Links
Plugin Update
Thanks to input (and a couple of hives) from two co-workers yesterday, I was able to update the appcompatcache.pl RegRipper plugin to work correctly with Windows 10 systems. In one case, the hive I was testing was reportedly from a Surface tablet.
Last year, Eric documented the changes that he'd observed in the structure format for Windows 10; they appear to be similar to Windows 8.1.
Something interesting that I ran across was similar to the last two images in Eric's blog post; specifically, the odd entries that appeared similar in format to (will appear wrapped):
00000000 0004000300030000 000a000028000000 014c 9E2F88E3.Twitter wgeqdkkx372wm
If you look closely at the entries in the images from Eric's blog, you'll see that the time stamp reads "12/31/1600 5:00:00pm -0700". Looking at the raw data for one of the examples I had available indicated that the 64-bit time stamp was "00 09 00 00 00 00 00 00". The entry at the offset should be a 64-bit FILETIME object, but for some reason with the oddly-formatted entries, what should be the time stamp field is...something else. Eric's post is from April 2015 (almost a year ago) and as yet, there doesn't appear to have been any additional research conducted as to what these entries refer to.
For the appcompatcache.pl plugin, the time stamp is not included in the output if it's essentially 0. For the appcompatcache_tln.pl plugin, the "0" time stamp value is still included in TLN output, so you'll likely have a few entries clustered at 1 Jan 1970.
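As an added illustration (not part of the post or of RegRipper itself), the following Python decodes the eight bytes quoted above as a FILETIME and shows why a viewer displays them as 12/31/1600 5:00pm -0700, why the value counts as "essentially 0", and why a TLN line for such an entry lands on 1 Jan 1970. The threshold used for "essentially zero", the local-offset display helper, and the TLN-style formatter are my own assumptions, not the plugin's code.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds from the FILETIME epoch (1601-01-01) to the Unix epoch (1970-01-01)
EPOCH_DIFF_SECONDS = 11644473600

# Constructed sample: the raw time stamp bytes quoted in the post, as they sit on disk
ODD_TIMESTAMP = bytes.fromhex("0009000000000000")


def filetime_from_bytes(raw: bytes) -> int:
    """Decode a little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_datetime(ft: int) -> datetime:
    """Ticks -> aware UTC datetime (sub-microsecond remainder is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def local_display(ft: int, utc_offset_hours: int) -> str:
    """Render the way a viewer set to a fixed UTC offset would (assumed format)."""
    dt = filetime_to_datetime(ft).astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return f"{dt.month:02d}/{dt.day:02d}/{dt.year} {dt.hour:02d}:{dt.minute:02d}:{dt.second:02d}"


def is_essentially_zero(ft: int, threshold_seconds: int = 1) -> bool:
    """Assumed rule: anything less than a second past the 1601 epoch is treated as 0."""
    return ft < threshold_seconds * 10_000_000


def filetime_to_unix(ft: int) -> int:
    """Unix seconds; anything before 1970 is clamped to 0, i.e. 1 Jan 1970 in TLN."""
    secs = ft // 10_000_000 - EPOCH_DIFF_SECONDS
    return secs if secs > 0 else 0


def tln_line(ft: int, description: str, system: str = "", user: str = "") -> str:
    """Five-field TLN layout (time|source|system|user|description), source 'REG' assumed."""
    return f"{filetime_to_unix(ft)}|REG|{system}|{user}|{description}"


if __name__ == "__main__":
    ft = filetime_from_bytes(ODD_TIMESTAMP)
    print(hex(ft), local_display(ft, -7), is_essentially_zero(ft))
    print(tln_line(ft, "AppCompatCache - 9E2F88E3.Twitter (constructed sample)"))
```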
Hunting for Executable Code in Windows Environments
I ran across this interesting blog post this morning. What struck me most about it is that it's another means for "hunting" in a Windows environment that looks to processes executing on the endpoint.
This tool, PECapture (runs as a GUI or a service), captures a copy of the executable, as well as the execution time stamp and a hash.
I have to say that as much as I think this is a great idea, it doesn't appear to capture the full command line, which I've found to be very valuable. Let's say an adversary is staging the data that was found for exfil, and uses a tool like WinRAR; capturing the command line would also allow you to capture the password they use. In a situation like that, I don't need a copy of rar.exe (or whatever it's been named to...), but I do need the full command line.
I think that for the time being, I'll continue using Sysmon, but I add that if you're doing malware testing, having both Sysmon and PECapture running on your test system might be a very good idea. One of the things that some malware will do is run intermediate, non-native executables, which are then deleted after use, so having the ability to capture a copy of the executable would be very useful.
I do think that it's interesting that this tool is yet another that does part of what Carbon Black does...
Yet Another "From the Trenches"
I had to dig back further into the vault for one of my first "consulting" gigs...
Years and years ago (I should've started, "Once, in a galaxy far, far away...."), while I was still on active duty, I applied for and was able to attend the Naval Postgraduate School. While preparing to conduct testing and data collection for my master's thesis, I set up a small network in an unused room; the network consisted of a 10-Base2 network (server, two workstations) connected to a 10-BaseT network (server, 2 workstations), connected to Cisco routers, and the entire thing was connected to the campus 10-Base5 backbone via a "vampire" tap. The network servers were Windows NT 3.51, and the workstations were all Windows 95, running on older systems that I'd repurposed; I had spent considerable time searching the MS KnowledgeBase, just to get information on how to set up Win95 on most of the systems.
For me, the value of setting up this network was what I learned. If you looked at the curriculum for the school at the time, you could find six classes on "networking", spread across three departments...none of which actually taught students to set up a network. So for me, this was invaluable experience.
While I was processing out of the military, I spent eight months just hanging around the Marine Detachment at DLI. I was just a "floater" officer, and spent most of my time just making the Marines nervous. However, I did end up with a task...the Marine Commandant, Gen Krulak, had made the statement that Marines were authorized to play "Marine DOOM", which was essentially a Marine-specific WAD for DOOM. So, in the spring of '97, the Marine Det had purchased six Gateway computer systems, and had them linked together via a 10BaseT network (the game ran on a network protocol called "IPX"). The systems were all set up on a circular credenza-type desk, with six individual stations separated by partitions. I'd come back from exercising during lunch and see half a dozen Marines enthusiastically playing the game.
At one point, we had a Staff Sergeant in the detachment...I'm not sure why he was there, as he didn't seem to be assigned to a language class, but being a typical Marine SSgt, he began looking for an office to make his own. He settled on the game room, and in order to make the space a bit more usable, decided to separate the credenza-desk in half, and then turn the flat of each half against the opposite wall. So the SSgt got a bunch of Marines (what we call a "workin' party") and went about disassembling the small six-station LAN, separating the credenza and turning things around. They were just about done when I happened to walk by the doorway, and I popped my head in just to see how things were going. The SSgt caught my eye, and came over...they were trying to set the LAN back up again, and it wasn't working. The SSgt was very enthusiastic, as apparently they were almost done, and getting the LAN working again was the final task. So putting on my desktop support hat, I listened to the SSgt explain how they'd carefully disassembled and then re-assembled it EXACTLY as it had been before. I didn't add the emphasis with the word "exactly"...the SSgt had become much more enthusiastic at that word.
So I began looking at the backs of the computer systems nearest to me, and sure enough all of the systems had been connected. When I got to the system that was at the "end", I noticed that the coax cable had been run directly into the connector for the network card. I knew enough about networking and Marines that I had an idea of what was going on...and sure enough, when I moved the keyboard aside, I saw the t-connector and 50 ohm terminator sitting there. To verify the condition of the network, I asked the SSgt to try the command to test the network, and he verified that there was "no joy". I was reaching down into one of the credenza stations, behind the computer, and no one could see what I was doing...I quickly connected the terminator to the t-connector, connected it to the jack on the NIC, and then reconnected the coax cable. I told the SSgt to try again, and was almost immediately informed (by the Marines' shouts) that things were working again. The SSgt came running over to ask me what I'd done.
To this day, I haven't told him. ;-)