
Tcstool

Active Members
  • Posts: 80
  • Joined
  • Last visited

Posts posted by Tcstool

  1. Good show guys, lots of great content for those of us who couldn't attend. I think Darren is often at his best in con episode interviews; he does a great job getting the most from his guests in a short timeframe.

  2. Has anyone tried to utilize the Firefox and IE History script? I have a PC that was infected, and prior to blowing it out we extracted the IE history files and FF profiles. I would like to use the script and statically point it to those files, but it's erroring out..

    That script has been HEAVILY modified to fit the U3 switchblade. You will probably want to use the original source by cyber_flash found here:

    http://www.codeproject.com/KB/vbscript/Int...plorer_Spy.aspx

  3. Not 24 hours before this episode was released, I worked an incident response case on a server compromised by RDP in this EXACT scenario, then used to send out phishing emails...I'm now making Darren the #1 suspect! Be prepared to be visited by the black vans and helicopters over the Hak House.

  4. Yes. It's free....IF you work in law enforcement. I have a friend who works for the Sheriff's department here and acquired one...I'm not a fan. It is very difficult to tell what's happening as you're running your forensics, it takes a VERY VERY VERY VERY VERY long time to run, and it sends some information across the wire to Microsoft. I like my stuff better for investigations :D

  5. Good thoughts. I'll mess around with autorunsc and InjectedDLL and see if I can get them worked in. The goal is to have a totally automated tool, and while I agree it's not rocket science, it's not within the goals of what we're developing here. This is after all a first responder tool (see Hak5 PhreakNIC episode :-) ).

    I will look into the volatility issue and see what we can do there.

  6. Personally, I feel an incident response kit is incomplete without AutoRuns. It's extremely common for malware to want to auto run on boot, and AutoRuns enumerates a lot of different start up locations. It can even verify digital signatures, and hide programs that are verified to be from Microsoft making analysis much easier. I use something like autorunsc.exe -a -m -v. Also InjectedDLL from NirSoft can help in detecting stealthy malware that uses DLL injection.

    I'm also still not sure it's a good idea to not follow best practices by collecting data in the order of volatility. If it goes to court and you're asked why you didn't follow best practices like everyone else, I would think you'd need to have a really good reason.

    Since you're collecting so much data, some of which isn't volatile, it would be nice if you could choose how intrusive you want to be before you run the software. One mode would collect just volatile data, and another collect some non volatile data such as Event Logs. It's also best practice now to collect an image of physical memory before you do anything. I think it would be nice to have an option for that as well, and maybe even the choice on whether to follow the order of volatility or not.

    Overall I think this toolkit is really cool. Cheers!

    Thanks for the feedback:

    • It does check for autoruns in some places, like the Run and RunOnce keys in the registry. HarshReality and I have been working on a way to enumerate this without using 3rd party tools (we're trying to eliminate all of them to avoid redistribution issues), hence the hesitance to add additional ones. It might not be a bad idea for now though (If we're distributing one we might as well distribute 100 right?). However, the ones listed don't run silently and use a GUI.

    • Order of data collection is on my personal list to work on; I was trying to round out the data we want collected first. I'd really like to get some feedback on what you think the best order would be. Definitely an easy fix and a nice addition. Great thought!!!
    • The original concept behind the tool was to be completely non-interactive, so any user could run it at a remote site or whatever. This is why there are no options presented. Something simple like that might not be a bad addition though. It may be we need to fork off this project into another branch for IR professionals vs. this one geared for remote users and system admins.

    All in all, really good thoughts. we'll definitely work some of this stuff in.

  7. Booo Mizzou. They hate my college cuz we're Missouri State University, and they are University of Missouri. MSU Bears FTMFW

    Missouri has entirely too many colleges, especially ones with confusing names. Southeast Missouri, Southwest Missouri (which became Missouri state right?) St. Louis, Washington University in St. Louis, Missouri...Craziness!

  8. I agree that in forensic work, the last thing you want to see is nothing; there's no sense in hiding the cmd box. This payload was made by Tcstool originally for forensic work. I agree it can be used for other purposes such as grabbing sensible info from a PC, but...

    I saw the white paper and the info looks great! You can extract not only the serial number of all attached USB, but the last date it was connected and more... For forensic matters I think it is a great implementation. If you want some help in this, I'll be ready on trying to do my best with it. :lol:

    I had a chance to review the white paper as well...This is great stuff, and will be really easy to add!!!! I will definitely make this a feature. Thanks for the suggestion!

  9. Here's your addition for the security logs if it's of interest..

    cscript %WINDIR%\System32\eventquery.vbs /r -10 /fo LIST /l security >> %1\output\%computername%\syslog-%computername%.txt

    You know I had this tested and sorted out to add. I was on the brink of adding security log dumps but man the security logs on windows machines get SO MESSY!

  10. Thanks to some snow and a day off work, version 1.7 is now posted to the wiki:

    http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade

    Only the slow link is up to date as of right now so download from there.

    Changes in this version:

    • Capture of the Firefox and IE history files for all users on the machine
    • Capture of the Application and System error event log items (Thanks HarshReality!)
    • Added labels to each section of output (Because I've added so much stuff, when I used this on a job site the other day I couldn't remember what was what!)

    Enjoy, and throw me feedback out there. HarshReality, still waiting on that HTML output! ;)

  11. I think there's some humorous irony in the fact that you named a cat after an authentication protocol that was named after a three headed dog that guards the entrance to Hades!

  12. What do you think about grabbing the cookies and internet history this way you can try to figure out if a user got infected by going to a certain site?

    That's not a bad idea. I have a nice VBScript for this, but it occasionally will hang up on certain systems, so I'm working the kinks out.

  13. I can't do a direct dump using dir but I find it can be done with multiple command lines..

    cd %ALLUSERSPROFILE%\Start Menu
    dir * >> %1\output\%computername%\allusersstart-%computername%.txt

    Course this is most likely not the preferred way but it does get the results done making use of an environment variable and like the rest of your script is using only command line.

    That would work but we have to do it last. If we cd out of the execution directory it's going to kill off the rest of the script because the rest of the tools won't be in path anymore.

  14. Checks

    - Recycle Bin of each profile

    - Verify anti-virus logs for e.g. trojans received through e-mail

    - Use PestPatrol to find known backdoor software on the system

    - Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry)

    - Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past.

    CMD commands

    - rasusers – obtain all users connected through RAS.

    - net start – obtain a list of all running services

    - at – verify scheduled jobs, especially for listening shells scheduled to start at certain times

    - netstat -anp – verify listening processes

    - fport – verify which processes have listening sockets open

    - listDLLs – show command line arguments for each process running

    Registry & File Name Dumps

    1. Autoruns (Silent Runners: VBS script that dumps the autoruns, Vista compatible, possible alternative)

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    2. Installed software (LINK for a VBS that does this: http://www.appdeploy.com/tips/detail.asp?id=128)

    - HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    3. Dump file list of Startup folder

    Other Dumps

    - Boot.ini and MBR

    - Event log

    - Page file for later analysis (win386.swp/pagefile.sys)

    I feel the need to respond to this in a more specific manner, to clarify what's already included so the discussion doesn't get pointed in the wrong direction. Also, bear in mind this is not an attack tool, but a tool for responding to potential attacks and penetration:

    - Recycle Bin of each profile: Can do, will be included in next release

    - Verify anti-virus logs for e.g. trojans received through e-mail: Too specific to each AV vendor to do in an automated fashion

    - Use PestPatrol to find known backdoor software on the system: This is more of a remediation than investigation app

    - Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry): Already documented with PSInfo

    - Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past: Not always accurate, questionable value

    - rasusers – obtain all users connected through RAS: Only applies to servers, maybe we need to build a separate version of this for servers?

    - net start – obtain a list of all running services: Already enumerated with tasklist /svc and sc query commands

    - at – verify scheduled jobs, especially for listening shells scheduled to start at certain times: This is a good idea, going into the next release

    - netstat -anp – verify listening processes: Already enumerated with netstat -ano

    - fport – Already enumerated with netstat -ano

    - listDLLs – show command line arguments for each process running: I don't see that it shows command line arguments, but that's useful stuff nonetheless. Will be included in next version until we can figure out a way to do away with Sysinternals tools.

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run: Does not exist on XP?

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run: Already done

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce: Already done

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices: Does not exist on XP?

    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce: Does not exist on XP?

    - Installed software (LINK for a VBS that does this: http://www.appdeploy.com/tips/detail.asp?id=128): Already enumerated by PSinfo

    - HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall: This takes a while to dump and can be quite large

    - Dump file list of Startup folder: Having issue running this from the U3 context

    - Boot.ini and MBR: Better done with something like Helix

    - Event log: Coming in next release

    - Page file for later analysis (win386.swp/pagefile.sys): WAY too big!

    All good thoughts, will definitely use some of this.
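
The collection order, section labels and "don't cd away from the tool directory" points raised in posts 6, 9, 13 and 14 above, pulled together as an added batch example (not the Switchblade's own script): it assumes the launcher passes the output root as the first argument, as in the thread's %1\output\%computername%, uses only built-in Windows commands plus the XP-era eventquery.vbs quoted in post 9, and the :section label helper is mine.

```batch
@echo off
REM Added example: collect in rough order of volatility and label every section.
REM %1 is the output root handed over by the launcher (assumption, as in the thread).
setlocal
set "OUT=%~1\output\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
set "LOG=%OUT%\ir-%COMPUTERNAME%.txt"

call :section "Collection started"
echo %DATE% %TIME% >> "%LOG%"

REM 1. Most volatile first: network state, processes, services, scheduled jobs
call :section "netstat -ano"
netstat -ano >> "%LOG%" 2>&1
call :section "tasklist /svc"
tasklist /svc >> "%LOG%" 2>&1
call :section "sc query"
sc query >> "%LOG%" 2>&1
call :section "Scheduled jobs (at / schtasks)"
at >> "%LOG%" 2>&1
schtasks /query /fo LIST /v >> "%LOG%" 2>&1

REM 2. Persistence locations: Run / RunOnce for HKCU and HKLM, no third-party tools
for %%H in (HKCU HKLM) do for %%K in (Run RunOnce) do (
    call :section "%%H\Software\Microsoft\Windows\CurrentVersion\%%K"
    reg query "%%H\Software\Microsoft\Windows\CurrentVersion\%%K" >> "%LOG%" 2>&1
)

REM 3. Startup folder without a cd: quote the full path so the tool dir stays current
call :section "All Users Startup folder"
dir /a "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" >> "%LOG%" 2>&1

REM 4. Least volatile last: event logs (security needs admin rights)
for %%L in (system application security) do (
    call :section "Event log: %%L"
    cscript //nologo "%WINDIR%\System32\eventquery.vbs" /fo LIST /l %%L >> "%LOG%" 2>&1
)

call :section "Collection finished"
echo %DATE% %TIME% >> "%LOG%"
endlocal
goto :eof

:section
REM Labelled header so each block of output is identifiable when reviewing the dump
echo. >> "%LOG%"
echo ===== %~1 ===== >> "%LOG%"
goto :eof
```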

  15. Got a sample? I have.. 4 XP based terminals here at home running I could test on. The only permission issue I could see would be with autorun and execution but I could most likely be wrong.

    It executes, just one line doesn't run. I think it was dir C:\Documents and Settings\All Users\Start Menu\Programs\Startup. Anyways it was trying to run a directory listing of a startup folder, and I could run it myself (I have local admin rights on the machine), but when the script executed from the U3 context, I got access denied errors.

  16. Many of the things DingleBerries suggested are already included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening...I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.

  17. So, what else can I pack into this sucker before I redo it to output in HTML format

    **Fishing for suggestions

    HAHA...Hey if you do just the HTML output that would be great. I can handle adding other features, but would love to see what you come up with for HTML output! I think the toolset is pretty solid right now, let's work on that.
