Find Evil in 5 Easy Steps – Part2

In Part 1 we covered Loki, Logparser and DeepBlueCLI for analyzing offline forensic artifacts to pick off the low-hanging fruit most threat actors leave behind. Part 2 focuses on KAPE and Windows Registry analysis.

4. Parse all the things with KAPE!

KAPE is a free tool which helps DFIR analysts collect evidence from live endpoints and analyze it. Fortunately, these two functions are independent, so you can use KAPE for offline analysis of artifacts collected with any forensically sound tool. As in Part 1, we assume you have a collection of evidence from a victim endpoint which contains file system artifacts (e.g. $MFT, event logs, registry hives). KAPE provides a command line version and a GUI version, and the GUI helps new users learn the command line syntax.

We will start by launching gKAPE.exe (the GUI version) and telling it we don’t want to collect new data (target options, on the left); we only want to use the analysis mode (module options, on the right).

For “Module source” provide a path to your forensic collection (e.g. C:\temp\cases\inc1234\files\C)

For “Module destination” provide a path to the location where you would like the output files to be written (e.g. C:\temp\cases\inc123).

Next we will select several modules for parsing the registry, prefetch, amcache, etc. You can quickly filter the 100+ modules to find the ones that interest you. One quick way to focus on modules usable against offline collections is to filter out everything whose Folder or Category is “Live Response.” To access the advanced filtering menu, click the “ABC” icon in the top row, select “Does not contain” and type “live”. Repeat for both columns.

While browsing the available modules, double-clicking any of them opens a dialog explaining what the module does. The author of KAPE (Eric Zimmerman) helpfully put all his parsers in one compound module (although some of them are duplicated in other modules). For today’s purposes we will select his modules in bulk by checking the box next to “!EZParser”.

At this point we are ready to kick off the simplest job for parsing tons of important data. The GUI helpfully shows the equivalent command line at the bottom of the dialog box, so you can copy/paste that into CMD or simply click “Execute”.


This will run each of the following Eric Zimmerman parsers against your entire collection and write CSV output for each of them, grouped by category. The parsers are as follows:

  • AmcacheParser
  • AppCompatCacheParser
  • EvtxECmd
  • JLECmd
  • LECmd
  • PECmd
  • RBCmd
  • SBECmd
  • RecentFileCacheParser
  • RECmd
  • WxTCmd
  • MFTECmd

KAPE will create a folder structure within the destination directory you specified above, with one folder per module category, and drop each parser’s CSV files into the matching folder.

KAPE provides a ton more options and is extensible with your own tools/code. I will cover more on that in a future post. For now, let’s pause here. Now that we have extracted tons of human-friendly data from our collection, let’s set it aside for later use.

5. Registry Searching Cheats

The buzzword “fileless malware” has gained traction in the last five years as threat actors have come to rely more heavily on “living off the land” and minimizing their footprint on disk. In addition to using native OS commands, many threat actors use the registry for code configuration, credentials, persistence, and even to store shellcode.

With a few quick RECmd queries we can cover several of these techniques. RECmd is Eric Zimmerman’s standalone command line tool for forensic registry analysis. It is closely tied to Registry Explorer, his graphical interface for deeper analysis of the same hives.

Since you know how to read help menus, I’ll spare you the background, provided you promise to run RECmd.exe /? and read the instructions. Since this is a “Tips and Tricks” blog, I’ll cut straight to the sweet, sweet commands:

#Query a user's NTUSER.DAT (HKCU) for value names that reference exes in suspicious locations:

RECmd.exe --f  "C:\Temp\Cases\inc123\files\C\users\user1\NTUSER.DAT" --regex --sv "(\\programdata\\.+\.exe|\\temp\\.+\.exe|\\users\\.+\.exe)"

This works nicely for a single hive (using the --f option). Note that --sv only matches value names; --sk matches key names, --sd matches value data and --sa matches all three. RECmd also lets us run the same query against our WHOLE collection: point --d at the collection directory and it finds all the relevant hives and parses them. Let’s switch to --sa so we also catch paths stored in value data (Run keys, for example), and add some additional file extensions which are often suspicious!

#Query the entire collection for registry records of executables and scripts in suspicious locations.
# Adjust the list of extensions to suit your needs; some of them (lnk, htm, js) can be very noisy.

RECmd.exe --d  "C:\Temp\Cases\inc123\files\C" --regex --sa "(\\programdata\\.+\.|\\temp\\.+\.|\\users\\.+\.)(exe|bat|lnk|ps1|cmd|com|vbs|js|jse|wsh|mht|htm|hta|vba|vbe|scr|cpl|msc|jar|vb|reg)"

Finally, we want to search all our registry artifacts for encoded and/or oversized data values. These can indicate that shellcode or an encoded payload has been stashed in the registry. RECmd makes quick work of this with the following queries:

#Find base64-encoded data values larger than 10,000 bytes (about 10 KB) in all registry artifacts
RECmd.exe --d  "C:\Temp\Cases\inc123\files\C"  --Base64 10000

#Find any data values larger than 100,000 bytes (about 100 KB) in all registry artifacts
RECmd.exe --d  "C:\Temp\Cases\inc123\files\C"  --MinSize 100000

If any suspicious items are detected, you can use the CSV files you created earlier and/or Registry Explorer to examine them further (the key’s last write timestamp is usually the first thing to pivot on).
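The same three hunts can be re-run, and tuned, against the registry CSV that KAPE’s !EZParser (RECmd in batch mode) wrote in step 4, without touching RECmd again. The script below is an added example for this post, not code from the original post or from Eric Zimmerman’s tools. It assumes the RECmd batch CSV column names HivePath, KeyPath, ValueName, ValueType and ValueData, and that RECmd renders REG_BINARY data as “AA-BB-CC” hex pairs; adjust those if your build differs. The base64 test is a simple shape-and-decode heuristic, not RECmd’s implementation, and the sample rows are constructed, not real evidence.

```python
"""Apply the three RECmd registry hunts above to RECmd batch CSV output (added example)."""
import base64
import binascii
import csv
import io
import re
from collections import namedtuple

# Oversized blobs are exactly what we hunt for, and Python's csv module rejects fields
# over 128 KB by default, so raise the limit (2**31-1 is safe on every platform).
csv.field_size_limit(2**31 - 1)

# Same pattern as the --sa query above; registry paths are case-insensitive, so the match is too.
SUSPICIOUS_PATH = re.compile(
    r"(\\programdata\\.+\.|\\temp\\.+\.|\\users\\.+\.)"
    r"(exe|bat|lnk|ps1|cmd|com|vbs|js|jse|wsh|mht|htm|hta|vba|vbe|scr|cpl|msc|jar|vb|reg)",
    re.IGNORECASE,
)
BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
STRING_TYPES = {"RegSz", "RegExpandSz", "RegMultiSz"}
Hit = namedtuple("Hit", "rule hive key value_name detail")  # rule: suspicious_path|base64|oversized


def parse_recmd_csv(text):
    """Assumed RECmd batch layout: HivePath, KeyPath, ValueName, ValueType, ValueData columns."""
    return list(csv.DictReader(io.StringIO(text)))


def data_size_bytes(row):
    """Approximate raw size: REG_BINARY is rendered as 'AA-BB' hex pairs; strings are UTF-16 on disk."""
    data = row.get("ValueData") or ""
    if row.get("ValueType") == "RegBinary":
        return sum(1 for pair in data.split("-") if pair)
    return 2 * len(data) if row.get("ValueType") in STRING_TYPES else len(data)


def looks_base64(data, min_chars):
    """Heuristic stand-in for --Base64: base64 alphabet, plausible length, decodes cleanly."""
    data = data.strip()
    if len(data) < min_chars or len(data) % 4 or not BASE64_SHAPE.fullmatch(data):
        return False
    try:
        base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def check_suspicious_paths(rows, pattern=SUSPICIOUS_PATH):
    """Like --sa: search key path, value name and value data (one hit per value)."""
    hits = []
    for row in rows:
        for field in ("KeyPath", "ValueName", "ValueData"):
            match = pattern.search(row.get(field) or "")
            if match:
                hits.append(Hit("suspicious_path", row["HivePath"], row["KeyPath"],
                                row["ValueName"], f"{field}: {match.group(0)}"))
                break
    return hits


def check_base64(rows, min_chars=10_000):
    """Like --Base64 <size>: value data that is one long base64 string."""
    return [Hit("base64", r["HivePath"], r["KeyPath"], r["ValueName"], f"{len(r['ValueData'])} base64 chars")
            for r in rows if looks_base64(r.get("ValueData") or "", min_chars)]


def check_oversized(rows, min_bytes=100_000):
    """Like --MinSize <size>: value data at least min_bytes long."""
    return [Hit("oversized", r["HivePath"], r["KeyPath"], r["ValueName"], f"{data_size_bytes(r)} bytes")
            for r in rows if data_size_bytes(r) >= min_bytes]


def triage(csv_text, base64_min_chars=10_000, size_min_bytes=100_000):
    """Run all three hunts over one RECmd CSV and return the hits."""
    rows = parse_recmd_csv(csv_text)
    return (check_suspicious_paths(rows) + check_base64(rows, base64_min_chars)
            + check_oversized(rows, size_min_bytes))


def sample_csv():
    """Constructed rows (not real evidence) using only the columns the checks read."""
    ntuser = r"C:\Temp\Cases\inc123\files\C\Users\user1\NTUSER.DAT"
    software = r"C:\Temp\Cases\inc123\files\C\Windows\System32\config\SOFTWARE"
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    mui = r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache"
    b64_blob = base64.b64encode(b"powershell -nop -w hidden -e " + b"A" * 12_000).decode()
    bin_blob = "-".join(["90"] * 120_000)  # 120,000 bytes rendered as hex pairs
    rows = [
        (ntuser, run, "OneDrive", "RegSz", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
        (ntuser, run, "Updater", "RegSz", r"C:\Users\user1\AppData\Roaming\svc\updater.exe"),
        (ntuser, mui, r"C:\ProgramData\tools\run.exe.FriendlyAppName", "RegSz", "run"),
        (ntuser, r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU", "a", "RegSz", r"C:\Temp\stage\loader.hta\1"),
        (software, r"Classes\AppConfig", "Payload", "RegSz", b64_blob),
        (software, r"Classes\AppConfig", "Blob", "RegBinary", bin_blob),
    ]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["HivePath", "KeyPath", "ValueName", "ValueType", "ValueData", "LastWriteTimestamp"])
    for hive, key, name, vtype, data in rows:
        writer.writerow([hive, key, name, vtype, data, "2023-03-01 10:00:00"])
    return out.getvalue()


if __name__ == "__main__":
    for hit in triage(sample_csv()):
        print(f"[{hit.rule}] {hit.hive} {hit.key}\\{hit.value_name} -> {hit.detail}")
```

Against a real collection, feed it the registry CSV from the KAPE destination folder, e.g. `triage(open(path, encoding="utf-8-sig").read())` (utf-8-sig swallows a BOM if one is present). The sample rows show why --sa matters: the Updater entry is only caught through value data, while the MuiCache entry is only caught through its value name. The hit list is deliberately one entry per value; pivot into the CSV or Registry Explorer for the surrounding key and its last write time.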

With these 5 steps you can triage most security incidents where you have been handed an offline collection of evidence from a modern Windows system. Most attackers are loud and leave a large footprint. These steps will help you find those footprints more quickly and decide whether additional investigation is needed.

What are some things I should have included? Leave comments with your thoughts or your approach to triaging security incidents.
