Approach
Run a tool to collect all the artefacts for this OS (for example, autorunsc.exe for Windows) on the machines in question. Whenever possible, I use CSV format as output because it can be imported either into a SIEM, Timeline Explorer (Windows) or Numbers/Excel/Google Sheets. I prefer the last option because of its pivoting functionality, and it is much easier to deploy.
- Open each file (if there are not too many).
- Filter for untrusted or missing vendors. Vendor names such as Google and Firefox can be used to trick the user; such an entry would look like `(Not verified) Firefox`.
- Show only the enabled entries (if applicable).
- Look at the image path, and use the SANS FindEvil poster or your baseline system profile as a reference for known good to find what's bad.
- Look at the hashes and check them against known-good.
- Check with a supernova; Google the Publisher and Description.
- Frequency analysis. What stands out? (see the following sections). Find possible suspicious or malicious things.
- Check the triage files from other machines for the same IoCs (`Select-String`, `grep`, etc.).
- Stacking (frequency-based outlier analysis). What stands out? (see the following sections)
- If the entry doesn't have an image path (File not found), the file was likely moved or deleted and thus is not an active threat.
Suspicious Things (Windows)
- Non-system executables like OneDrive in the `System32` directory (Windows), or not in `Applications` (macOS) or `/opt` (Linux).
- Files with meaningless names, usually one letter or one digit, like `1.bat`, `2.exe` or `a.exe`.
- Be especially careful with drivers/daemons since they have the most power.
- WMI entries are also worth checking (Windows only).
- Executables and scripts in a temp directory.
Windows
Kansa PowerShell script `Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1`:

```powershell
<#
.SYNOPSIS
Get-ASEPImagePathLaunchStringStack.ps1
Requires logparser.exe in path
Pulls frequency of autoruns based on ImagePath, LaunchString and MD5 tuple
where the publisher is not verified (unsigned code) and the ImagePath is
not 'File not found'
This script expects files matching the *autorunsc.csv pattern to be in the
current working directory.
.NOTES
DATADIR Autorunsc
#>
# -ErrorAction SilentlyContinue keeps Get-Command from printing an error
# when logparser.exe is absent; the else branch reports it instead.
if (Get-Command LogParser.exe -ErrorAction SilentlyContinue) {
    # Stack every unsigned, still-present autorun across all hosts' CSVs;
    # the rarest tuples (lowest ct) are listed first.
    $lpquery = @"
    SELECT
        COUNT([Image Path], [Launch String], MD5) as ct,
        [Image Path],
        [Launch String],
        MD5,
        Signer
    FROM
        *autorunsc.csv
    WHERE
        Signer not like '(Verified)%' and
        ([Image Path] not like 'File not found%')
    GROUP BY
        [Image Path],
        [Launch String],
        MD5,
        Signer
    ORDER BY
        ct ASC
"@
    & logparser -stats:off -i:csv -dtlines:0 -o:csv "$lpquery"
} else {
    $ScriptName = [System.IO.Path]::GetFileName($MyInvocation.ScriptName)
    "${ScriptName} requires logparser.exe in the path."
}
```
Logparser needs to be installed for it to run. Run this script in the directory with the `*-Autorunsc.csv` files. It will merge all the info into one file. Perform frequency analysis against this consolidated data and note anything run on one system only (sort or filter by the `ct` column). Once the processes of interest have been identified, use `Select-String` in PowerShell to see which machine this process was run on:

```powershell
Select-String "processname" *-Autorunsc.csv
```
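As an added example (not part of this page or of Kansa), the same stacking done in Python for the case where LogParser is not available: it applies the script's WHERE clause to several hosts' exports, counts each (Image Path, Launch String, MD5, Signer) tuple, and records which hosts carry it, which also covers the Select-String step. The hostnames and CSV rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-ins for three *-Autorunsc.csv exports (hostname -> CSV text).
# Real Autoruns CSVs have more columns; only these header names are used here.
SAMPLE_FILES = {
    "WS01": "Image Path,Launch String,MD5,Signer\n"
            "C:\\Program Files\\App\\app.exe,app.exe,aaa,(Not verified) Vendor\n"
            "C:\\Windows\\System32\\a.exe,a.exe,111,(Not verified) Firefox\n"
            "C:\\Windows\\System32\\svchost.exe,svchost.exe -k,222,(Verified) Microsoft Windows\n",
    "WS02": "Image Path,Launch String,MD5,Signer\n"
            "C:\\Program Files\\App\\app.exe,app.exe,aaa,(Not verified) Vendor\n"
            "File not found: C:\\Temp\\old.exe,old.exe,,\n",
    "WS03": "Image Path,Launch String,MD5,Signer\n"
            "C:\\Program Files\\App\\app.exe,app.exe,aaa,(Not verified) Vendor\n",
}


def is_candidate(row):
    """Mirror the Kansa WHERE clause: not '(Verified)' and image still on disk."""
    signer = row.get("Signer") or ""
    path = row.get("Image Path") or ""
    return not signer.startswith("(Verified)") and not path.startswith("File not found")


def stack_autoruns(files):
    """Group candidate rows by (Image Path, Launch String, MD5, Signer).

    Returns dicts sorted by row count ascending (rarest first, like ORDER BY ct ASC),
    each carrying the sorted list of hosts on which the tuple was seen.
    """
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for host, text in files.items():
        for row in csv.DictReader(io.StringIO(text)):
            if is_candidate(row):
                key = (row["Image Path"], row["Launch String"], row["MD5"], row["Signer"])
                counts[key] += 1
                hosts[key].add(host)
    rows = [{"ct": counts[k], "key": k, "hosts": sorted(hosts[k])} for k in counts]
    return sorted(rows, key=lambda r: (r["ct"], r["key"]))


def outliers(files, max_hosts=1):
    """Tuples present on at most max_hosts machines: the ones to examine first."""
    return [r for r in stack_autoruns(files) if len(r["hosts"]) <= max_hosts]


if __name__ == "__main__":
    for r in stack_autoruns(SAMPLE_FILES):
        print(r["ct"], r["hosts"], r["key"])
```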
There is also a `Get-LogparserStack.ps1` script which is more general and allows you to parse and merge different logs so long as they have the same structure.

```powershell
.\Get-LogparserStack.ps1 -FilePattern *SvcAll.csv -Delimiter "," -Direction asc -OutFile SvcAll-workstation-stack.csv
```
You will be asked to `Enter the field to pass to COUNT()`. This needs to be a column that identifies the process uniquely, not the row! For example, the process name. Then you will be prompted to `Enter the fields you want to GROUP BY, one per line. Enter "quit" when finished`. You can group by any column and also combine several of them. For example, group by Name, DisplayName and Path (for some process logs) or by IP and user id for some application logs.
When you specify columns to group by using the GROUP BY option in the script, Log Parser groups all log entries that have the same values in the specified columns into a single group, and the script then counts the entries in each group.
You'll see the columns specified as GROUP BY options in the output. So, for example, in the case of some `accesslogs.txt` files, we can group by method, URL and HTTP status code returned. That means the script will group all entries where the method, URL and status code are the same, count the entries in each group and then list the aggregated results. It's something like pivot tables in Excel or Numbers.
See more here: https://trustedsignal.blogspot.com/2015/03/kansa-get-logparserstackps1.html.
When the entries of interest are found, use `Select-String <full-or-partial-entry-name>` in the folder with all the CSV files to find the machines with the suspicious artefact.