources do not have the benefit of accessing DFIR information (and to some extent, vice versa), minimizing the view into incidents and campaigns. Having the ability to fully exploit DFIR data, such as LNK files, and incorporating that information into CTI reporting produces a much richer picture, as evidenced by this FireEye write-up regarding Cozy Bear.
In his article, Matt says that LNK file, "...stitch together the world between the attacker and the victim." He's right. When an actor sends an LNK file to a target, particularly as an email attachment, they are sharing evidence of their development environment, which can be used to track threat actors and their campaigns. This is facilitated by the fact that LNK files not only contain a great deal of metadata from the actor's dev environment that act as "toolmarks", but also due to the fact that the absence of portions of that metadata can also be considered "toolmarks", as well.
The metadata extracted from the LNK file Matt discussed is illustrated below:
File: d:\cases\lnk\foto
guid {00021401-0000-0000-c000-000000000046}
mtime Sat Sep 15 07:28:38 2018 Z
atime Thu Sep 26 22:40:14 2019 Z
ctime Sat Sep 15 07:28:38 2018 Z
workingdir %CD%
basepath C:\Windows\System32\cmd.exe
shitemidlist My Computer/C:\/Windows/System32/cmd.exe
**Shell Items Details (times in UTC)**
C:2018-09-15 06:09:28 M:2019-09-23 17:18:10 A:2019-09-26 22:31:52 Windows (9) [526/1]
C:2018-09-15 06:09:28 M:2019-05-06 20:04:58 A:2019-09-26 22:02:08 System32 (9) [2246/1]
C:2018-09-15 07:28:40 M:2018-09-15 07:28:40 A:2019-09-26 22:38:36 cmd.exe (9)
vol_sn D4DA-5010
vol_type Fixed Disk
commandline /c start "" explorer "%cd%\Foto" | powershell -NonInteractive -noLogo -c "& {get-content %cd%\Foto.lnk | select -Last 1 > %appdata%\_.vbe}" && start "" wscript //B "%appdata%\_.vbe"
iconfilename C:\Windows\System32\shell32.dll
hotkey 0x0
showcmd 0x7
***LinkFlags***
HasLinkTargetIDList|IsUnicode|HasWorkingDir|HasExpIcon|HasLinkInfo|HasArguments|HasIconLocation|HasRelativePath
As you can see, we have a good bit of what we'd expect to see in an LNK file, but there are also elements clearly absent, items we'd expect to see that just aren't there. For example, there are no Extra Data Blocks (confirmed by visual inspection), and as such, no MAC address, no machine ID (or NetBIOS name), etc. These missing pieces can be viewed as toolmarks, and we've seen where code executed by an LNK file has been appended to the end of the LNK file itself.
While this particular LNK file is missing a good bit of what we would expect to see, based on the file format, there is still a good bit of information available that can be used to develop a better intel picture. For example, the volume serial number is intact, and that can be used in a VirusTotal retro-hunt to locate other, perhaps similar LNK files. This would then give some insight into how often this particular technique (and dev system) seem to be in use and in play, and if the VirusTotal page for each file found contains some information about the campaign, on which it was seen, that might also be helplful.
What something like this illustrates is the need for tying DFIR work much closer to CTI, and even EDR/MSS. Some organizations still have these functions as separate business units, and this is particularly true within consulting organizations. In such instances, CTI resources do not have the benefit of accessing DFIR information (and to some extent, vice versa), minimizing the view into incidents and campaigns. Having the ability to fully exploit DFIR data, such as LNK files, and incorporating that information into CTI reporting produces a much richer picture, as evidenced by this FireEye write-up regarding Cozy Bear.
Saturday, December 28, 2019
Improving DFIR Skills
There are more than a few skills that make up the #DFIR "field", and just one of them is conducting DFIR analysis. Brett Shavers recently shared his thoughts on how to improve in this area, specifically by studying someone else's case work. In his article, Brett lists a number of different avenues for reviewing work conducted by others a means of improving your own skills.
Brett and I are both Marine veterans, and Marines have a long history of looking to the experience of others to expand, extend, and improve our own capabilities. In the case of war fighting, a great deal has been written, providing a wealth of information to dig into and study. Jim Mattis stated in his book, "Call Sign Chaos", that "...your personal experiences alone are not broad enough to sustain you." This is true not only for a Marine general, but also for a DFIR analyst. In fact, I would say even more so for an analyst.
Okay, so how do we apply this? One way is to follow Brett's advice, and seek out resources. There are numerous web sites available, and another resource is David Cowen's book, Computer Forensics InfoSec Pro Guide.
Another available resource is Investigating Windows Systems. What makes this book different from others that you might find is that when writing it, my goal was to demonstrate stitching together the analysis process, by explaining why certain decisions were made, and the data and thought processes led to various findings. Rather than simply presenting a finding, I wanted to illustrate the data that was laid out before me when I made each of the analysis decisions. As with all of my other books, I wrote IWS in large part due to the fact that I couldn't find any book (or other resource) that took this approach.
Another approach is participating in CTFs. However, if you don't feel confident in participating in the actual CTF itself, but still want to take a shot at the analysis and see how others went about answering the challenge questions, there are often options available. In 2018, DefCon had a forensic analysis CTF, and a bit after the conference, several (I found 3) folks posted their take on the challenges.
My "thing" with CTFs is that they very often aren't 'real world'. For example, in all of my time as an incident responder, I've never had someone ask me to identify a disk signature or volume serial number from an acquired image. Can I? Sure. But it's never been part of the analysis process, in providing services to a customer. As such, I posted something of my own take on a few of the questions (here, and here), so they're available for anyone to read, and because the images are available, anyone can walk through what I or the other folks did, following along using their own tools and their own analysis processes.
If you do decide to engage in developing your skills, one of the best ways to do so is when you have someone to help you get over the humps. I'll admit it...sometimes, I take time to research something and may come up with a solution that isn't at all elegant, and could perhaps be done better. Or maybe, due to the fact that I'm relying on my own experiences, I don't see or consider something that to someone else, is obvious. Having a mentor, someone you can go to with questions and bounce ideas off of can be very beneficial in both the long and short term.
Brett and I are both Marine veterans, and Marines have a long history of looking to the experience of others to expand, extend, and improve our own capabilities. In the case of war fighting, a great deal has been written, providing a wealth of information to dig into and study. Jim Mattis stated in his book, "Call Sign Chaos", that "...your personal experiences alone are not broad enough to sustain you." This is true not only for a Marine general, but also for a DFIR analyst. In fact, I would say even more so for an analyst.
Okay, so how do we apply this? One way is to follow Brett's advice, and seek out resources. There are numerous web sites available, and another resource is David Cowen's book, Computer Forensics InfoSec Pro Guide.
Another available resource is Investigating Windows Systems. What makes this book different from others that you might find is that when writing it, my goal was to demonstrate stitching together the analysis process, by explaining why certain decisions were made, and the data and thought processes led to various findings. Rather than simply presenting a finding, I wanted to illustrate the data that was laid out before me when I made each of the analysis decisions. As with all of my other books, I wrote IWS in large part due to the fact that I couldn't find any book (or other resource) that took this approach.
Another approach is participating in CTFs. However, if you don't feel confident in participating in the actual CTF itself, but still want to take a shot at the analysis and see how others went about answering the challenge questions, there are often options available. In 2018, DefCon had a forensic analysis CTF, and a bit after the conference, several (I found 3) folks posted their take on the challenges.
My "thing" with CTFs is that they very often aren't 'real world'. For example, in all of my time as an incident responder, I've never had someone ask me to identify a disk signature or volume serial number from an acquired image. Can I? Sure. But it's never been part of the analysis process, in providing services to a customer. As such, I posted something of my own take on a few of the questions (here, and here), so they're available for anyone to read, and because the images are available, anyone can walk through what I or the other folks did, following along using their own tools and their own analysis processes.
If you do decide to engage in developing your skills, one of the best ways to do so is when you have someone to help you get over the humps. I'll admit it...sometimes, I take time to research something and may come up with a solution that isn't at all elegant, and could perhaps be done better. Or maybe, due to the fact that I'm relying on my own experiences, I don't see or consider something that to someone else, is obvious. Having a mentor, someone you can go to with questions and bounce ideas off of can be very beneficial in both the long and short term.
Wednesday, December 25, 2019
What is "best"?
A lot of times I'll see a question in DFIR-related social media, along the lines of, "what is the best tool to do XI was recently searching online for a tire inflator. I live on a farm, and have a couple of tractors, a truck, and a horse trailer. I don't need a fully-functional air compressor, but I do need something portable and manageable for inflating tires, something both my wife and I can use not only around the farm, but also when we're on the road. As I began looking around at product reviews, I also started seeing those "best of" lists, where someone (marketing firm, editorial board, etc.) compiled a list of what they determined to be the "best" available of a particular product.
Understand that I have a pretty good idea of what I'm looking for, particularly with respect to features. I'm looking for something that can plug into the cigarette lighter in the truck or car, or to another power source, such as "house power" or a portable generator. I'm looking for something that can fill a tire to at least 100 psi (some tires go to 12 psi, others 90 psi), but I'm not super-concerned about the speed; my primary focus is ease of use, and durability. Being able to set the desired pressure and have it auto-stop would be very useful, but it's not a show-stopper.
Some of the inflators listed as "best" had to be connected directly to the vehicle battery. Yeah, I know...right? Not particularly convenient if my wife needs to add pressure to a tire, particularly when plugging into the cigarette lighter is much more convenient. I mean, really...how "convenient" is it to pull over to the side of the road, and have someone who hasn't used jumper cables to jump-start another vehicle connect an inflator to battery terminals? Some inflators not listed as "best" were considered to be "too expensive" (although no threshold for cost was provided as a basis for testing), and looking a bit more closely, those inflators allowed the user to connect to different power sources. Okay, so that sort of makes sense, but rather than say that the product is "too expensive", maybe list why. Another was described as "too heavy", although it weighed just 5 lbs (as opposed to the "best", which came in at just over 3 lbs).
Bringing this back to #DFIR, I ran across this article the other day, which reportedly provides a list of the "top 10 digital forensics consulting/services companies". A list of the companies is provided on the page, with a brief description of what each company does, but what really stood out for me is that the list is compiled by "a distinguished panel of prominent marketing specialists". This, of course, begs the question as to the criteria used to determine which companies were reviewed, and of those, which made the top 10.
In 2012, I attended a conference presentation where the speaker made comments about various tools, including RegRipper. One comment was, "RegRipper doesn't detect...", and that wasn't necessarily true. RegRipper was released in 2008 with the intention of being a community-driven tool. However, only a few have stepped up over the years to write and contribute plugins. RegRipper is capable of detecting a great deal (null bytes in key/value names, RLO char, etc.), and if your installation of RegRipper "doesn't detect" something, it's likely that (a) you haven't written the plugin, or (b) you haven't asked someone for help writing the plugin.
During that same presentation, the statement was made that "RegRipper does not scale to the enterprise". This is true. It is also true that it was never designed to do so. The use case for which RegRipper was written is still in active use today.
My point is simply this..."best" is relative. If you're asking the question (i.e., "..what is the best #DFIR tool to do X?"), then understand that, if you don't share your requirements, what you're going to get back is what's best for the respondent, if anything. No one wants to write an encyclopedia of all of the different approaches, and available tools. Although, I'm sure someone will be happy to link you to one. ;-)
When you're considering the best "tool", take a look at the process, and maybe consider the best approach. Sometimes it's not about the tool. Also, consider the what it is you're trying to accomplish (your goals), as well as other considerations, such as operating or file system, etc. If you're not comfortable with the command line, or would perhaps like to consider a GUI solution (because doing so makes for a good screen capture in a report), or if you require the use of a commercial (vs FOSS...some do) tool, be sure to take those details into consideration, and if you're asking a question online, share them, as well.
Tuesday, December 03, 2019
Artifact Clusters
Very often within the DFIR community, we see information shared (usually via blog posts) regarding a "new" artifact that has been recently unearthed, or simply being addressed for the first time. In some cases, the artifact is new to us, and in others, it may be the result of some new feature added to the Windows operating system or to an application. Sometimes when we see this new artifact discussed, a tool is shared to parse and make sense of the data afforded by that artifact. In some cases, we may find that multiple tools are available for parsing the same artifact, which is great, because it shows interest and diversity in the approach to accessing and making use of the data.
However, what we don't often see is how that artifact relates to other artifacts from the same system. Another way to look at it is, we don't often see how the tool, or more importantly, the data available in the source, can serve us to further an investigation. We may be left thinking, "Great, there's this data source, and a tool that allows me to extract and make some sense of the data within it, but how do I use it as part of an investigation?"
I shared an initial example of what this might look like recently in a recent blog post, and this was also the approach I took when I wrote about the investigations in Investigating Windows Systems. I hadn't seen any books available that covered the topic of digital forensic analysis (as opposed to just parsing data) from an investigation-wide perspective, completing an investigation using multiple artifacts to "tell the story". The idea was (and still is) that a single artifact, or a single entry derived from a data source, does NOT tell the whole story of the investigation. A single artifact may be a high fidelity indicator that provides a starting point for an investigation, but it does not tell the whole story. Rather than a single artifact, analysts should be looking at artifact clusters to provide the necessary context for an analyst to make a finding as to what happened.
Artifact clusters provide two things to the investigator; validation and context. Artifact clusters provide validation by reinforcing that an event occurred, or that the user took some action. That validation may be a duplicate event; in my previous blog post, we see the following events in our timeline:
Wed Nov 20 20:09:28 2019 Z
TIMELINE - Start Time:Program Files x86\Microsoft Office\Office14\WINWORD.EXE
REG - [Program Execution] UserAssist - {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\WINWORD.EXE (5)
What we see here (above) are duplicate events that provide validation. We see via the UserAssist data that the user launched WinWord.exe, and we also see validation from the user's Activity Timeline database. Not only do we have validation, but we can also see what the artifact cluster should look like, and as such, have an understanding of what to look for in the face of anti-forensics efforts, be they intentional or the result of natural evidence decay.
In other instances, validation may come in the form of supporting events. For example, again from my previous blog post, we see the following two events side-by-side in the timeline:
Wed Nov 20 22:50:02 2019 Z
REG - RegEdit LastKey value -> Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\TaskFlow
TIMELINE - End Time:Windows\regedit.exe
In this example, we see that the user closed the Registry Editor, and that the user's LastKey value was set, illustrating the key that was in focus when the Registry Editor was closed. Rather than being duplicate events, these two events support each other.
Looking at different event sources during the same time period also helps us see the context of the events, as we get a better view of the overall artifact cluster. For example, consider the above timeline entries that pertain to the Registry Editor. With just the data from the Registry, we can see when the Registry Editor was closed, and the key that was in focus when it was closed. But that's about all we know.
However, if we add some more of the events from the overall artifact cluster, we can see not just when, but how the Registry Editor was opened, as illustrated below:
Wed Nov 20 22:49:11 2019 Z
TIMELINE - Start Time:Windows\regedit.exe
Wed Nov 20 22:49:07 2019 Z
REG - [Program Execution] UserAssist - {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (1)
REG - [Program Execution] UserAssist - {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Registry Editor.lnk (1)
From a more complete artifact cluster, we can see that the user had the Registry Editor open for approximately 51 seconds. Information such as this can provide a great deal of context to an investigation.
Evidence Oxidation
Artifact clusters give us a view into the data in the face of anti-forensics, either as dedicated, intentional, targeted efforts to remove artifacts, or as natural evidence decay or oxidation.
Wait...what? "Evidence oxidation"? What is that? I shared some DFIR thoughts on Twitter not long ago on this topic, and in short, what this refers to is the natural disappearance of items from artifact clusters due to the passage of time, as some of those artifacts are removed or overwritten as the system continues to function. This is markedly different from the purposeful removal of artifacts, such as Registry keys being specifically and intentionally modified or deleted.
This idea of "evidence decay" or "evidence oxidation" begins with the Order of Volatility, which lists different artifacts based on their "lifetime"; that is to say that different artifacts age out or expire at different rates. For example, a process executed in memory will complete (often with seconds, or sooner) and the memory used by that process will be freed for use by another process in fairly short order. That process may result in the operating system or application generating an entry into a log file, which itself may roll over or be overwritten at various rates (i.e., the entry itself is overwritten as newer entries are added), depending upon the logging mechanism. Or, a file may be created within the file system that exists until someone...a person...purposefully deletes it. Even then, the contents of the file may exist (NTFS resident file, etc.) for a time after the file is marked as "not in use", something that may be dependent upon the file system in use, the level of activity on the system, whether a backup mechanism (backup, Volume Shadow Copy, etc.) occurred between the file creation and deletion times, etc.
In short, some artifacts may have the life span of a snowflake, or a fruit fly, or a tortoise. The life span of an artifact can depend upon a great deal; the operating system (and version) employed, the file system structure, the auditing infrastructure, the volume of usage of the system, etc. Consider this...I was once looking at a USN Change Journal from an image acquired from a Windows 7 system, and the time span of the available data was maybe a day and a half. Right around that time, a friend of mine contacted me about a Windows 2003 system he was examining, for which the USN Change Journal contained 90 days worth of data.
Windows systems can be very active, even when they appear to be sitting idle with no one actively typing at the keyboard. The operating system itself may reach out for updates, during which files are downloaded, processes are executed, and files are deleted. The same is true for a number of applications. Once a user becomes active on the system, the volume of activity and changes may increase dramatically. I use several applications (Notepad++, UltraEdit, VirtualBox, etc.) that all reach out to the Internet to look for updates when they're launched. Just surfing the web causes browser history to be generated and cached.
However, what we don't often see is how that artifact relates to other artifacts from the same system. Another way to look at it is, we don't often see how the tool, or more importantly, the data available in the source, can serve us to further an investigation. We may be left thinking, "Great, there's this data source, and a tool that allows me to extract and make some sense of the data within it, but how do I use it as part of an investigation?"
I shared an initial example of what this might look like recently in a recent blog post, and this was also the approach I took when I wrote about the investigations in Investigating Windows Systems. I hadn't seen any books available that covered the topic of digital forensic analysis (as opposed to just parsing data) from an investigation-wide perspective, completing an investigation using multiple artifacts to "tell the story". The idea was (and still is) that a single artifact, or a single entry derived from a data source, does NOT tell the whole story of the investigation. A single artifact may be a high fidelity indicator that provides a starting point for an investigation, but it does not tell the whole story. Rather than a single artifact, analysts should be looking at artifact clusters to provide the necessary context for an analyst to make a finding as to what happened.
Artifact clusters provide two things to the investigator; validation and context. Artifact clusters provide validation by reinforcing that an event occurred, or that the user took some action. That validation may be a duplicate event; in my previous blog post, we see the following events in our timeline:
Wed Nov 20 20:09:28 2019 Z
TIMELINE - Start Time:Program Files x86\Microsoft Office\Office14\WINWORD.EXE
REG - [Program Execution] UserAssist - {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\WINWORD.EXE (5)
What we see here (above) are duplicate events that provide validation. We see via the UserAssist data that the user launched WinWord.exe, and we also see validation from the user's Activity Timeline database. Not only do we have validation, but we can also see what the artifact cluster should look like, and as such, have an understanding of what to look for in the face of anti-forensics efforts, be they intentional or the result of natural evidence decay.
In other instances, validation may come in the form of supporting events. For example, again from my previous blog post, we see the following two events side-by-side in the timeline:
Wed Nov 20 22:50:02 2019 Z
REG - RegEdit LastKey value -> Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\TaskFlow
TIMELINE - End Time:Windows\regedit.exe
In this example, we see that the user closed the Registry Editor, and that the user's LastKey value was set, illustrating the key that was in focus when the Registry Editor was closed. Rather than being duplicate events, these two events support each other.
Looking at different event sources during the same time period also helps us see the context of the events, as we get a better view of the overall artifact cluster. For example, consider the above timeline entries that pertain to the Registry Editor. With just the data from the Registry, we can see when the Registry Editor was closed, and the key that was in focus when it was closed. But that's about all we know.
However, if we add some more of the events from the overall artifact cluster, we can see not just when, but how the Registry Editor was opened, as illustrated below:
Wed Nov 20 22:49:11 2019 Z
TIMELINE - Start Time:Windows\regedit.exe
Wed Nov 20 22:49:07 2019 Z
REG - [Program Execution] UserAssist - {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (1)
REG - [Program Execution] UserAssist - {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Registry Editor.lnk (1)
From a more complete artifact cluster, we can see that the user had the Registry Editor open for approximately 51 seconds. Information such as this can provide a great deal of context to an investigation.
Evidence Oxidation
Artifact clusters give us a view into the data in the face of anti-forensics, either as dedicated, intentional, targeted efforts to remove artifacts, or as natural evidence decay or oxidation.
Wait...what? "Evidence oxidation"? What is that? I shared some DFIR thoughts on Twitter not long ago on this topic, and in short, what this refers to is the natural disappearance of items from artifact clusters due to the passage of time, as some of those artifacts are removed or overwritten as the system continues to function. This is markedly different from the purposeful removal of artifacts, such as Registry keys being specifically and intentionally modified or deleted.
This idea of "evidence decay" or "evidence oxidation" begins with the Order of Volatility, which lists different artifacts based on their "lifetime"; that is to say that different artifacts age out or expire at different rates. For example, a process executed in memory will complete (often with seconds, or sooner) and the memory used by that process will be freed for use by another process in fairly short order. That process may result in the operating system or application generating an entry into a log file, which itself may roll over or be overwritten at various rates (i.e., the entry itself is overwritten as newer entries are added), depending upon the logging mechanism. Or, a file may be created within the file system that exists until someone...a person...purposefully deletes it. Even then, the contents of the file may exist (NTFS resident file, etc.) for a time after the file is marked as "not in use", something that may be dependent upon the file system in use, the level of activity on the system, whether a backup mechanism (backup, Volume Shadow Copy, etc.) occurred between the file creation and deletion times, etc.
In short, some artifacts may have the life span of a snowflake, or a fruit fly, or a tortoise. The life span of an artifact can depend upon a great deal; the operating system (and version) employed, the file system structure, the auditing infrastructure, the volume of usage of the system, etc. Consider this...I was once looking at a USN Change Journal from an image acquired from a Windows 7 system, and the time span of the available data was maybe a day and a half. Right around that time, a friend of mine contacted me about a Windows 2003 system he was examining, for which the USN Change Journal contained 90 days worth of data.
Windows systems can be very active, even when they appear to be sitting idle with no one actively typing at the keyboard. The operating system itself may reach out for updates, during which files are downloaded, processes are executed, and files are deleted. The same is true for a number of applications. Once a user becomes active on the system, the volume of activity and changes may increase dramatically. I use several applications (Notepad++, UltraEdit, VirtualBox, etc.) that all reach out to the Internet to look for updates when they're launched. Just surfing the web causes browser history to be generated and cached.
Thursday, November 28, 2019
ActivitesCache.db vs NTUSER.DAT
I recently had an opportunity to work with the data available in the Windows 10 Activity Timeline, or ActivitiesCache.db file. I'd seen a number of descriptions of the file contents, as well as descriptions of tools, but few of these are from the perspective of a DFIR analyst/responder, and none that I could find provided a view of how the data from the database stands up alongside other data sources an analyst might examine.
First, I grabbed a copy of my own ActivitiesCache.db file:
esentutil /y /vss\ActivitiesCache.db /d ActivitiesCache.db
Then I grabbed a copy of my NTUSER.DAT hive:
reg save HKCU NTUSER.DAT
I used Eric Zimmerman's WxTCmd tool to parse the database; from the output, I got two CSV files (as described in Eric's blog post for the tool), one for the Activity table. I then wrote a Perl script to translate elements of the Activity table into the 5-field TLN timeline format that I use for analysis. This way, I was able to do something of a side-by-side comparison of data from the NTUSER.DAT hive with the contents of the ActivitiesCache.db database. Specifically, I created a timeline using the TLN variants of the UserAssist, RecentDocs, Applets, MSOffice and RecentApps RegRipper plugins, and then added the Activity table data to the events file before parsing it into a timeline.
What I found was pretty interesting.
For one, the data from the Activities table illustrated some interesting activity. For example, here's what the data looks like for when I opened a PDF document from my desktop:
Wed Nov 20 23:04:15 2019 Z
TIMELINE - End Time:Program Files x86\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wed Nov 20 23:04:14 2019 Z
TIMELINE - End Time:C:\Users\harlan\Desktop\WRR.exe
Wed Nov 20 23:00:51 2019 Z
TIMELINE - Start Time:C:\Users\harlan\Desktop\WRR.exe
Wed Nov 20 22:58:07 2019 Z
TIMELINE - Start Time:Program Files x86\Adobe\Reader 11.0\Reader\AcroRd32.exe C:\Users\harlan\Desktop\A_Forensic_Audit_of_the_Tor_Browser_Bundle4.pdf
TIMELINE - Start Time:Program Files x86\Adobe\Reader 11.0\Reader\AcroRd32.exe
I was doing some research into a particular Registry value, and a search had revealed a hit within the PDF. I opened the PDF, and while it was open, also opened the MiTeC Windows Registry Recovery (WRR.exe) tool.
Another interesting finding is illustrated below:
Wed Nov 20 22:50:02 2019 Z
REG - RegEdit LastKey value -> Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\TaskFlow
TIMELINE - End Time:Windows\regedit.exe
Wed Nov 20 22:49:11 2019 Z
TIMELINE - Start Time:Windows\regedit.exe
Wed Nov 20 22:49:07 2019 Z
REG - [Program Execution] UserAssist - {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (1)
REG - [Program Execution] UserAssist - {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Registry Editor.lnk (1)
I opened RegEdit, navigated to a specific key, and that key was in focus when I closed RegEdit. With respect to the LastKey value, we're aware that's the context of the data...the key that was in focus with RegEdit was closed. What this clearly illustrates is "humanness"...human-based actions occurring and being recorded in these data sources. We can see from the UserAssist data how RegEdit was opened, we can see how long it was open (in this case, ~50 sec or so), and which key was in focus when it was closed. Looked at together, these artifacts provide a clear illustration of human activity.
Here's another example of what correlating the two data sources can look like:
Wed Nov 20 21:11:29 2019 Z
TIMELINE - End Time:C:\Users\harlan\Desktop\WRR.exe
Wed Nov 20 21:10:01 2019 Z
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - local
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.dat - NTUSER.DAT
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder - local
Wed Nov 20 21:09:45 2019 Z
TIMELINE - Start Time:C:\Users\harlan\Desktop\WRR.exe
REG - [Program Execution] UserAssist - C:\Users\harlan\Desktop\WRR.exe (1)
In this particular case, I'd opened WRR and loaded an NTUSER.DAT file from a folder called "local".
Here's an example of how correlating the two data sources can provide additional insight and context into accessing files:
Wed Nov 20 20:20:56 2019 Z
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc - Armor of God.doc
TIMELINE - End Time:Program Files x86\Microsoft Office\Office14\WINWORD.EXE
Wed Nov 20 20:09:29 2019 Z
REG - Word File MRU - C:\Users\harlan\Desktop\Armor of God.doc
REG - Word Place MRU - C:\Users\harlan\Desktop\
Wed Nov 20 20:09:28 2019 Z
TIMELINE - Start Time:Program Files x86\Microsoft Office\Office14\WINWORD.EXE
REG - [Program Execution] UserAssist - {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\WINWORD.EXE (5)
In this particular case, I was preparing for Bible study and had a Word document open. The data from the Activity Timeline database showed that MSWord had been opened, but it took data from the NTUSER.DAT hive (RecentDocs and MSOffice plugins) to provide information about which file had been opened. In this case, the data illustrates that I'd had the file open approximately 11 minutes.
I could go on with the examples but suffice to say that the ActivitiesCache.db data provides context and validation to data from other sources; in this case, from data from the NTUSER.DAT hive associated with user activity. Adding additional data from other sources, such as Automatic JumpLists would not only provide additional context, but would be extremely valuable in the face of anti-forensics efforts. Getting a good view of what constitutes artifact clusters will also help us seen when elements from those clusters are missing, potentially through deletion efforts.
Further, the correlation of multiple data sources gives us a better view not only of artifact clusters, but also of past activities. As I went through the timeline data, I was references to files and applications that no longer existed on my system. I also saw references to files on external data sources (F:\, G:\, etc.), as well.
Something else I found as a result of this exercise was that the first entry in the database table appears to be dated 20 Jun 2019. Based solely on the data available, it would appear that an update was applied, as I'm also seeing all of the LastWrite times for RecentDocs subkeys set to the same time shortly before the first entry in the database. A quick query via WMIC reveals that a security update was installed on that day, for KB4498523. The finding is reminiscent of what Jason Hale discussed in his blog post regarding shellbags and a Win10 feature update.
Going Deeper
A while back, Mari had written a tool to parse deleted entries from a SQLite database, so I thought I'd give it a shot. I downloaded the CLI version of the tool, and after running it, got a TSV file that I opened up in Excel. There were a total of 630 rows, not all of which seemed to have much data, let alone much data of value. However, many of the rows contained what looked like extensive JSON-formatted data. A number of these contained references to files I'd opened in Notepad++, including the full path to the file, as well as the following:
{"gdprType":"ProductAndServiceUsage","clipboardDataId":"
So, much like other data sources, it appears that deleted items from this database file can provide additional insight and context, as well.
Additional Resources:
GroupIB writeup
Salt4n6 writeup
CCLGroup LTD writeup
Journal of Forensic Science paper
Medium.com article - lists descriptive resources, and tools, including Mark McKinnon's Autopsy plugin
PureInfoTech article - disabling the Timeline Activity feature (be sure to look for this being used for anti-forensics, or check the value if you're not finding the ActivitiesCache.db file)
Tools:
kacos2000 - WindowsTimeline
forensicMatt - ActivitiesCacheParser
Eric Z's Tools site
TZWorks - Timeline ActivitiesCache parser
Mari's SQLParser tools
First, I grabbed a copy of my own ActivitiesCache.db file:
esentutil /y /vss
Then I grabbed a copy of my NTUSER.DAT hive:
reg save HKCU NTUSER.DAT
I used Eric Zimmerman's WxTCmd tool to parse the database; from the output, I got two CSV files (as described in Eric's blog post for the tool), one for the Activity table. I then wrote a Perl script to translate elements of the Activity table into the 5-field TLN timeline format that I use for analysis. This way, I was able to do something of a side-by-side comparison of data from the NTUSER.DAT hive with the contents of the ActivitiesCache.db database. Specifically, I created a timeline using the TLN variants of the UserAssist, RecentDocs, Applets, MSOffice and RecentApps RegRipper plugins, and then added the Activity table data to the events file before parsing it into a timeline.
What I found was pretty interesting.
For one, the data from the Activities table illustrated some interesting activity. For example, here's what the data looks like for when I opened a PDF document from my desktop:
Wed Nov 20 23:04:15 2019 Z
TIMELINE - End Time:Program Files x86\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wed Nov 20 23:04:14 2019 Z
TIMELINE - End Time:C:\Users\harlan\Desktop\WRR.exe
Wed Nov 20 23:00:51 2019 Z
TIMELINE - Start Time:C:\Users\harlan\Desktop\WRR.exe
Wed Nov 20 22:58:07 2019 Z
TIMELINE - Start Time:Program Files x86\Adobe\Reader 11.0\Reader\AcroRd32.exe C:\Users\harlan\Desktop\A_Forensic_Audit_of_the_Tor_Browser_Bundle4.pdf
TIMELINE - Start Time:Program Files x86\Adobe\Reader 11.0\Reader\AcroRd32.exe
I was doing some research into a particular Registry value, and a search had revealed a hit within the PDF. I opened the PDF, and while it was open, also opened the MiTeC Windows Registry Recovery (WRR.exe) tool.
Another interesting finding is illustrated below:
Wed Nov 20 22:50:02 2019 Z
REG - RegEdit LastKey value -> Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\TaskFlow
TIMELINE - End Time:Windows\regedit.exe
Wed Nov 20 22:49:11 2019 Z
TIMELINE - Start Time:Windows\regedit.exe
Wed Nov 20 22:49:07 2019 Z
REG - [Program Execution] UserAssist - {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (1)
REG - [Program Execution] UserAssist - {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Registry Editor.lnk (1)
I opened RegEdit, navigated to a specific key, and that key was in focus when I closed RegEdit. With respect to the LastKey value, we're aware that's the context of the data...the key that was in focus with RegEdit was closed. What this clearly illustrates is "humanness"...human-based actions occurring and being recorded in these data sources. We can see from the UserAssist data how RegEdit was opened, we can see how long it was open (in this case, ~50 sec or so), and which key was in focus when it was closed. Looked at together, these artifacts provide a clear illustration of human activity.
Here's another example of what correlating the two data sources can look like:
Wed Nov 20 21:11:29 2019 Z
TIMELINE - End Time:C:\Users\harlan\Desktop\WRR.exe
Wed Nov 20 21:10:01 2019 Z
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - local
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.dat - NTUSER.DAT
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder - local
Wed Nov 20 21:09:45 2019 Z
TIMELINE - Start Time:C:\Users\harlan\Desktop\WRR.exe
REG - [Program Execution] UserAssist - C:\Users\harlan\Desktop\WRR.exe (1)
In this particular case, I'd opened WRR and loaded an NTUSER.DAT file from a folder called "local".
Here's an example of how correlating the two data sources can provide additional insight and context into accessing files:
Wed Nov 20 20:20:56 2019 Z
REG - RecentDocs - Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc - Armor of God.doc
TIMELINE - End Time:Program Files x86\Microsoft Office\Office14\WINWORD.EXE
Wed Nov 20 20:09:29 2019 Z
REG - Word File MRU - C:\Users\harlan\Desktop\Armor of God.doc
REG - Word Place MRU - C:\Users\harlan\Desktop\
Wed Nov 20 20:09:28 2019 Z
TIMELINE - Start Time:Program Files x86\Microsoft Office\Office14\WINWORD.EXE
REG - [Program Execution] UserAssist - {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\WINWORD.EXE (5)
In this particular case, I was preparing for Bible study and had a Word document open. The data from the Activity Timeline database showed that MSWord had been opened, but it took data from the NTUSER.DAT hive (RecentDocs and MSOffice plugins) to provide information about which file had been opened. In this case, the data illustrates that I'd had the file open approximately 11 minutes.
I could go on with the examples but suffice to say that the ActivitiesCache.db data provides context and validation to data from other sources; in this case, from data from the NTUSER.DAT hive associated with user activity. Adding additional data from other sources, such as Automatic JumpLists would not only provide additional context, but would be extremely valuable in the face of anti-forensics efforts. Getting a good view of what constitutes artifact clusters will also help us seen when elements from those clusters are missing, potentially through deletion efforts.
Further, the correlation of multiple data sources gives us a better view not only of artifact clusters, but also of past activities. As I went through the timeline data, I was references to files and applications that no longer existed on my system. I also saw references to files on external data sources (F:\, G:\, etc.), as well.
Something else I found as a result of this exercise was that the first entry in the database table appears to be dated 20 Jun 2019. Based solely on the data available, it would appear that an update was applied, as I'm also seeing all of the LastWrite times for RecentDocs subkeys set to the same time shortly before the first entry in the database. A quick query via WMIC reveals that a security update was installed on that day, for KB4498523. The finding is reminiscent of what Jason Hale discussed in his blog post regarding shellbags and a Win10 feature update.
Going Deeper
A while back, Mari had written a tool to parse deleted entries from a SQLite database, so I thought I'd give it a shot. I downloaded the CLI version of the tool, and after running it, got a TSV file that I opened up in Excel. There were a total of 630 rows, not all of which seemed to have much data, let alone much data of value. However, many of the rows contained what looked like extensive JSON-formatted data. A number of these contained references to files I'd opened in Notepad++, including the full path to the file, as well as the following:
{"gdprType":"ProductAndServiceUsage","clipboardDataId":"
So, much like other data sources, it appears that deleted items from this database file can provide additional insight and context, as well.
Additional Resources:
GroupIB writeup
Salt4n6 writeup
CCLGroup LTD writeup
Journal of Forensic Science paper
Medium.com article - lists descriptive resources, and tools, including Mark McKinnon's Autopsy plugin
PureInfoTech article - disabling the Timeline Activity feature (be sure to look for this being used for anti-forensics, or check the value if you're not finding the ActivitiesCache.db file)
Tools:
kacos2000 - WindowsTimeline
forensicMatt - ActivitiesCacheParser
Eric Z's Tools site
TZWorks - Timeline ActivitiesCache parser
Mari's SQLParser tools
Saturday, November 02, 2019
More Regarding LNK Files
My recent post regarding LNK files got me thinking about other uses of LNK files. That previous post really illustrated how some analysts are following Jesse Kornblum's adage of "using every part of the buffalo", in that they made use of everything (or as close to it as they could) they had available in order to develop a #threatintel picture.
This got me to thinking...taking a step back, how else can LNK files be used?
DFIR Analysis
Some DFIR analysts are aware of the fact that when analyzing Windows systems, you're going to find Windows shortcut/LNK files in a number of locations. For example, there're the user's desktop, the user's Recent folder, etc. In addition, Automatic JumpList files are OLE structured storage format files, and all but one of the streams follow the LNK file format. So, the file format is widely used on Windows systems, and the location of the file or stream provides some useful context that can also be applied to the content.
LNK files contain a good bit of metadata, as they contain shell items (as do other artifacts, such as shellbags), which are blobs of binary data that describe various objects on Windows systems. In the case of folder objects, specifically, one of the elements found to be embedded within the metadata is the MFT reference number for that folder object. This reference number is comprised of the record number (i.e., location within the MFT), as well as the sequence number (in short, "...this is the nth time this record has been used.")
Okay...so what?
Well, when it comes to artifacts of use, or more specifically, file access, the LNK files created as a result of user activity can remain on the system long after the files and applications with which they're associated have been removed or deleted. Say that you're investigating access to a particular file (by name or folder path) and your goal is to illustrate that the user had knowledge of that file. If the user accessed the file by double-clicking on it, an LNK file will have been created, and that file will persist well beyond the deletion of the target file itself. These artifacts will also persist beyond the removal of the associated application, as well.
This can be useful to us because it gives us something of a historical view of the file system. For example, let's say that the per the MFT, record number 2357, with sequence number 5, points to a folder on the user's desktop called "Personal Stuff". Now, suppose we find a LNK file that points to the fact that the user opened a file that was located in a folder named "Hacker Tools", and the MFT reference number extracted from the LNK file is 2357/4, or 2357/3. This provides us with a view of what the file system used to look like, giving us something a historical "smear" of the file system.
Also, these LNK files can provide information regarding external devices, as well. The basic shell items are created in the user's shellbags when they use Windows Explorer to navigate folders on an external device, such as a USB thumb drive, USB-connected smartphone, etc. Then if they open files, shell items are created to populate LNK files pointing to those files.
Adversary Persistence
Adversaries have been observed persisting beyond password updates by modifying the iconfile name attribute of an LNK file to point to a resource that they (the adversary) control. What happens if the LNK file is at the root of a directory is that when a user/admin browsers to the folder, Windows parses the file and attempts to load the icon from the remote resource, using the user's credentials to authenticate, first via SMB, and then via WebDAV.
Other Ways To Use LNK Files
"Using" LNK files can apply to the adversary, as well as to an analyst (DFIR, intel, etc.). There's this write-up on Kovter, describing how the adversary uses/used LNK files, and there's this BitOfHex blog post describing how to derive intel from LNK files. There's also hexacorn's older blog post regarding the use of hotkeys and LNK files, and this USCERT alert that describes the use of the adversary persistence technique described above (not 'new' or an 'other' use, but placed here as an illustration).
This got me to thinking...taking a step back, how else can LNK files be used?
DFIR Analysis
Some DFIR analysts are aware of the fact that when analyzing Windows systems, you're going to find Windows shortcut/LNK files in a number of locations. For example, there're the user's desktop, the user's Recent folder, etc. In addition, Automatic JumpList files are OLE structured storage format files, and all but one of the streams follow the LNK file format. So, the file format is widely used on Windows systems, and the location of the file or stream provides some useful context that can also be applied to the content.
LNK files contain a good bit of metadata, as they contain shell items (as do other artifacts, such as shellbags), which are blobs of binary data that describe various objects on Windows systems. In the case of folder objects, specifically, one of the elements found to be embedded within the metadata is the MFT reference number for that folder object. This reference number is comprised of the record number (i.e., location within the MFT), as well as the sequence number (in short, "...this is the nth time this record has been used.")
Okay...so what?
Well, when it comes to artifacts of use, or more specifically, file access, the LNK files created as a result of user activity can remain on the system long after the files and applications with which they're associated have been removed or deleted. Say that you're investigating access to a particular file (by name or folder path) and your goal is to illustrate that the user had knowledge of that file. If the user accessed the file by double-clicking on it, an LNK file will have been created, and that file will persist well beyond the deletion of the target file itself. These artifacts will also persist beyond the removal of the associated application, as well.
This can be useful to us because it gives us something of a historical view of the file system. For example, let's say that the per the MFT, record number 2357, with sequence number 5, points to a folder on the user's desktop called "Personal Stuff". Now, suppose we find a LNK file that points to the fact that the user opened a file that was located in a folder named "Hacker Tools", and the MFT reference number extracted from the LNK file is 2357/4, or 2357/3. This provides us with a view of what the file system used to look like, giving us something a historical "smear" of the file system.
Also, these LNK files can provide information regarding external devices, as well. The basic shell items are created in the user's shellbags when they use Windows Explorer to navigate folders on an external device, such as a USB thumb drive, USB-connected smartphone, etc. Then if they open files, shell items are created to populate LNK files pointing to those files.
Adversary Persistence
Adversaries have been observed persisting beyond password updates by modifying the iconfile name attribute of an LNK file to point to a resource that they (the adversary) control. What happens if the LNK file is at the root of a directory is that when a user/admin browsers to the folder, Windows parses the file and attempts to load the icon from the remote resource, using the user's credentials to authenticate, first via SMB, and then via WebDAV.
Other Ways To Use LNK Files
"Using" LNK files can apply to the adversary, as well as to an analyst (DFIR, intel, etc.). There's this write-up on Kovter, describing how the adversary uses/used LNK files, and there's this BitOfHex blog post describing how to derive intel from LNK files. There's also hexacorn's older blog post regarding the use of hotkeys and LNK files, and this USCERT alert that describes the use of the adversary persistence technique described above (not 'new' or an 'other' use, but placed here as an illustration).
Subscribe to:
Posts (Atom)