Created: 03.06.2023

*There are a lot of techniques to become persistent on a Windows machine. You can refer to the persistence and escalation mechanisms article or look them up on the MITRE website. Although it's important to know the artefacts themselves and the technique, it would be hard to collect them all manually.*

Windows

To collect autorun artefacts on Windows, run the following command:

autorunsc -v [options] > result.csv

Run a tool that collects all the artefacts for this OS (for example, autorunsc.exe for Windows) on the machines in question. I use CSV as the output format whenever possible because it can be imported into a SIEM, Timeline Explorer (Windows) or Numbers/Excel/Google Sheets. I prefer the last option because its pivoting functionality is much easier to use.

  1. Open each file (if there are not too many)
    1. Filter for untrusted or missing vendors. Vendor names such as Google and Firefox might be used to trick the user; such an entry would look like `(Not verified) Firefox`.
    2. Show only the enabled entries (if applicable)
    3. Look at the image path, and use the SANS FindEvil poster or your baseline system profile as a reference for known good to find what's bad
    4. Look at the hashes and check them against known-good.
    5. Check with a supernova; Google the Publisher and Description fields
    6. Frequency analysis. What stands out? (see the following sections). Find possibly suspicious or malicious things.
    7. Check the triage files from other machines for the same IoCs (Select-String, grep etc.).
  2. Stacking (frequency-based outlier analysis): what stands out? (see the following sections)

🗒 If the file doesn’t have an image path (File not found), it’s likely it was moved/deleted and thus is not an active threat.

What’s suspicious?

  • Non-system executables (for example OneDrive) located in the System32 directory (Windows), outside Applications (macOS) or outside /opt (Linux).
  • Files with meaningless names, often a single letter or digit, such as 1.bat, 2.exe or a.exe.
  • Be especially careful with drivers/daemons, since they have the most power.
  • WMI entries are also worth checking (Windows only).
  • Executables and scripts in a temp directory.
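The checks above, as an added example that is not part of the original post: a small Python triage pass over an Autorunsc CSV export that flags entries by unverified signer, non-Microsoft-signed binaries in a system directory, one-character file names, temp-directory paths, WMI entry locations and the Drivers category, and deprioritises "File not found" rows as the note above suggests. The CSV sample is constructed for the example and keeps only a subset of the real Autorunsc columns; the column names and the "(Verified)"/"(Not verified)" signer prefixes are assumptions about the export format.

```python
import csv
import io
import ntpath
import re

# Constructed sample in the shape of an Autorunsc CSV export (-c -h -s). Only a
# subset of the real columns is kept and every value is made up for the example.
# Real exports are often UTF-16 encoded: decode them before handing them to csv.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String,MD5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,(Not verified) Microsoft Corporation,c:\windows\system32\onedrive.exe,C:\Windows\System32\OneDrive.exe,bbbb
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,a,enabled,Logon,(Not verified) ,c:\users\bob\appdata\local\temp\a.exe,C:\Users\bob\AppData\Local\Temp\a.exe,cccc
Task Scheduler,\Updater,disabled,Tasks,(Not verified) ,File not found: C:\ProgramData\upd.exe,C:\ProgramData\upd.exe,
WMI\root\subscription,SyncConsumer,enabled,WMI,(Not verified) ,c:\users\public\sync.vbs,wscript.exe C:\Users\Public\sync.vbs,dddd
HKLM\System\CurrentControlSet\Services,hwmon,enabled,Drivers,(Not verified) Acme Devices,c:\windows\system32\drivers\hwmon.sys,System32\drivers\hwmon.sys,eeee
"""

# Where only Microsoft-signed binaries are expected (lower-cased, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments that identify a temp directory.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
# One letter or digit plus an executable/script extension, e.g. 1.bat, a.exe.
MEANINGLESS_NAME = re.compile(r"^[a-z0-9]\.(exe|dll|bat|cmd|ps1|vbs|js)$", re.I)


def suspicious_reasons(row):
    """Return the heuristic hits for one Autorunsc row (empty list = nothing odd)."""
    image = row["Image Path"].strip().lower()
    signer = row["Signer"].strip()
    # Binary no longer on disk: the entry is most likely stale, not an active threat.
    if image.startswith("file not found"):
        return []
    reasons = []
    if not signer.startswith("(Verified)"):
        reasons.append("unverified signer")
    if image.startswith(SYSTEM_DIRS) and not signer.startswith("(Verified) Microsoft"):
        reasons.append("non-Microsoft-signed binary in a system directory")
    if MEANINGLESS_NAME.match(ntpath.basename(image)):
        reasons.append("meaningless one-character file name")
    if any(marker in image for marker in TEMP_MARKERS):
        reasons.append("runs from a temp directory")
    if row["Entry Location"].upper().startswith("WMI"):
        reasons.append("WMI persistence entry")
    if row["Category"].lower() == "drivers":
        reasons.append("driver: runs with kernel privileges")
    return reasons


def triage(csv_text, enabled_only=False):
    """Map Entry -> reasons for every row that trips at least one check."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if enabled_only and row["Enabled"].strip().lower() != "enabled":
            continue
        reasons = suspicious_reasons(row)
        if reasons:
            hits[row["Entry"]] = reasons
    return hits


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_CSV).items():
        print(f"{entry}: {', '.join(reasons)}")
```

The heuristics are deliberately coarse: they rank entries for a human to look at (a.exe in a temp directory trips three checks, a verified Microsoft binary trips none), they do not decide maliciousness, and the "(Verified) Microsoft" prefix test only matters if autorunsc was run with signature verification.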

Kansa PowerShell script Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1.

<#
.SYNOPSIS
Get-ASEPImagePathLaunchStringStack.ps1
Requires logparser.exe in path

Pulls frequency of autoruns based on ImagePath, LaunchString and MD5 tuple
where the publisher is not verified (unsigned code) and the ImagePath is
not 'File not found'

This script expects files matching the *autorunsc.csv pattern to be in the
current working directory.
.NOTES
DATADIR Autorunsc
#>

# SilentlyContinue keeps Get-Command from printing its own error when
# logparser.exe is missing; the else branch reports it instead.
if (Get-Command LogParser.exe -ErrorAction SilentlyContinue) {
    # Count rows per (Image Path, Launch String, MD5, Signer) tuple across all
    # *autorunsc.csv files, keep only unverified signers and binaries that still
    # exist on disk, and list the rarest tuples first.
    $lpquery = @"
    SELECT
        COUNT([Image Path], [Launch String], MD5) as ct,
        [Image Path],
        [Launch String],
        MD5,
        Signer
    FROM
        *autorunsc.csv
    WHERE
        Signer not like '(Verified)%' and
        ([Image Path] not like 'File not found%')
    GROUP BY
        [Image Path],
        [Launch String],
        MD5,
        Signer
    ORDER BY
        ct ASC
"@

    # -dtlines:0 disables type detection so every column is read as text.
    & logparser -stats:off -i:csv -dtlines:0 -o:csv "$lpquery"

} else {
    $ScriptName = [System.IO.Path]::GetFileName($MyInvocation.ScriptName)
    "${ScriptName} requires logparser.exe in the path."
}

Logparser needs to be installed for it to run. Run this script in the directory with the *-Autorunsc.csv files. It will merge all the info into one output. Perform frequency analysis against this consolidated data and note anything that runs on one system only (sort or filter by the ct column). Once the processes of interest have been identified, run the following PowerShell command to see which machine the process was found on:

Select-String "processname" *-Autorunsc.csv

There is also a Get-LogparserStack.ps1 script which is more general and allows you to parse and merge different logs so long as they have the same structure.

.\Get-LogparserStack.ps1 -FilePattern *SvcAll.csv -Delimiter "," -Direction asc -OutFile SvcAll-workstation-stack.csv

You will be asked to "Enter the field to pass to COUNT()". This needs to be a column that identifies the process uniquely, not the row! For example, the process name. Then you will be prompted to "Enter the fields you want to GROUP BY, one per line. Enter "quit" when finished." You can group by any column and also combine several of them. For example, group by Name, DisplayName and Path (for some process logs) or by IP and user id for some application logs.

When you specify columns to group by using the "GROUP BY" option in the script, Log Parser will group all log entries that have the same value for the specified columns into a single group. The script then calculates the number of hits and bytes transferred for each group.

You’ll see the columns specified as GROUP BY options in the output. So, for example, in the case of some accesslogs.txt files, we can group by method, URL and HTTP status code returned. That means the script will group all entries where the method, URL and status code are the same, then calculate the number of entries there and then list the aggregated results. It’s something like pivot tables in Excel or Numbers.

See more here - https://trustedsignal.blogspot.com/2015/03/kansa-get-logparserstackps1.html.

When the entries of interest are found, use Select-String <full-or-partial-entry-name> *.csv in the folder with all the CSV files to find the machines with the suspicious artefact.
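The stacking query and the Select-String pivot together, as an added Python example that is not part of the post or of Kansa, for hosts where LogParser is not available: it merges several per-host CSV exports, applies the same filter as the LogParser query (signer not "(Verified)…", image path not "File not found…"), groups by the Image Path / Launch String / MD5 / Signer tuple, sorts rarest first, and records which hosts each tuple came from. The three host files are constructed for the example and keep only a subset of Autorunsc's columns; the host names, the column set and the signer prefixes are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-ins for <host>-Autorunsc.csv files (subset of the real
# Autorunsc columns, made-up values). Real exports are often UTF-16 encoded:
# decode them (encoding="utf-16") before passing the text to csv.
HOST_FILES = {
    "WS01": r"""Entry,Signer,Image Path,Launch String,MD5
SecurityHealth,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa
Updater,(Not verified) Contoso Ltd,c:\program files\contoso\updater.exe,C:\Program Files\Contoso\updater.exe /silent,1111
OldTool,(Not verified) ,File not found: C:\Tools\old.exe,C:\Tools\old.exe,
""",
    "WS02": r"""Entry,Signer,Image Path,Launch String,MD5
SecurityHealth,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa
Updater,(Not verified) Contoso Ltd,c:\program files\contoso\updater.exe,C:\Program Files\Contoso\updater.exe /silent,1111
svc,(Not verified) ,c:\users\public\svc.exe,C:\Users\Public\svc.exe,2222
""",
    "WS03": r"""Entry,Signer,Image Path,Launch String,MD5
SecurityHealth,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa
Updater,(Not verified) Contoso Ltd,c:\program files\contoso\updater.exe,C:\Program Files\Contoso\updater.exe /silent,3333
""",
}

# Same grouping tuple as the Kansa LogParser query.
STACK_KEY = ("Image Path", "Launch String", "MD5", "Signer")


def load_rows(host_files):
    """Parse every host's CSV text and tag each row with the host it came from."""
    rows = []
    for host, text in host_files.items():
        for row in csv.DictReader(io.StringIO(text)):
            row["Host"] = host
            rows.append(row)
    return rows


def keep_row(row):
    """The WHERE clause of the query: unverified signer and a binary that exists."""
    return (not row["Signer"].startswith("(Verified)")
            and not row["Image Path"].startswith("File not found"))


def stack(rows, key=STACK_KEY):
    """Group rows by the key tuple, count them, list the hosts; rarest first."""
    groups = defaultdict(list)
    for row in rows:
        if keep_row(row):
            groups[tuple(row[k] for k in key)].append(row["Host"])
    result = [{"ct": len(hosts), **dict(zip(key, k)), "hosts": sorted(set(hosts))}
              for k, hosts in groups.items()]
    # ct ASC as in the query; the secondary keys only make the order deterministic.
    result.sort(key=lambda r: (r["ct"], r["Image Path"], r["MD5"]))
    return result


def hosts_with(rows, needle):
    """Equivalent of Select-String "<needle>" *-Autorunsc.csv: hosts whose rows mention it."""
    needle = needle.lower()
    return sorted({row["Host"] for row in rows
                   if any(needle in str(v).lower() for v in row.values())})


if __name__ == "__main__":
    all_rows = load_rows(HOST_FILES)
    for r in stack(all_rows):
        print(r["ct"], r["Image Path"], r["MD5"], r["hosts"])
    print("updater.exe seen on:", hosts_with(all_rows, "updater.exe"))
```

In the constructed data the Contoso updater is present on all three hosts but carries a different hash on WS03, so it stacks as two tuples (ct 2 and ct 1); grouping by the hash alongside the path is what surfaces a replaced binary that a name-only count would hide. The public-directory svc.exe likewise shows up as a single-host outlier, and the "File not found" and verified Microsoft rows are dropped before counting, exactly as the LogParser query does.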
