9 Feb 2015

Event logs in Windows 7

In Windows 7 the number of event logs, which can be found in the folder c:\Windows\System32\winevt\Logs, has shot up compared with what we used to find in Windows XP.

These events are an essential source of information when investigating both a user's actions and actions carried out by malware.

To work with them comfortably I have turned to several third-party tools, but over time and with use I have always run into problems: either they sometimes did not extract all the information the logs contained, or there were problems related to date-time conversion.

So in the end I have chosen to use Windows' own tool, wevtutil.exe, together with a couple of transformations to make the output manageable.

The first problem is extracting the logs from the machine. To avoid losing information from log sources that are specific to that machine, the logs have to be processed on the machine itself before we take them away.

To do that I first export the logs, convert them to text, and archive them with all the information about their sources so that they can be reopened on another machine with all their information even if that machine does not have those sources. I chose the text format because it seems to me the best balance between information and ease of processing. In any case I will always have the archived logs available if I need to dig deeper into a particular one.

The best tool for this is wevtutil.exe. Somewhere I have seen that when people copy the logs they delete those that are 69,632 bytes in size because they are empty, and this is a mistake. It is true that the vast majority of them contain nothing useful, but some do, so it is better not to delete anything until they have been processed. Apart from that, some renaming is needed because the log names are a little "special".

The bat file I run is:

@echo off
REM Capture all event logs, archive them and dump them to text
mkdir .\LogFiles
pushd .\LogFiles
REM In the file names the / of a channel name is encoded as percent-4.
REM delims splits on each of the characters percent, 4 and dot, so a 4 elsewhere in a name also splits it.
FOR /F "tokens=1,2 delims=%%4." %%a IN ('dir /b c:\windows\system32\winevt\Logs') DO (
    IF "%%b"=="" (
        wevtutil.exe epl "%%a" "%%a.evtx"
    ) ELSE IF /I "%%b"=="evtx" (
        wevtutil.exe epl "%%a" "%%a.evtx"
    ) ELSE (
        wevtutil.exe epl "%%a/%%b" "%%a_%%b.evtx"
    )
)
for /R %%G IN (*.evtx) DO (
    REM Optional: dump the information to text
    wevtutil.exe qe "%%G" /f:text /lf:true > "%%~nxG.txt"
    REM and archive the log together with the information of its sources
    wevtutil.exe al "%%G"
)
echo on
popd

Once the contents of the logs have been extracted we have a collection of information like this:

Event[]:
  Log Name:
  Source:
  Date:
  Event ID:
  Task:
  Level:
  Opcode:
  Keyword:
  User:
  User Name:
  Computer:
  Description:


In principle this is not very manageable, so to be able to add it to a timeline I run it through the following program written in Perl:

use warnings;
use strict;

# Reads the names of the wevtutil text dumps from STDIN, one per line.
# Each dump gets its own <name>-LocalT.csv; every row also goes to AllEventLogs-LocalT.csv.
open(ALL, '>:encoding(cp1252)', "AllEventLogs-LocalT.csv") or die "Can't write file 'AllEventLogs-LocalT.csv' [$!]\n";
while (<STDIN>) {
    chomp;
    my $file = $_;
    my $tmpFile = $file.".tmp";
    my $tsvFile = $file.".tsv";
    my $csvFile = $file."-LocalT.csv";

    # Pass 1: put every event on a single line (a new line starts at each "Event[n]:").
    open(OUT, '>:encoding(cp1252)', $tmpFile) or die "Can't write file '$tmpFile' [$!]\n";
    open(F, '<:encoding(cp1252)', $file) or die "Can't read file '$file' [$!]\n";
    while (<F>) {
        my $linea = $_;
        $linea =~ s/\r|\n|\t//g;
        $linea =~ s/"/'/g;
        $linea =~ s/Event\[.*\]:/\n/g;
        print OUT $linea;
    }
    close(F);
    close(OUT);

    # Pass 2: replace the field labels with tabs, giving one tab-separated record per event.
    open(OUT, '>:encoding(cp1252)', $tsvFile) or die "Can't write file '$tsvFile' [$!]\n";
    open(F, '<:encoding(cp1252)', $tmpFile) or die "Can't read file '$tmpFile' [$!]\n";
    while (<F>) {
        my $linea = $_;
        $linea =~ s/\s{2}Log Name:\s//g;
        $linea =~ s/\s{2}Source:\s/\t/g;
        $linea =~ s/\s{2}Date:\s/\t/g;
        $linea =~ s/\s{2}Event ID:\s/\t/g;
        $linea =~ s/\s{2}Task:\s/\t/g;
        $linea =~ s/\s{2}Level:\s/\t/g;
        $linea =~ s/\s{2}Opcode:\s/\t/g;
        $linea =~ s/\s{2}Keyword:\s/\t/g;
        $linea =~ s/\s{2}User:\s/\t/g;
        $linea =~ s/\s{2}User Name:\s/\t/g;
        $linea =~ s/\s{2}Computer:\s/\t/g;
        $linea =~ s/\s{2}Description:\s/\t/g;
        print OUT $linea;
    }
    close(F);
    close(OUT);
    unlink($tmpFile);

    # Pass 3: build the log2timeline row; the date goes from yyyy-mm-dd to mm/dd/yyyy.
    open(OUT, '>:encoding(cp1252)', $csvFile) or die "Can't write file '$csvFile' [$!]\n";
    open(F, '<:encoding(cp1252)', $tsvFile) or die "Can't read file '$tsvFile' [$!]\n";
    while (<F>) {
        next if $_ =~ /^$/;
        my @fields = split(/\t/, $_);
        # Pad short records so a missing field does not produce "uninitialized" warnings.
        for my $i (0 .. 11) { $fields[$i] = '' unless defined $fields[$i]; }
        my ($date, $time) = split(/T/, $fields[2]);
        $date = '' unless defined $date;
        $time = '' unless defined $time;
        $date =~ s/^(\d{4})-(\d{2})-(\d{2})/$2\/$3\/$1/;
        $fields[11] =~ s/\r|\n//g;
        my $salida = join(",",$date,$time,"Local","MACB","EVTX",$fields[1]."[".$fields[0]."]",$fields[5],$fields[9].":".$fields[8],$fields[10],"EventID: ".$fields[3],'"'.$fields[4]."-".$fields[11]."-".$fields[6]."Keyword:".$fields[7].'"',"-","-","-","-","-","-");
        print OUT $salida."\n";
        print ALL $salida."\n";
    }
    close(F);
    close(OUT);
    unlink($tsvFile);
}
close(ALL);



And as the last step I convert the date-time values, which are in local time, to UTC and add the headers of the log2timeline format "date, time, timezone, MACB, source, sourcetype, type, user, host, short, desc, version, filename, inode, notes, format, extra" using the always useful Logparser:

logparser "SELECT Field1 as date,STRCAT(TO_STRING(TO_TIME(TO_UTCTIME(TO_TIMESTAMP(ADD(Field1,Field2), 'MM/dd/yyyyHH:mm:ss.ll'))),'HH:mm:ss'),STRCAT('.',EXTRACT_SUFFIX(Field2,0,'.'))) as time,REPLACE_STR(Field3,'Local','GMT') as timezone,Field4 as MACB,Field5 as source,Field6 as sourcetype,Field7 as type,Field8 as user,Field9 as host,Field10 as short,Field11 as desc,Field12 as version,Field13 as filename,Field14 as inode,Field15 as notes,Field16 as format,Field17 as extra INTO AllEventLogs-GMT.csv FROM AllEventLogs-LocalT.csv" -i:csv -o:csv -headerRow:OFF

Despite all the fuss, in a few seconds we have all the logs in log2timeline format, neatly packaged with all the source-specific information so that they can be reopened on any other machine.

29 Jan 2015

MFTF.

The name is now mftf.exe. I'm no longer using the FSCTL_ENUM_USN_DATA method. Now I only parse the $MFT file.
Some changes to the program and some bugs fixed.
https://github.com/ignacioj/mftf
The options now are:
Options:
    -d drive_letter............................Search/copy files from this logical unit.
    -h........................................This help.
    -f "string1[|string2 with spaces|string3?...]".....Find file/directory/ADS names with any of the strings.
    -f "d:\folder\string"                         .....The path will limit the results to the subfolders.
                The match is always case insensitive.
                " as delimiters for the whole group of strings.
                | is the boundary between strings.
                ? al the end of the string specifies an exact coincidence.
    -ff file.txt....................The strings to search for are in file.txt.
                                    One string per line, no separator, use ? as needed.
    -fr string......................Find the string doing a raw search in the 1024 bytes of the MFT record.
                                    It will report coincidences in the unallocated space of the MFT record.
    -fads...........................Find all the ADSs in the logical unit.
    >Can be used with any of the previous find options:
        -fx..................................Save the results in a file in order to use the option -c.
        -ft..................................Show the results in timeline format.
    -i full_path_to_file/directory.......Show information about the path.
    -i record_number.....................Show information of the MFT record.
    -w record_number.....................Write on screen the 1024 bytes of the MFT record.
    -c "reference1[|reference2...]"......Copy the file/s referenced to this folder.
                                           | is the separator.
    -c list.txt..........................Copy all the files referenced in the file list.txt.
                                           Each line MUST start with: reference + [TAB].
    -cr record_number....................Copy the 1024 bytes of the MFT record to this folder.
Examples:
> MFT-fileoper.exe -d e: -f "svchost|mvui.dll|string with spaces|exact match?"
> MFT-fileoper.exe -d e -fx -f "c:\folder\temp.dll|snbclog.exe"
> MFT-fileoper.exe -d e -c "33:128-1|5623:128-4"




13 Jan 2015

Another MFT parser and copy restricted files program

I've been working on a command line program that allows me to do quick searches directly accessing the MFT and copy files avoiding the limitations of the OS. There are already some programs that do it but:
- Some have ceased to be free.
- Some are very large in size and slow.
- I want to seriously learn the architecture of the MFT.
- I want to learn C#.
- Just for fun.

The method I have used to speed things up is to create a dictionary using the enumeration of the MFT with FSCTL_ENUM_USN_DATA and including the offset of the MFT records in it.

This process, in an old system with a partition of 400 Gb with 300k objects, takes 5 seconds on average. This initial process is necessary because the MFT is often fragmented and when I process an ATTRIBUTE_LIST I find references to MFT entries that have not yet been examined but to which access is required to extract names and dates from ATTRIBUTE_FILE_NAME.

Finally I have also added the option to copy files avoiding the restrictions of the OS, which is very convenient because you can copy restricted or protected files like MFT or UsnJrnl.

The functions used come from the KERNEL32.DLL library: GetVolumeInformationByHandleW, ReadFile, CreateFile, SetFilePointerEx, GetFileInformationByHandle, DeviceIoControl.
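
The per-record work described in this post, as an added Python example (it is not mftf's own C# code): undo the update sequence fixups of a 1024-byte FILE record, take names and dates from $FILE_NAME, and flag an $ATTRIBUTE_LIST that points to other records. The offsets follow the standard NTFS record layout; the sample record, its file name and its timestamp are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
ATTR_ATTRIBUTE_LIST, ATTR_FILE_NAME, ATTR_END = 0x20, 0x30, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2012, 11, 14, 11, 43, 12, tzinfo=timezone.utc)  # constructed

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def apply_fixups(raw):
    """Restore the last two bytes of each sector from the update sequence array."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    """Parse one MFT record: flags, $ATTRIBUTE_LIST presence and every $FILE_NAME."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "has_attribute_list": False, "names": []}
    off = first_attr
    while off + 8 <= min(used, len(rec)):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_ATTRIBUTE_LIST:
            info["has_attribute_list"] = True  # further attributes live in other records
        elif atype == ATTR_FILE_NAME and off + 0x18 <= len(rec) and rec[off + 8] == 0:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)  # resident content
            c = rec[off + coff:off + coff + clen]
            if len(c) < 0x42:
                break  # truncated attribute, stop walking
            times = struct.unpack_from("<4Q", c, 8)
            info["names"].append({
                "name": c[0x42:0x42 + 2 * c[0x40]].decode("utf-16-le"),
                "parent_record": int.from_bytes(c[0:6], "little"),
                "created": filetime_to_utc(times[0]),
                "modified": filetime_to_utc(times[1]),
            })
        off += alen
    return info

def build_sample_record(name="svchost.exe", when=SAMPLE_TIME):
    """Constructed 1024-byte record (not real evidence) with a single $FILE_NAME."""
    ft = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    content = struct.pack("<Q4Q2Q2I2B", 5 | (5 << 48), ft, ft, ft, ft, 0, 0,
                          0x20, 0, len(name), 1) + name.encode("utf-16-le")
    alen = (0x18 + len(content) + 7) & ~7          # attributes are 8-byte aligned
    attr = (struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 0, 0, 0,
                        len(content), 0x18, 1, 0) + content).ljust(alen, b"\0")
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                         0x38 + alen + 8, 1024, 0, 1, 0, 1234)
    body = header + b"\0" * 8 + attr + struct.pack("<II", ATTR_END, 0)
    rec = bytearray(body.ljust(1024, b"\0"))
    usn = b"\x07\x00"
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]  # save the sector tails
    rec[510:512] = rec[1022:1024] = usn                    # stamp the sequence number
    return bytes(rec)
```

A record whose sector tails do not carry the update sequence number is rejected instead of being parsed, which is what keeps half-written records out of the results.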


24 Jan 2013

Red October malware


This is the first time I have used Regkeval on a PC infected with the Red October malware. These are the registry keys that enable persistence of the malware:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows [Load]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  [DotNet32]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  [ctfmon32rt]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  [LgfxTray]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  [shmservice]


An excerpt of the output:



Registry values
Key    Value    Data    Key_Timestamp    Remarks
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load&&Run,load=""-Run=""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows    Load    C:\Documents and Settings\john\Datos de programa\Microsoft\RtkN32Gdi.exe    2013-01-24T11:07:29Z    ntuser_john.dat [Expected: [Val:]]
HKU\Software\Microsoft\Windows\CurrentVersion\Run\:::vk:::,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run    CTFMON.EXE    C:\WINDOWS\system32\ctfmon.exe    2012-11-14T11:43:12Z    ntuser_john.dat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run    DotNet32    C:\Documents and Settings\john\Datos de programa\Microsoft\svchost.exe    2012-11-14T11:43:12Z    ntuser_john.dat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run    ctfmon32rt    "C:\Documents and Settings\john\Datos de programa\Microsoft\ms32trayX.exe"    2012-11-14T11:43:12Z    ntuser_john.dat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run    LgfxTray    "C:\Documents and Settings\john\Datos de programa\Microsoft\lgfxtray.exe"    2012-11-14T11:43:12Z    ntuser_john.dat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run    shmservice    C:\Documents and Settings\john\Datos de programa\Microsoft\RtkN32Gdi.exe    2012-11-14T11:43:12Z    ntuser_john.dat



It's time to update the regkeval_val_malw_espec.tsv file with these new values:

RtkN32Gdi.exe    RedOctober    dos
Microsoft\svchost.exe    RedOctober    dos
ms32trayX.exe    RedOctober    dos
lgfxtray.exe    RedOctober    dos


11 Dec 2012

HTML output color codes sample.

This is an output sample of the tool with all the colors that the html output uses currently.


Registry values
Key Value Data Key_Timestamp
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\:::*:::\Default,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\igfxcui Default {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} 2007-12-13T21:59:58Z
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} Default GraphicsShellExt Class 2007-12-13T21:59:58Z
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32 Default C:\WINDOWS\system32\igfxpph.dll 2007-12-13T21:59:58Z
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\ProgID Default igfxpph.GraphicsShellExt.1 2007-12-13T21:59:58Z
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\New Default {D969A300-E7FF-11d0-A93B-00A0C90F2719} 2007-12-13T22:04:28Z
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719} Default Microsoft New Object Service 2007-12-13T22:04:28Z [Expected value: New Menu Handler]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719}\InProcServer32 Default %SystemRoot%\system32\SHELL32.dll 2007-12-13T22:04:28Z [Expected value: %SystemRoot%\system32\shell32.dll]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters ServiceDll %SystemRoot%\System32\mswsock.dll 2009-06-11T09:40:54Z [Match: %SystemRoot%\System32\mswsock.dll][Info: Microsoft Windows Sockets 2.0 Service Provider]
ntuser_john.dat
HKU\Software\Microsoft\Windows\CurrentVersion\Run\:::vk:::,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe 2012-10-29T16:40:24Z
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\ARCHIV~1\MI3AA1~1\wcescomm.exe" 2012-10-29T16:40:24Z
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AbGame c:\Winis7\opera.exe 2012-10-29T16:40:24Z [Match: Winis7\opera.exe][Info: W32.Winiga]


You may think there are too many colors in the HTML output of Regkeval, but keep in mind that there can be several thousand lines of output to review.

The normal output will be full of green lines, meaning that the value matches exactly what is expected, so you can browse the document very quickly. Whenever the tool finds a mismatch with a value included in the file containing the expected values for the system, the regkeval_val_justif.tsv file, the line is displayed as red text on a white background and the expected value, as it appears in regkeval_val_justif.tsv, is appended to the time field.

When there is a match with any of the keywords contained in the regkeval_val_malw_espec.tsv file the entry is displayed as white on red background if it is classified as malware. But if it is classified as a special value then it will be displayed as blue on yellow background. The classification as malware or value of interest can be made by assigning to the corresponding keyword the string "dos" for malware or the string "cuatro" for values of interest in the regkeval_val_malw_espec.tsv file. In both cases the information included in the regkeval_val_malw_espec.tsv file will be appended to the time field in the output.

If there is no info about the value it is displayed as sunset color (http://en.wikipedia.org/wiki/Sunset_%28color%29 :-) ).

Finally, the grey background color marks the beginning of the output for each search path, and the blue background color marks the beginning of the analysis of an ntuser.dat file.
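
The classification and color rules above, applied to the indicator rows from the Red October post, as an added Python example rather than Regkeval's own Perl code. Assumptions: the layout of the justified list (key, value, expected data), indicator matches taking precedence over the justified list, case-insensitive indicator matching, the `mismatch` label, and the classes given to the Winis7\opera.exe and mswsock.dll rows; the registry values are constructed from the excerpts on this page.

```python
import csv
import io

# Indicator <TAB> Info <TAB> class, as in regkeval_val_malw_espec.tsv.
# The classes of the last two rows are assumed; the page only shows their Match/Info.
MALW_ESPEC_TSV = (
    "RtkN32Gdi.exe\tRedOctober\tdos\n"
    "Microsoft\\svchost.exe\tRedOctober\tdos\n"
    "Winis7\\opera.exe\tW32.Winiga\tdos\n"
    "mswsock.dll\tMicrosoft Windows Sockets 2.0 Service Provider\tcuatro\n"
)
RUN = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
NEW_MENU = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\"
            "{D969A300-E7FF-11d0-A93B-00A0C90F2719}\\InProcServer32")
# Assumed layout for regkeval_val_justif.tsv: key <TAB> value <TAB> expected data.
JUSTIF_TSV = (
    f"{RUN}\tCTFMON.EXE\tC:\\WINDOWS\\system32\\ctfmon.exe\n"
    f"{NEW_MENU}\tDefault\t%SystemRoot%\\system32\\shell32.dll\n"
)
# Colors of the HTML output as the post describes them ("mismatch" is this example's label).
STYLE = {"cero": "green", "uno": "sunset", "dos": "white on red",
         "cuatro": "blue on yellow", "mismatch": "red on white"}

def read_rows(text):
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return [row for row in reader if len(row) == 3]

def load_indicators(text):
    return [(ind, info, cls.strip().lower()) for ind, info, cls in read_rows(text)]

def load_justified(text):
    # Key and value names are compared case-insensitively, the data exactly.
    return {(key.lower(), value.lower()): data for key, value, data in read_rows(text)}

def classify(key, value, data, indicators, justified):
    """Return (class, style, remark) for one registry value."""
    for ind, info, cls in indicators:           # keyword match on the data only
        if ind.lower() in data.lower():
            return cls, STYLE[cls], f"[Match: {ind}][Info: {info}]"
    expected = justified.get((key.lower(), value.lower()))
    if expected is None:
        return "uno", STYLE["uno"], ""
    if data == expected:                        # exact, so SHELL32.dll != shell32.dll
        return "cero", STYLE["cero"], ""
    return "mismatch", STYLE["mismatch"], f"[Expected value: {expected}]"

def triage(values, indicators, justified):
    """Classify every value and list the rows most urgent first."""
    order = {"dos": 0, "cuatro": 1, "mismatch": 2, "uno": 3, "cero": 4}
    rows = [(k, v, d) + classify(k, v, d, indicators, justified) for k, v, d in values]
    return sorted(rows, key=lambda r: order[r[3]])

APPDATA = "C:\\Documents and Settings\\john\\Datos de programa\\Microsoft\\"
SAMPLE_VALUES = [   # constructed; "Updater" does not appear on the page
    (RUN, "CTFMON.EXE", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    (RUN, "DotNet32", APPDATA + "svchost.exe"),
    (RUN, "H/PC Connection Agent", '"C:\\ARCHIV~1\\MI3AA1~1\\wcescomm.exe"'),
    (NEW_MENU, "Default", "%SystemRoot%\\system32\\SHELL32.dll"),
    (RUN, "Updater", "C:\\WINDOWS\\system32\\svchost.exe"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_VALUES, load_indicators(MALW_ESPEC_TSV), load_justified(JUSTIF_TSV))
    for row in found:
        print(row[3], row[4], row[1], row[2], row[5], sep=" | ")
```

Because the indicator is `Microsoft\svchost.exe` and not just the file name, the copy under the user profile is flagged while `C:\WINDOWS\system32\svchost.exe` stays unknown.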

23 Nov 2012

Update on keys and values.

After reading the Microsoft Malware Protection Center Threat Report: Rootkits, I have included new keys that affect HKLM.

Added: HKLM\System\ControlSet\Services\Tcpip\Parameters.
Values: DataBasePath and DhcpNameServer.
Reference: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Alureon

Added: All keys under HKLM\System\ControlSet\Services\Tcpip\Parameters\Interfaces.
Values: DhcpNameServer and NameServer.
Reference: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Alureon

After reviewing the keys that can be used by the malware to avoid the firewall:

Added: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile.
Value: EnableFirewall.

Added: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List.
Values: All.

Added: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List.
Values: All.

Added: HKLM\System\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.
Values: All.

New values included in the list of "justified":

Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile.
Value: EnableFirewall.
Data: 1.

Key: HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.
Value: EnableFirewall.
Data: 1.

Malware strings added:

Strings: msqpdx and msliksur.
Reference: Win32/Alureon.

Strings: glaide32.sys and lzx32.sys.
Reference: Win32/Rustock.

Strings: runtime.sys and runtime2.sys.
Reference: Win32/Cutwail.


16 Nov 2012

List of "safe" values.

I have been studying the values that remain unchanged over time in a typical registry hive in order to populate the list of "safe" values to use with Regkeval.

When I reviewed the timestamps of the registry keys in Windows 7 and Windows XP I found basically the same behaviour but with a significant difference. In Windows 7 there are between 60 and 70 thousand keys that remain over the years with the date of the compilation, that is, 2009-07-14.

I guess that it must be the date of my localized version, given what Wikipedia says (http://en.wikipedia.org/wiki/Windows_7):
Windows 7 RTM is build 7600.16385.090713-1255, which was compiled on July 13, 2009...

In Windows XP there are between 60 and 70 thousand keys that remain unchanged over the years but in this case the oldest timestamp is the moment of the installation.

Few keys get a new timestamp each month, and the only big increase occurs when the Microsoft Office suite is installed or updated. Then there is an increase of 30 to 40 thousand newly timestamped keys.
Of course, I can say this because afterwards they again remain unchanged over the months.

What I have included in the list as trusted or safe values are all the values under these keys that remain unchanged from the initial installation. Furthermore, in the latest version of the tool I have decided that all the values in this list that don't match the expected value will be marked as suspicious.

In my experience I have around four hundred of these suspicious keys in the output, but they are caused by differences in version numbers. Because the expected value is shown in the timestamp column between square brackets, it is very easy to discard these warnings.

All that said, using the list provided you can expect 33% of the output to be classified as "safe".

Now it is up to you to include more values to finally have a list that can save you time, based on the configuration of your environment or simply by adding values from well-known software installations.

And remember that this evaluation, based only on the names of the values, is intended to be only a very first impression of what might be happening in the system.

If you want to give it a try: http://code.google.com/p/regkeval/



13 Nov 2012

Regkeval output

There are now a total of 179 paths to registry values in the two files provided with the application. Every path can include from one to more than one hundred values because of the wildcards.

Those registry values are mainly autostart locations, and because the program provides information on any CLSID it finds, the total number of lines in the output can reach almost three thousand.

That is the reason to provide an html output with colors: red for malware, green for trusted values, yellow and blue for values of interest and gold for unknown values. The line in dark gray is the value of the filter:



When there is a match the matching value and the information included about the malware in the file is displayed in the column of the timestamp.

In the above example the value ServiceDll of the service Browser is marked as unknown because the known value included in the file is %SystemRoot%\System32\browser.dll.

In the next few days I will provide files with known values obtained from fresh installs of Windows XP and Windows 7.
http://code.google.com/p/regkeval/

Regkeval published.

Finally I have published Regkeval. The tool is intended to facilitate the initial examination of computers by retrieving and classifying specific key values of the registry.

The aim is to help forensic analysts in the initial phase of reviewing the Windows registry by inspecting keys of interest, e.g. the registry keys and values involved in malware persistence, before searching in depth with Regripper or any other tool of your choice.

The values are read from a list that can be customized using wildcards. When all the values have been read they are classified using two more lists. The first one contains those values that the investigator considers normal or pertaining to the system. The second one has values that are considered malware and values that are considered of special relevance.

The tool is written in Perl and works on offline registry hives. The description included in the file says:

# Two arguments are required: full path to System and Software hives and full path to all users hives.
# e.g.: perl regkeval.pl d:\cases\C1\hives d:\cases\C1\hives\users
# perl regkeval.pl d:\cases\C2\allhives d:\cases\C2\allhives
#
# System, software and ntuser hives must contain those words in their own file names.
# The selection of the CurrentControlSet is made reading the registry.
# In order to assist the analyst when reviewing the output the tool automatically retrieves this
# information of any CLSID contained in the data of a value:
# InprocHandler32,InprocServer32,LocalServer32,ProgID - Default values
#
# The output consist of three files:
# Raw output: all registry values retrieved.
# Revised output: like the raw output plus the calification of the data based on the information
# contained in "regkeval_val_malw_espec.tsv" and "regkeval_val_justif.tsv".
# HTML output: For easy inspection of results.
#
# The output is classified as:
# Cero - Known values.
# Uno - Unknown values.
# Dos - Malware values.
# Cuatro - Special values of interest.
#
# The classification is based on the values provided in the files "regkeval_val_justif.tsv" and
# "regkeval_val_malw_espec.tsv".
# All values in "regkeval_val_justif.tsv" are Cero class and the match must be exact to get it out.
# All values in "regkeval_val_malw_espec.tsv" have their own classification and the match is based
# only in the value from the column "Indicator".
#
# List of possible filters for retrieving data from values in subkeys of the hive:
# :::vk::: - Retrieves all values and keys
# :::v::: - Retrieves all values
# :::*::: - Any key
# :::*any_word*::: - Filter keys containing "any_word"
# value1&&value2&&value3... - Filter values
# The filters must end with the value/s to retrieve.
#
#
# Files needed:
#
# regkeval_html.dat - Main part of the html output.
# regkeval_val_malw_espec.tsv - List of known malware values of interest.
# You must maintain the format when modifiying the content.
# regkeval_val_justif.tsv - List of known good values that can be discarded at this moment.
# You must maintain the format when modifiying the content.
# regkeval_HKLM.csv - List of HKLM of interest. You must maintain the format when modifiying the content.
# regkeval_HKU.csv - list of HKU values of interest. You must maintain the format when modifiying the content.

 http://code.google.com/p/regkeval/

11 Nov 2012

Regkeval

I have finally started publishing my tool for searching and classifying keys and values in offline registry files. It is called Regkeval and I am uploading it to GoogleCode.
I decided to write it because I could not find a tool that fully matched what I wanted. There are many that do the same thing, and surely better, but none let me define the keys and values to examine, or they did not work on offline registries, or they only had a GUI and no command line... to each their own, right?
I think that, being open and easily configurable to each person's taste, it may be useful to someone, and along the way I contribute a little to the community.