Thursday, April 20, 2006

New ProScripts

The user forums at TechPathways were recently revamped and updated (with respect to functionality). In the process, previous threads were lost. I've added a couple of ProScripts that you may find helpful...

One of the scripts parses through the Registry (the script makes the assumption that there is only one Windows image in the project, and only one Registry) and pulls out user SIDs. From there, it goes through the HKEY_USERS hive and parses out the UserAssist keys...you know, the ones with the values that are ROT-13 "encrypted". If possible, the script also pulls out timestamps from the value data. Here's an example of the output when I ran the script against the hacking case image:

UEME_RUNPATH:C:\Program Files\Cain\Cain.exe --> Fri Aug 27 15:33:02 2004
UEME_RUNPATH:C:\Program Files\Whois\whois.exe --> Thu Aug 26 15:13:57 2004
UEME_RUNPATH:C:\WINDOWS\System32\telnet.exe --> Thu Aug 26 15:05:15 2004
UEME_RUNPATH:C:\Program Files\Network Stumbler\NetStumbler.exe --> Fri Aug 27 15:12:35 2004
UEME_RUNCPL:"C:\WINDOWS\System32\appwiz.cpl",Add or Remove Programs --> Fri Aug 27 15:14:44 2004
UEME_RUNPATH:C:\Documents and Settings\Mr. Evil\Desktop\WinPcap_3_01_a.exe --> Fri Aug 27 15:15:08 2004
UEME_RUNPATH:C:\Documents and Settings\Mr. Evil\Desktop\ethereal-setup-0.10.6.exe --> Fri Aug 27 15:28:36 2004
UEME_RUNPATH:C:\Program Files\Ethereal\ethereal.exe --> Fri Aug 27 15:34:54 2004

So why is this important? Well, for one, it ties activity such as running executables to a specific user. This info is pulled right out of the NTUSER.DAT file, and is visible in ProDiscover under the HKEY_USERS hive.

This information can be correlated to the contents of the Prefetch directory (on XP systems, which perform application prefetching by default). I wrote a ProScript that would run through the Prefetch directory and list the .pf files. For each one, it retrieves and displays the last run timestamp and run count from the contents of the file. See the following excerpt from the output of the ProScript:

Name : CAIN.EXE-23D61279.pf
Last Run : Fri Aug 27 15:33:03 2004
Run Count : 2

Name : NETSTUMBLER.EXE-0BFEE568.pf
Last Run : Fri Aug 27 15:12:35 2004
Run Count : 1

Name : TELNET.EXE-24182D40.pf
Last Run : Thu Aug 26 15:05:15 2004
Run Count : 1

Name : WINPCAP_3_01_A.EXE-1E3EDEDC.pf
Last Run : Fri Aug 27 15:15:08 2004
Run Count : 1

Notice how the "Last Run" times from the .pf file correlate with the same time from the UserAssist key? So now, if we find an interesting .pf file in the Prefetch directory, we have a way to correlate it and tie it to a particular user. Of course, we can also use the Security Event Log for further correlation...if it is configured to audit logins.
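The correlation described above, as an added example in Python (not one of the ProScripts from this post): it ROT-13 decodes UserAssist value names, reads the last-run FILETIME from the value data, and pairs entries with Prefetch records by executable name and time. The 16-byte XP value layout (session ID, counter, FILETIME), the 2-second tolerance and all function names are assumptions; the sample values are constructed from the output excerpts above, with timestamps treated as UTC.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
FMT = "%a %b %d %H:%M:%S %Y"  # timestamp format of the output above

def ts(text):  # parse a timestamp as printed on this page (treated as UTC)
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def parse_userassist(value_name, data):
    """Return (decoded name, last-run datetime or None) for one value."""
    name = codecs.decode(value_name, "rot_13")
    if len(data) != 16:  # assumed XP layout only; otherwise no timestamp
        return name, None
    _session, _count, filetime = struct.unpack("<IIQ", data)
    when = EPOCH_1601 + timedelta(microseconds=filetime // 10)
    return name, (when if filetime else None)

def correlate(userassist, prefetch, tolerance=timedelta(seconds=2)):
    """Pair .pf records with UEME_RUNPATH entries by exe name and time."""
    hits = []
    for pf_name, pf_last_run in prefetch:
        exe = pf_name.rsplit("-", 1)[0]  # "CAIN.EXE-23D61279.pf" -> "CAIN.EXE"
        for name, last_run in userassist:
            if last_run is None or not name.startswith("UEME_RUNPATH:"):
                continue
            same_exe = name.rsplit("\\", 1)[-1].upper() == exe
            if same_exe and abs(last_run - pf_last_run) <= tolerance:
                hits.append((pf_name, name, last_run))
    return hits

def make_value(name, text):
    """Constructed sample: ROT-13 the name, pack 16 bytes of value data."""
    filetime = ((ts(text) - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return codecs.encode(name, "rot_13"), struct.pack("<IIQ", 1, 6, filetime)

# Constructed from the output excerpts above, not read from a real hive.
SAMPLE_UA = [parse_userassist(*make_value(n, t)) for n, t in [
    (r"UEME_RUNPATH:C:\Program Files\Cain\Cain.exe", "Fri Aug 27 15:33:02 2004"),
    (r"UEME_RUNPATH:C:\Program Files\Whois\whois.exe", "Thu Aug 26 15:13:57 2004"),
    (r"UEME_RUNPATH:C:\WINDOWS\System32\telnet.exe", "Thu Aug 26 15:05:15 2004"),
]]
SAMPLE_PF = [("CAIN.EXE-23D61279.pf", ts("Fri Aug 27 15:33:03 2004")),
             ("TELNET.EXE-24182D40.pf", ts("Thu Aug 26 15:05:15 2004"))]

if __name__ == "__main__":
    for pf_name, name, last_run in correlate(SAMPLE_UA, SAMPLE_PF):
        print(pf_name, "<->", name, "at", last_run.strftime(FMT))
```

The tolerance matters for entries like Cain.exe, where the two timestamps in the output above differ by one second.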

Note that the Prefetch ProScript requires ProDiscover 4.642 (which should now be available) or greater. This is due to updates in one of the APIs.

Yet another ProScript copies the Event Log files out of the Windows\system32\config directory so you can use File::ReadEVT to pull out the data, collect statistics, etc. And I reposted the ProScript that parses V and F values out of the SAM file to determine user information and group membership.
