{"id":2834,"date":"2015-02-18T19:29:37","date_gmt":"2015-02-18T19:29:37","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2834"},"modified":"2018-12-15T00:51:31","modified_gmt":"2018-12-15T00:51:31","slug":"detecting-apt-remnants-in-mft","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/02\/18\/detecting-apt-remnants-in-mft\/","title":{"rendered":"Detecting APT remnants in $MFT"},"content":{"rendered":"<p><strong>Update 2018-12-15<\/strong><\/p>\n<p>This tool was an experiment; please do not use it anymore as it produces unreliable reports; the tool has not been updated for many years. Use modern AV\/EDR software instead. Thanks!<\/p>\n<p><strong>Old Post<\/strong><\/p>\n<p>In a post from 2012 I introduced a simple tool that <a title=\"$MFT scanning for fun and err\u2026 Flame\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/05\/31\/mft-scanning-for-fun-and-err-flame\/\">was scanning $MFT for traces of Flame<\/a>.<\/p>\n<p>Today I decided to update the list of file names the tool recognizes to include:<\/p>\n<ul>\n<li>the latest in many APT campaigns &#8211; credit goes to kbandla @ <a href=\"https:\/\/github.com\/kbandla\/APTnotes\/\">https:\/\/github.com\/kbandla\/APTnotes\/<\/a><\/li>\n<li>some tools typically used by hackers (their full and short file names)<\/li>\n<li>&#8216;stashed data&#8217; file names, e.g. &#8216;1.rar&#8217;<\/li>\n<li>other file names commonly used by hackers [lots of generic names]<\/li>\n<\/ul>\n<p>This is an experimental tool, so do not jump if you see something in RED (well, you should not anyway, cuz it could mean you got pwned).<\/p>\n<p>Just assess it and take it from there &#8211; look for the file names highlighted by HCD on your drive. If you can&#8217;t find them, use a forensic tool to export a full list of file names. p.s. 
I will add a feature to include full paths in future versions &#8211; the code is ready, but needs some more polishing.<\/p>\n<p>In any case, if you see something red you should probably look at your system anyway&#8230; If you find bugs or false positives, please let me know. Thanks.<\/p>\n<p>Download the tool from <a href=\"https:\/\/hexacorn.com\/download.php?f=hcd.exe\">here<\/a>.<\/p>\n<p><strong>Example:<\/strong><\/p>\n<p>HCD run on a system where the DoubleFantasy installer was executed previously; the system also contains various reversing tools, e.g. ollydbg.exe and bintext.exe:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/02\/pic1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-2840 size-medium\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/02\/pic1-300x203.png\" alt=\"pic\" width=\"300\" height=\"203\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/02\/pic1-300x203.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/02\/pic1.png 714w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Last, but not least, I am aware of some bugs, but better have something than nothing to fight clowns writing malware for governments&#8230;<\/p>\n<p><strong>What&#8217;s next?<\/strong><\/p>\n<p>If you suspect something &#8216;funny&#8217; you can use the following tools to extract a full file list from $MFT:<\/p>\n<ul>\n<li><a href=\"https:\/\/code.google.com\/p\/mft2csv\/downloads\/list\">mft2csv<\/a><\/li>\n<li>fls from <a href=\"http:\/\/www.sleuthkit.org\/sleuthkit\/download.php\">The Sleuth Kit<\/a><\/li>\n<li><a href=\"http:\/\/accessdata.com\/product-download\/digital-forensics\">FTK Imager<\/a><\/li>\n<\/ul>\n<p>Another way to test your system is by running <a href=\"https:\/\/github.com\/Neo23x0\/Loki\">LOKI<\/a> by\u00a0Florian Roth &#8211; a tool that scans your system for IOCs (Indicators Of Compromise) for many well-known APT 
campaigns.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2018-12-15 This tool was an experiment; please do not use it anymore as it produces unreliable reports; the tool has not been updated for many years. Use modern AV\/EDR software instead. Thanks! Old Post In a post from 2012 &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/02\/18\/detecting-apt-remnants-in-mft\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[15,19,24,9,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2834"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2834"}],"version-history":[{"count":9,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2834\/revisions"}],"predecessor-version":[{"id":5673,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2834\/revisions\/5673"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2834"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}