Sunday, March 12, 2023

On Using Tools

I've written about using tools before in this blog, but there are times when something comes up that provokes a desire to revisit a topic, to repeat it, or to evolve and develop the thoughts around it. This is one of those posts. 

When I first released RegRipper in 2008, my intention was that once others saw the value in the tool, it would organically just grow on its own as practitioners found value in the tool, and sought to expand it. My thought was that once analysts started using it, they'd see the value proposition in the tool, and all see that the real power that comes from it is that it can easily be updated; "easily" by either developing new plugins, or seeking assistance in doing so.

That was the vision, but it's not something that was ever really realized. Yes, over time, some have created their own plugins, and of those, some have shared them. However, for the most part, the "use case" behind RegRipper has been "download and RUNALLTHETHINGS", and that's pretty much it.

On my side, there are a few assumptions I've made with respect to those using RegRipper, specifically around how they were using it. One assumption has been that whomever downloaded and is using the tool has a purposeful, intentional reason for doing so, that they understand their investigative goals and understand that there's value in using tools like RegRipper to extract information for analysis, to validate other findings and add context, and to use as pivot points into further analysis. 

Another assumption on my part is that if they don't find what they're looking for, don't find something that "helps", or don't understand what they do find, that they'll ask. Ask me, ask someone else. 

And finally, I assume that when they find something that either needs to be updated in a plugin, or a new plugin needs to be written to address something, that they'll do so (copy-paste is a great way to start), or reach out to seek assistance in doing so.

Now, I'm assuming here, because it's proved impossible to engage others in the "community" in a meaningful conversation regarding tool usage, but it appears to me that most people who use tools like RegRipper assume that the author is the expert, that they've done and seen everything, that they know everything, and that they've encapsulated all of that knowledge and experience in a free tool. The thing is, I haven't found that to be the case in most tools, and that is most definitely NOT the case when it comes to RegRipper.

Why would anyone need to update RegRipper? 

Lina recently tweeted about the need for host forensics, and she's 10,000% correct! SIEMs only collect those data sources that are pointed at them, and EDR tools can only collect and alert on so much. As such, there are going to be analysis gaps, gaps that need to be filled in via host forensics. And as we've seen over time, a lot changes about various endpoint platforms (not just Windows). For example, we've been aware of the ubiquitous Run keys and how they're used for persistence; however, there are keys that can be used to disable the Run key values (Note: the keys and values can be created manually...) without modifying the Run key itself. As such, if you're checking the contents of the Run key and stating that whatever is listed in the values was executed, without verifying/validating that information, then is this correct? If you're not checking to see if the values were disabled (this can be done via reg.exe), and if you're not validating execution via the Shell-Core and Application Event Logs, then is the finding correct? I saw the value in validating findings when determining the "window of compromise" during PCI forensic exams, because the finding was used to determine any regulatory fines levied against the merchant.

My point is that if you're running a tool and expecting it to do everything for you, then maybe there needs to be a re-examination of why the tool is being run in the first place. If you downloaded RegRipper 6 months ago and haven't updated it in any way since then, is it still providing you with the information you need? If you haven't added new plugins based on information you've been seeing during analysis, at what point does the tool cease to be of value? If you look closely at the RegRipper v3.0 distro available on Github, you'll notice that it hasn't been updated in over 2 1/2 yrs. I uploaded a minor update to the main engine a bit ago, but the plugins themselves exist as they were in August 2020. Since then, I've been developing an "internal" custom version of RegRipper, complete with MITRE ATT&CK and category mappings, Analysis Tips, etc. I've also started developing plugins that output in JSON format. However, all of these are things that either I proposed in 2019 and got zero feedback on, or someone close to me asked about. Not a week goes by when I don't see something online, research it, and it ends up in a plugin (or two, or five...).

If you're using a tool, any tool (RegRipper, plaso, etc.), do you understand it's strengths and weaknesses, do you understand what it does and does not do, or do you just assume that it gives you what you need?

2 comments:

Andreas said...

> If you're using a tool, any tool (RegRipper, plaso, etc.), do you understand it's strengths and weaknesses, do you understand what it does and does not do, or do you just assume that it gives you what you need?

As written in a current article I read. Replace „foe search“ with „for forensic“…

So far, the direction of travel for search is clear: scrutinize sources less and trust what you’re told more.

H. Carvey said...

Andreas,

> Cool news, I'm interested to use it of course.

Like I said, it's internal. RegRipper has been included in courses and distros, all without feedback and precious few developing new plugins. Further, it was even embedded in a commercial tool last year. I'm not sure I want to keep providing something like that for free.

> How do you train your fellow analysts on these topics ...

I'm not sure you can. Information can be provided, but if others are unwilling to pick up the tools, there's little that can be done to change that.

> In my experience, only a few in a team are able to access forensic tools like that because of the specialized knowledge required to answer these questions.

I agree that few do, but there really isn't any "specialized knowledge" required. You first have to start with your analysis goals...if you can't define what it is you're looking for, *why* you're doing the work in the first place, then what's the point?

> If you don't have dedicated persons for such advanced topics like artifact knowledge...

But do you really *need* such a person? Well, maybe some teams, particularly those that do not have dedicated security/DFIR personnel, that may be the case.

> Do you see a chance that we improve the collaboration...

I'm not sure that's going to be something that's done, because it's not something that the "community" appears to be entirely interested in.

For example, over the years, I've checked in on plaso, and in 2020, verified that it didn't parse the WMI repository/OBJECTS.DATA file. The team that was using it at the time was using it as part of CyLR; the data collection phase was collecting the the OBJECTS.DATA file, and when I asked the analysts if they found WMI persistence in Kibana (the backend), they said, "no". However, that was to be expected, because (at the time), the OBJECTS.DATA file wasn't being parsed.

In my experience, the real issue is that many analysts (SOC, DFIR, etc.) don't have a grasp of their analysis goals...what they're trying to prove or disprove. This is the starting point for everything, and from there, we can build playbooks.