Detecting APT remnants in $MFT

Update 2018-12-15

This tool was an experiment; please do not use it anymore as it produces unreliable reports; the tool has not been updated for many years. Use modern AV/EDR software instead. Thanks!

Old Post

In a post from 2012 I introduced a simple tool that scanned $MFT for traces of Flame.

Today I decided to update the list of file names the tool recognizes to include:

  • the latest in many APT campaigns – credit goes to kbandla @ https://github.com/kbandla/APTnotes/
  • some tools typically used by hackers (their full and short file names)
  • ‘stashed data’ file names e.g. ‘1.rar’
  • other file names commonly used by hackers [lots of generic names]

This is an experimental tool so do not jump if you see something in RED (well, you should not anyway, cuz it could mean you got pwned).

Just assess it and take it from there – look for the file names highlighted by HCD on your drive. If you can’t find it, use a forensic tool to export a full list of file names. p.s. I will add a feature to include full paths in future versions – code is ready, but needs some more polishing.

In any case, if you see something red you should probably look at your system anyway… If you find bugs or false positives, pls let me know. Thanks.

Download the tool from here.

Example:

HCD ran on a system where the DoubleFantasy installer was executed previously; the system also contains various reversing tools, e.g. ollydbg.exe and bintext.exe:

[screenshot]

Last, but not least, I am aware of some bugs, but better have something than nothing to fight clowns writing malware for governments…

What’s next?

If you suspect something ‘funny’ you can use the following tools to extract a full filelist from $MFT:

Another way to test your system is by running LOKI by Florian Roth – a tool that scans your system for IOCs (Indicators Of Compromise) for many well-known APT campaigns.

SCCM (System Center Configuration Manager) and Incident Response – Part 2

Update

After I posted this piece Ryan (Thanks!) pinged me to highlight a few aspects related to SCCM which are worth mentioning, so I am adding some more notes below:

  • For performance reasons the indexing is often limited to certain directories and file extensions; this is a very important point and it’s good to review the inventory config and adjust it to your needs (if SCCM admins agree 🙂 )
    • I have seen inventories limited to .exe files and multimedia files (e.g. mp3)
  • There is an option to copy files to SCCM
  • SCCM can be asked to query the environment for specific file names (even non-.exe) – it is kinda similar to sweeps, but it’s relatively slow and quite a burden on the system
  • You may know SCCM as SMS (Systems Management Server), ConfigMgr 2012, ConfigMgr 2007 or ConfigMgr – see wiki for more details

Old post

A while ago I wrote that SCCM can help IR guys to hunt for anomalies in the environment. I always wanted to come back to this topic with some more concrete examples so that I can show what is actually possible.

As mentioned in the first post – if you have never used SCCM or don’t know what it is, please ask your admin or whoever owns the ‘win’ platform in your company (the function may be called Desktop Management, Windows Admin, or something along these lines) to give you the URL (and access rights) to the SCCM reporting tool.

The URL will lead you to a page where you can choose various reports presenting information about the asset inventory of your company. I won’t cover the details here – all you need to do is to choose a specific report, fill in the form and submit it to the web site. In return you will get the report.

An example form looks like this:

[screenshot: sccm1]

The screenshot comes from some random forum post, so I hid the domain name to protect the innocent.

When you submit this form the data is sent to the web site using a GET request. This is cool, because it means you can change the parameters directly in your browser’s address bar – it’s easy to experiment with the variable holding the file name.

Let’s see how it works in practice.

The URL to your SCCM report looks like this:

http://<SCCM>/Report.asp?ReportID=<###>

where:

  • <SCCM> – the address of your SCCM reporting page, usually something like “SMSReporting_<org name>/”
  • <###> – the number assigned to the report called “Computers with a specific file” (find it on the main SCCM reporting page)

The data you provide is passed via an argument called ‘variable’.

Submitting an example query to show all computers that host ‘tor.exe’ could look like this:

http://<SCCM>/Report.asp?ReportID=<###>&variable=tor.exe

When the page comes back you can get one of 3 types of reports:

  • No report, because the page timed out 😉 – you need to use a different query (most likely the tor.exe query won’t time out since the name is quite unique, but if you searched f.ex. for notepad.exe the chances of a timeout are high). The page then shows:
    Response object error 'ASP 0251 : 80004005'
    Response Buffer Limit Exceeded
    [...]
  • No results – this is usually good news, since it means there is no ‘tor.exe’ on any system
  • The actual list of systems hosting ‘tor.exe’ – these you need to chase after ASAP

The example report highlighting one system hosting ‘tor.exe’ looks like this:

[screenshot: sccm2]

This is a good example of actionable data. You can now go directly to the system and investigate. You can question the owner of the system. Finally, you can remove that ‘tor.exe’ instance from the system.

Obviously, to make the best use of the tool you need to know what queries to use. There is (luckily) a long list of tool names and programs that both hackers and admins (as well as stupid users) use, and you can start the hunting initiative by querying f.ex. for:

http://<SCCM>/Report.asp?ReportID=<###>&variable=nmap.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=psexec.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=psexesvc.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=tor.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=vidalia.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=%25torrent%25.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=[0-9][0-9][0-9].exe

The last 2 examples contain wildcards (looking for torrent clients) and regular expressions (looking for 3-digit file names) – it is very handy that SCCM supports these – they not only help with more complicated queries, but also narrow down the results (otherwise the timeout will tell you your query was not that good 🙂 ).

Once you define what queries you want to run on a regular basis you can automate them using Visual Basic Script, Python, or whatever else you like. You can also start building whitelists or exclusion lists. This is because SCCM has a tendency to keep some records ‘forever’, and even if you clean up the system you may sometimes find old records ‘hanging’ in SCCM for a very long time. You can either delete them manually directly from the SCCM DB, or just keep them there and use the aforementioned ‘ignore’ lists to automatically exclude these known systems / files from the output of your parser. Going even further, you can report the results to a SIEM, or start sending alerts via email.
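The automation described above, as an added Python example (not the post’s own code): it builds the Report.asp GET URL, sorts each returned page into the three outcomes listed earlier (timeout, no results, list of systems), and drops known-good pairs from an ignore list. Report.asp, ReportID and variable come from the post; the HTML layout of the result page, the host names, and the ignore entries are assumptions, constructed here so the script runs offline.

```python
"""Automating the SCCM 'Computers with a specific file' web report.

Added example, not the blog author's code. Report.asp and its ReportID /
variable parameters come from the post; the HTML layout of the result
page is an ASSUMPTION (see the constructed samples), so adapt
_TableRows / classify_report to what your reporting site really returns.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Markers of the "page timed out" failure quoted in the post.
TIMEOUT_MARKERS = ("ASP 0251", "Response Buffer Limit Exceeded")

# Exclusion list of (host, queried name) pairs that are known-good or stale
# records. Constructed sample entry.
IGNORE = {("ADMIN-JUMP01", "psexec.exe")}


def build_report_url(sccm_base: str, report_id: int, pattern: str) -> str:
    """Build the GET URL for one query. urlencode() turns the SQL LIKE
    wildcard '%' into '%25', which is how the post writes '%25torrent%25.exe'."""
    query = urlencode({"ReportID": report_id, "variable": pattern})
    return f"http://{sccm_base}/Report.asp?{query}"


class _TableRows(HTMLParser):
    """Collect the text of every <td> cell, grouped per <tr>; <th> headers are skipped."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._in_td = [], None, False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._in_td = True
            self._row.append("")

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False
        elif tag == "tr" and self._row is not None:
            if self._row:
                self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._in_td:
            self._row[-1] += data.strip()


def classify_report(html: str, pattern: str, ignore=IGNORE):
    """Sort a result page into ('timeout', []), ('clean', []) or ('hits', [hosts]).
    Assumes the first column of the result table is the computer name."""
    if any(marker in html for marker in TIMEOUT_MARKERS):
        return "timeout", []
    parser = _TableRows()
    parser.feed(html)
    hosts = [row[0] for row in parser.rows if row and row[0]]
    hosts = [h for h in hosts if (h, pattern.lower()) not in ignore]
    return ("hits", hosts) if hosts else ("clean", [])


def run_hunt(fetch, sccm_base, report_id, patterns):
    """Run every pattern through fetch(url) -> html; return {pattern: (status, hosts)}.
    fetch is injected so the demo runs offline; in production pass
    lambda u: urllib.request.urlopen(u).read().decode()."""
    return {p: classify_report(fetch(build_report_url(sccm_base, report_id, p)), p)
            for p in patterns}


# Constructed sample pages standing in for the live SCCM reporting site.
SAMPLE_HITS = """<html><body><table>
<tr><th>Computer Name</th><th>File Name</th><th>File Path</th></tr>
<tr><td>WKS-0420</td><td>psexec.exe</td><td>C:\\Users\\jdoe\\Downloads\\</td></tr>
<tr><td>ADMIN-JUMP01</td><td>psexec.exe</td><td>C:\\Tools\\PSTools\\</td></tr>
</table></body></html>"""
SAMPLE_TIMEOUT = """<html><body>Response object error 'ASP 0251 : 80004005'
Response Buffer Limit Exceeded</body></html>"""
SAMPLE_CLEAN = "<html><body><table><tr><th>Computer Name</th></tr></table></body></html>"

FAKE_SITE = {
    build_report_url("sccm.example", 123, "psexec.exe"): SAMPLE_HITS,
    build_report_url("sccm.example", 123, "notepad.exe"): SAMPLE_TIMEOUT,
    build_report_url("sccm.example", 123, "tor.exe"): SAMPLE_CLEAN,
}


def demo():
    """Offline run against the constructed site; psexec.exe on ADMIN-JUMP01 is ignored."""
    return run_hunt(FAKE_SITE.__getitem__, "sccm.example", 123,
                    ["psexec.exe", "notepad.exe", "tor.exe"])


if __name__ == "__main__":
    for pattern, (status, hosts) in demo().items():
        print(f"{pattern:12s} {status:8s} {' '.join(hosts)}")
```

The fetch callable is the only piece that touches the network, so the same classification code can be scheduled against the real reporting site, and the (host, name) ignore set is where the stale records the post mentions get parked instead of cluttering every run.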

The web-based report is cool, but it has a serious limitation: it only accepts very simple queries. You can add more fields to the form (e.g. location), but it will still be quite difficult to use on a regular basis. This is because the inner workings of this form rely on a very simple SELECT query.

If you want more (and you should), the natural progression is therefore talking directly to the SQL database. Once you know the DB schema you can start creating very specific queries, f.ex.:

  • Show me all files added to any system that are dropped under c:\windows within last 8h
  • Show me all files dropped under user profile
  • Show me all files with a single letter file name
  • Show me all files made up of digits only
  • etc.

Using time intervals you can build automatic reports about all .exe files added within the last XYZ hours. Eyeballing this may be a bit tricky (don’t be surprised to see gazillions of new .exes landing in your corporate environment every day), so implementing some ‘ignore’ lists may really come in handy. In any case, the sky is the limit here, and a bunch of SCCM queries run on a regular basis can become a very strong complementary detective security control. Note that you don’t need to install anything, build anything, run sweeps, etc. It’s all there, juicy data waiting to be queried.

Btw. if you are wondering why I am not providing example SQL queries, it is because they will vary. Table names are usually organization-specific. If you are curious you can just google around for “sccm sql SoftwareFile” and you will find plenty of examples.
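Since the table names differ between installations, here is an added Python example (not the post’s code) that applies the hunting criteria from the list above, plus the time window and ignore list, to rows you have already exported from SCCM (or, for that matter, to a file list pulled from $MFT): files dropped under C:\Windows within the last 8 hours, files under user profiles, single-letter names, and digit-only names. The FileRecord layout, the host names, the timestamps and the ignore entry are all constructed for the demonstration.

```python
"""Hunting rules over exported file-inventory rows.

Added example, not the post's code. SCCM table names vary between
installations, so these rules run over rows you have already exported
(from your own SQL query, a CSV dump, or an $MFT file list) rather than
against a fixed schema. The FileRecord layout, IGNORE, NOW and every
sample row are constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class FileRecord(NamedTuple):
    host: str
    path: str             # directory the inventory recorded, trailing slash optional
    filename: str
    first_seen: datetime  # when the inventory first saw the file (UTC)


# Name shapes the post singles out: one-letter names and digit-only names
# (the latter also covers '1.rar' and the '[0-9][0-9][0-9].exe' query).
SINGLE_LETTER = re.compile(r"^[a-z]\.[a-z0-9]{1,4}$", re.I)
DIGITS_ONLY = re.compile(r"^\d+\.[a-z0-9]{1,4}$", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\(users|documents and settings)\\", re.I)

# Known-good (host, filename) pairs: stale records or sanctioned tooling.
IGNORE = {("ADMIN-JUMP01", "a.exe")}


def normalize_dir(path: str) -> str:
    """Lower-case, backslash-only directory with exactly one trailing backslash,
    so prefix tests do not confuse C:\\Windows\\ with C:\\Windows.old\\."""
    return path.replace("/", "\\").rstrip("\\").lower() + "\\"


def under_windows_recent(rec: FileRecord, now: datetime, hours: int = 8) -> bool:
    """Dropped under C:\\Windows within the last `hours` hours (future timestamps excluded)."""
    age = now - rec.first_seen
    in_window = timedelta(0) <= age <= timedelta(hours=hours)
    return normalize_dir(rec.path).startswith("c:\\windows\\") and in_window


def under_user_profile(rec: FileRecord) -> bool:
    """Anything under a user profile directory, on any drive letter."""
    return bool(USER_PROFILE.match(normalize_dir(rec.path)))


RULES = {
    "windows_recent": lambda rec, now: under_windows_recent(rec, now),
    "user_profile": lambda rec, now: under_user_profile(rec),
    "single_letter": lambda rec, now: bool(SINGLE_LETTER.match(rec.filename)),
    "digits_only": lambda rec, now: bool(DIGITS_ONLY.match(rec.filename)),
}


def hunt(records, now: datetime, ignore=IGNORE):
    """Apply every rule; return {rule: sorted ['host:path\\filename', ...]}.
    Records on the ignore list are dropped before any rule sees them."""
    hits = {name: [] for name in RULES}
    for rec in records:
        if (rec.host, rec.filename.lower()) in ignore:
            continue
        for name, rule in RULES.items():
            if rule(rec, now):
                hits[name].append(f"{rec.host}:{rec.path}{rec.filename}")
    return {name: sorted(found) for name, found in hits.items()}


# Constructed sample export: what a "files added in the last day" query might return.
NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    FileRecord("WKS-0420", "C:\\Windows\\Temp\\", "a.exe", NOW - timedelta(hours=1)),
    FileRecord("WKS-0420", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\", "1.rar", NOW - timedelta(hours=3)),
    FileRecord("SRV-FILE02", "C:\\Windows\\System32\\", "svchost.exe", NOW - timedelta(hours=30)),
    FileRecord("WKS-0777", "C:\\Users\\asmith\\Downloads\\", "123.exe", NOW - timedelta(hours=2)),
    FileRecord("ADMIN-JUMP01", "C:\\Tools\\", "a.exe", NOW - timedelta(hours=1)),
]


def demo():
    """Run the rules over the constructed export at the constructed time NOW."""
    return hunt(SAMPLE_ROWS, NOW)


if __name__ == "__main__":
    for rule, found in demo().items():
        print(f"{rule:15s} {len(found)} hit(s)")
        for item in found:
            print("   ", item)
```

The svchost.exe row shows why the time window matters: it sits under C:\Windows but was first seen 30 hours ago, so it stays out of the 8-hour report, and the ignore set keeps a sanctioned one-letter tool on the jump host from showing up every run.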

While SCCM obviously can’t be as flexible as a dedicated IR solution, it can give you an edge if you don’t have plans (or budget) to deploy something more IR-centric. Apart from the typical malware / hacking angle, it may also help you keep systems ‘clean’ for auditing purposes, discover malicious insiders, and perhaps even win a few brownie points from your management.