Beyond good ol’ Run key, Part 29

March 13, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

LNK files have been used by malware for many years, so there is not much new that can be said about them with regard to persistence.

Examples include:

  • Placing shortcut files in popular locations (Desktop, Start Menu)
  • Replacing an .exe path inside the .lnk files with one pointing to a malicious executable (‘man-in-the-middle’, or a variant of a companion virus)
  • Exploits (as used by Stuxnet)
  • Etc.

The following examples explore 2 more (but less popular) methods of leveraging LNK files as a persistence mechanism.

Hot Keys

The first one relies on Hot Keys. LNK files placed on a Desktop or in a Start Menu have an interesting property – they can register hot keys that activate (i.e. launch) the respective .lnk file.

This was handy back in the day when icons on a desktop were hidden most of the time and using shortcuts allowed accessing the most popular applications w/o a need to minimize all windows or browse through the Start Menu. Today, the new Taskbar in Win7/8/10 + Windows+<number> combinations make this functionality pretty much obsolete. But it’s still there. And one can modify an existing Desktop/Start Menu shortcut, or create a new one, so that it points to malware.

It will be activated anytime a specific combination of keys is hit.

Of course, which key combination to choose is the tricky part – a wrong choice could affect running applications. One can always explore the possibilities by checking the Shortcut Key section in the Shortcut Properties window. Interestingly, manually setting the keys will almost always include a CTRL+ALT prefix (added by the OS). This limits the range of popular keys that can be entered via the Shortcut Properties window (note: some keys, e.g. F1-F12, are not prefixed):

[screenshot]

One could bypass this restriction by setting the keys directly via the COM object responsible for the creation of shortcuts (IShellLink interface), or even by manually modifying the .lnk file (on a binary level).

To demonstrate this trivial trick we can look at the following snippet of code.

set w = CreateObject("Wscript.shell")
d = w.SpecialFolders("Desktop")
set l = w.CreateShortcut(d + "\foo.lnk")
l.WindowStyle = 4
l.TargetPath = "c:\test\malware.exe"
l.Hotkey = "Captial"
l.Save

It leverages a COM IShellLink interface accessed via Visual Basic Script to create a shortcut to a c:\test\malware.exe file. The ‘malware’ will be activated anytime someone presses a CAPS LOCK. A trivia fact: ‘Captial’ is actually how VBS refers to a CAPS LOCK key.

This choice of key(s) is actually not that bad – people don’t use CAPS LOCK at all and at the same time – they often press it accidentally every once in a while. After some more tests it also looks like it does NOT affect running programs, so e.g. if you type something, then press CAPS LOCK (malware runs), applications will still interpret CAPS LOCK and switch to capital letters. Pressing it again brings the small letters back (while malware executes again).

A kinda similar concept applies to F1 which could be used as an alternative (people don’t use a built-in Help that often either).

This is what the generated shortcut looks like in the Shortcut Properties window:

[screenshot]

And this is what happens when you hit Caps Lock:

[screenshot]

The c:\test\malware.exe is a simple program showing a message box.
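For triage, the hot key a shortcut registers can be read straight from the fixed 76-byte .lnk header, where the public Shell Link format stores a two-byte HotKey field at offset 0x40 (key code, then modifier bits). The Python below is an added example, not code from the original post; the function names and the needs_review heuristic (a bare key other than F1-F12) are assumptions built on the post's observation about the Properties dialog.

```python
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link CLSID
MODIFIERS = {0x01: "SHIFT", 0x02: "CTRL", 0x04: "ALT"}         # HOTKEYF_* bits
NAMED = {0x14: "CAPS LOCK", 0x90: "NUM LOCK", 0x91: "SCROLL LOCK"}

def key_name(vk):
    """Readable name for the virtual-key code stored in the low byte."""
    if 0x70 <= vk <= 0x87:
        return f"F{vk - 0x6F}"
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:
        return chr(vk)
    return NAMED.get(vk, f"VK_0x{vk:02X}")

def read_hotkey(header):
    """Return (combo, needs_review) from a .lnk header, or None if no hot key."""
    if (len(header) < 0x4C or struct.unpack_from("<I", header)[0] != 0x4C
            or header[4:20] != LNK_CLSID):
        raise ValueError("not a shell link header")
    vk, bits = header[0x40], header[0x41]   # HotKey field: key code, modifiers
    if vk == 0:
        return None
    mods = [name for bit, name in MODIFIERS.items() if bits & bit]
    # Heuristic (assumption): a bare key other than F1-F12 is the case the
    # post says the Properties dialog does not normally produce.
    needs_review = not mods and not 0x70 <= vk <= 0x7B
    return "+".join(mods + [key_name(vk)]), needs_review

def scan(folder):
    """Yield (path, combo, needs_review) for shortcuts that register a hot key."""
    for path in sorted(Path(folder).rglob("*.lnk")):
        try:
            with open(path, "rb") as fh:
                hit = read_hotkey(fh.read(0x4C))
        except (OSError, ValueError):
            continue
        if hit:
            yield (str(path), *hit)

def sample_header(vk, bits):
    """Constructed 76-byte header for testing (not a complete .lnk file)."""
    hdr = bytearray(0x4C)
    struct.pack_into("<I", hdr, 0, 0x4C)
    hdr[4:20] = LNK_CLSID
    hdr[0x40], hdr[0x41] = vk, bits
    return bytes(hdr)

if __name__ == "__main__":
    print(read_hotkey(sample_header(0x14, 0)))      # Caps Lock, no modifiers
    print(read_hotkey(sample_header(0x41, 0x06)))   # Ctrl+Alt+A
```

Pointing scan() at the Desktop and Start Menu folders of each profile lists every shortcut that registers a hot key, with the bare-key ones marked for a closer look at their target.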

Command line modification

The other way one can exploit .LNK files is not by modifying the path to the executable itself, but by changing the command line arguments. This is in fact a technique that is actively used by malicious plugins. They use this trick to patch .LNK files pointing to the Google Chrome browser so that it loads a malicious plugin via a modified command line. The command line switch that is added is ‘--load-extension’.

Chrome uses a lot of command line arguments that could be potentially abused the same way.

Win8 + Parental Control

March 3, 2015 in Forensic Analysis

One of the lesser known features of Windows 8 was the introduction of Parental Control. The idea is that you can change an account type to one that can be used by children. Such an account can then be both managed by parents and also (what’s very interesting) regularly monitored.

I was curious what it means from a forensic perspective and did a quick test to see what I can find out.

How to set it up?

  1. Create a new account.
  2. Tick the box to mark it as child’s account
  3. You are done.
  4. You can go to Account / User settings and set up the Family Safety options + activity reporting. By default, it’s all enabled.

Testing

  1. Simply log off as a current user and log on as a child’s account
  2. What you will immediately see after logging on is a notification in the right corner of the screen saying ‘This account is monitored by Family Safety’
  3. Run a couple of apps
    Note: I didn’t test the web sites in this test; I am not 100% sure, but setting modifications are probably traced as well – it’s all subject to further research
    In my case I ran:

    • cmd.exe, from there I ran calc.exe and spawned another copy of cmd.exe
    • In the new cmd.exe I ran notepad and again, started a new instance of cmd.exe
    • In the final cmd.exe instance, I launched mspaint/pbrush.exe
    • Eventually I also launched Task Manager via CTRL+SHIFT+ESC
    • I ran it this way hoping that PID relationship will be preserved

Analyzing the evidence

  1. I then logged off and logged on as Admin user to review the logs
  2. I went to the User Settings again and… saw this:
    [screenshot]
  3. That was surprising :)
  4. I started Process Monitor and went back to the logs.
  5. Luckily, Process Monitor highlighted a file of interest:
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx
  6. Now it was easy. I opened it up in MMC:
    [screenshot]
  7. Looks like the Built-in reviewing panel ignores some Windows applications.
  8. While reviewing the data in MMC I noticed the events are NOT sorted according to time (granularity of time is too low and all timestamps are ‘equal’; this is kinda… stupid)
  9. Exporting to CSV and TSV doesn’t help as timestamps are truncated to granularity of seconds
  10. Exporting to XML does help as timestamps are preserved with fractions e.g. 2015-03-03T17:21:49.447501700Z so we can use it to sort events properly
  11. You can export the logs to an XML file via command line using wevtutil
    wevtutil qe /lf "c:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx" > xml
  12. Once you parse this data and cherry-pick what you need you can end up with a table as below (I loaded it into Excel and sorted it by time):
    [screenshot]

Nice! So we got the log of all applications loaded during the test and following the sequence as listed earlier.

The SerializedApplication column contains a serialized pair of a full path to an executable followed by the window title of the application. The serialization seems to be based on an alphabet made up of 0-9a-z and each string is prefixed with two characters that represent the length of the string.

The best way to explain it is via examples:

 000000000000000000000000000000000000111111111111111111111111111111111111
 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz
05Paint
07Notepad
0nFirst Sign-in Animation
0pWindows Command Processor
0vc:\windows\system32\notepad.exe
17c:\windows\system32\oobe\firstlogonanim.exe
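
The two steps above (sorting the XML export by its full-precision timestamps and decoding the length-prefixed strings) can be combined in a few lines of Python. This is an added example, not code from the original post: the function names are hypothetical, the sample events are constructed from the strings shown above, and the location of the SerializedApplication value inside each event (a Data element with that Name, or an element of that name) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

def decode_serialized(blob):
    """Split a SerializedApplication value into its length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        prefix = blob[pos:pos + 2]                 # two base-36 digits (0-9a-z)
        if not re.fullmatch(r"[0-9a-z]{2}", prefix):
            raise ValueError(f"bad length prefix {prefix!r} at offset {pos}")
        end = pos + 2 + int(prefix, 36)
        if end > len(blob):
            raise ValueError(f"string at offset {pos} is truncated")
        out.append(blob[pos + 2:end])
        pos = end
    return out

def time_key(system_time):
    """Sort key that keeps every fractional digit of a SystemTime value."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", system_time)
    if not m:
        raise ValueError(f"unexpected timestamp {system_time!r}")
    return m.group(1), int((m.group(2) or "").ljust(9, "0")[:9])

def timeline(export_text, field="SerializedApplication"):
    """Return [(SystemTime, [path, title])] in true chronological order."""
    # wevtutil qe emits bare <Event> elements, so wrap them in a root first.
    root = ET.fromstring("<Events>" + export_text + "</Events>")
    rows = []
    for event in root:
        stamp = decoded = None
        for el in event.iter():
            tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
            if tag == "TimeCreated":
                stamp = el.get("SystemTime")
            elif field in (tag, el.get("Name")):     # assumed field location
                decoded = decode_serialized(el.text or "")
        if stamp and decoded is not None:
            rows.append((stamp, decoded))
    return sorted(rows, key=lambda row: time_key(row[0]))

# Constructed sample: two events inside the same second, stored out of order.
_EVT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><TimeCreated SystemTime="{}"/></System><EventData>'
        '<Data Name="SerializedApplication">{}</Data></EventData></Event>')
SAMPLE = (
    _EVT.format("2015-03-03T17:21:49.447501700Z", r"0vc:\windows\system32\notepad.exe07Notepad")
    + _EVT.format("2015-03-03T17:21:49.130000000Z",
                  r"17c:\windows\system32\oobe\firstlogonanim.exe0nFirst Sign-in Animation"))
```

Calling timeline() on the text of the wevtutil export returns the events ordered by their sub-second timestamps, each with the executable path and window title already split out.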

I am not sure what TimeUsed means (or, more precisely – how to interpret this value).

Configuration

Parents can specify what apps can be run by a child. There is also a way to block content according to rating & allow only a certain list of websites (web filtering). In other words, it can work as a (kinda primitive) security control to limit access to both web sites and applications. Other options include time limits and game usage restrictions.

Configuration of Parental Control is preserved under the following key:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls

Adding filters for web means that the entries will be created under the following key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\<SID>\Web\Overrides

And similar rules apply to apps:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\<SID>\DesktopApps

With the filtering on, we got yet another artifact to look at which may be handy in determining what applications have been used on the system and when.