U3 Incident Response Payload

[paradizelost]

Here's an updated piece of code that incorporates a lot of the info gathering ideas that were put forth.

The changes are as follows:

uses the START command to run many commands in parallel rather than all in series. This shortens the amount of time that this takes to run considerably, at a performance hit on the machines while running.

Creates a folder output\%computername% to put the files in, rather than cluttering up one output directory, useful if running on an entire network.

xcopy's the contents of %windir%\system32\drivers\etc

uses microsoft's print server migration tool from http://tinyurl.com/2ab4lz to save all printers, ports, and drivers from the system to a cab file. this can be restored later. Simply download the printmig.exe from MS and put in the U3ir Folder on the thumbdrive. NOTE: PRINTMIG.exe does not work on vista.

fixed the %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs pointing to just %windir%\system32

used the dos TREE command to save an output of non-hidden, non-system files to a text file.

used the SET command and exported the entirety of system variables to a text file.

REM Set log file location

IF NOT EXIST %1\output (
        MD %1\output
        )
IF NOT EXIST %1\output\%computername% (
    MD %1\output\%computername%
    )
CD u3ir

REM enumerate local accounts and currently logged on users
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt

REM Grab network info, arp tables, open connections, and firewall status
START ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
START ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
START arp -a >> %1\output\%computername%\localnet-%computername%.txt
START netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
START route print >> %1\output\%computername%\localnet-%computername%.txt
START type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
START netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
START netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
START net use >> %1\output\%computername%\localnet-%computername%.txt
START gpresult >> %1\output\%computername%\%computername%_GPO.txt
START driverquery >> %1\output\%computername%\%computername%_drivers.txt
START netsh show alias >> %1\output\%computername%\%computername%_alias.txt
START netsh show helper >> %1\output\%computername%\%computername%_helper.txt
START systeminfo /FO LIST >> %1\output\%computername%\%computername%_systeminfo.txt
START tasklist /FO LIST >> %1\output\%computername%\%computername%_tasklist.txt
set >> %1\output\%computername%\%computername%_variables.txt
tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
START printmig.exe -b %1\output\%computername%\%computername_printers.cab
MD %1\output\%computername%\etc
START xcopy /q /e %windir%\system32\drivers\etc %1\output\%computername%\etc
REM Grab a list of installed software and running processes
START psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
START pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
START sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript  %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt

REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
START reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
START reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
START reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
START reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
START reg export HKCC %1\output\%computername%\hkcc-%computername%.reg

REM calculate MD5 hashes of the system directory
START md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
START md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
START md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt

Let me know if you see any issues.

[Matessim]

Can you complie the code to a Zip? would make things more organized ;)

[paradizelost]

The issue there is that some of the software would require redistribution licenses. and a .bat file is easy enough to copy/paste

[Tcstool]

Things need to be kept in a batch file for making changes on the fly and to keep things simple. In addition, before adding the printer script , I checked SEVERAL machines and prnmngr.vbs lived in C:\windows\system32, not the path you have in the script. I'm also not sure about running all tasks in parallel like that. I agree that it improves the performance of the script, but also makes it much harder to see if any errors occur while it's running; Nothing in there really takes very long to run, and trying to dumpe the registry keys or calculate the MD5 hashes in parallel really beats up the machine pretty badly. I'm also not sure about the value of using the print migration tool for restoring printers. This is strictly an information gathering and first responder tool in the event of an incident, and I don't think you gain more value than just dumping the printer information itself.

I do however like the change you made to the output and some of the commands you added. Good job. I'm about to post a new version of the script that incorporates some of it.

[Tcstool]

So here's the latest version of what I have. I've incorporated a lot of the changes suggested. Everyone had great ideas!!! Some of them were redundant of other information that was already being collected, so I selected the solution that I felt had the most valuable or clearest output. Keep those ideas coming!

REM Set log file location

IF NOT EXIST %1\output (
        MD %1\output
        )
IF NOT EXIST %1\output\%computername% (
    MD %1\output\%computername%
    )
CD u3ir

REM enumerate local accounts and currently logged on users
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt

REM Grab network info, arp tables, open connections, and firewall status
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
gpresult >> %1\output\%computername%\%computername%_GPO.txt
driverquery >> %1\output\%computername%\%computername%_drivers.txt
set >> %1\output\%computername%\%computername%_variables.txt
tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
REM Grab a list of installed software and running processes
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript  %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt

REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
reg export HKCC %1\output\%computername%\hkcc-%computername%.reg

REM calculate MD5 hashes of the system directory
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt

[subop]

Looks good man. I have a few suggestions though. What about collecting the data in the order of volatility? Also it's generally a good idea to include the start and end time with date /t and time /t.

Some other useful programs are:

autoruns

handles

promiscdetect

tasklist /svc

cmdline

eldump

NirSoft has a lot of other useful incident response tools. I like your IR kit, it has a lot of potential. Thanks for sharing your work. :)

[Darren Kitchen]

There has been a lot of development on this project so I thought it might be time to add it to the wiki.

http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade

Russell, you can use the Hak5 package hosting at http://www.hak5.org/packages/

Oh yeah, and I took the liberty of creating a logo, just cause I'm a photoshop fiend. Hope that's cool. :)

[Matessim]

well, can we somehow pack it together without the tolls? so we will have a folder which tools needs to be put in too, that would make it easy'er for newbies, just need to download the zip, extract, and download tools to folder.

btw, installed it on my USB, very nice

[paradizelost]

matessim again, the problem with that is we do not have redistribution rights to the 3rd party tools. one gets in a fair bit of legal trouble redistributing without permission. That's why you have to go download the tools yourself.

[Tcstool]

Looks good man. I have a few suggestions though. What about collecting the data in the order of volatility? Also it's generally a good idea to include the start and end time with date /t and time /t.

Some other useful programs are:

autoruns

handles

promiscdetect

tasklist /svc

cmdline

eldump

NirSoft has a lot of other useful incident response tools. I like your IR kit, it has a lot of potential. Thanks for sharing your work. :)

Yeah you're right. I had actually been meaning to put date/time stamps in but got a little overwhelmed with requests after the release of the interview and completely forgot about it. Good call. As far as volatility goes, my theory has always been that if you're skilled enough, it's just as easy to add a registry value as it is to create a user account or start a process on a machine. Really all of it is volatile; There's very little we're collecting here that can't be changed with a single command. I think run order is worth discussing further though. Right now everything is sort of grouped by general category the information falls under, which may not be the best way.

So let's think about these other tools and look for redudancies...any thoughts?

autoruns-Really this information can be gleaned from the registry exports...adding this would be a matter of convenience. I don't think it's that bad examining the .REG files, but if enough people think this would be more convenient I'll add it.

handles-I looked at this one but it has weird issues sometimes and the output isn't as clean, which is why I went with pslist instead.

promiscdetect-I played around with this one but it got blown up by a couple of enterprise AV programs so I left it out. It wouldn't be a bad idea to find something like this we can use though.

tasklist /svc-This information is already collected by pslist and the sc query command.

cmdline-More info please.

eldump-I'm on the fence about this one. I'm not sure if this is worth the extra overhead, because it's so much easier to review the event logs from the machine itself and they can also be easily accessed remotely, or if it's good to have it captured from an evidence perspective. Definitely worth discussing.

However, before we start adding a bunch of third party tools, paradizelost makes a good point:

matessim again, the problem with that is we do not have redistribution rights to the 3rd party tools. one gets in a fair bit of legal trouble redistributing without permission. That's why you have to go download the tools yourself.

I really would love to eliminate as many of the third party tools as possible and do as much with creative command line fu for this very reason. The only places in this where I did opt for third party tools is where the output they gave was much cleaner, or there was functionality that couldn't be accomplished using included tools with Windows. Does anyone know what the licensing for PSTools is? Pre-Microsoft buying them, it was total freeware and able to be redistributed. MD5sums is redistributable I think , based on the licensing info on their website. They seem like nice enough guys, I may shoot them an email. I have privately emailed out a few of the packages with the tools included, but before we do any kind of mass distribution, I want to pare this down to things that are totall redistributable, or do everything with Windows built in functionality (which could mean we need some clever people who can actually write code unlike me to clean up the output a bit!)

[paradizelost]

Most of the information gathered by the 3rd party tools is gathered via WMI i would guess. If there are some creative scripters out there, we could write our own WMI scripts to pull a lot of the information ourselves.

as far as the licensing goes, from the sysinternals website:

Q: May I distribute Sysinternals utilities in my software, on my website, or with my magazine?

A: No. We are not offering any distribution licenses, even if the 3rd party is distributing them for free. We encourage people to download the utilities from our download center where they can be assured to get the most recent version of the utility.

[paradizelost]

The other option may be, as this wouldn't TECHNICALLY be distribution:

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

[mleo2003]

I'm sure that, if some problems arise with licensing, I'm sure some members of the forums would be willing to help you by making programs that emulate the features you want. I know I'd be willing to make a few free programs to help with this.

To everyone suggesting normal SwitchBlade things to add to this, keep in mind that this tool wasn't designed to steal anything from someone, but be a first response action in the event of an forensics investigation. The necessary information for this is very different than just a dump and go that we are used to. Just try to keep that in mind when suggesting things.

As for my suggestion, the Autoruns program would probably be a very good idea, as it would also go through the Startup folder for users and show what is listed there to startup, as well as the registry, and I can see both lists being needed in this kind of information. Also, as to the registry, there is a trick using the Shadow Copy service to get a copy of each actual hive, which would include hidden info that the regular export may not get. I have some information on it, if your interested. Only problem is it requires that service to be on to actually work, so it might be a good secondary measure if possible.

Just my recent thoughts on this.

[paradizelost]

that could be accomplished by doing a NET START VSS first, assuming you have admin rights on the machine you are running this on.

[paradizelost]

Also, with some of the info like pslist, it could be accomplished by using some of the command line options available with tasklist, i.e. if you pay attention to the options on the /FO switch.

[DingleBerries]

Also, with some of the info like pslist, it could be accomplished by using some of the command line options available with tasklist, i.e. if you pay attention to the options on the /FO switch.

isnt tasklist only available in XP pro?

[paradizelost]

i would imagine that in most cases where this is intended for use, would be business environments, that most likely will be running pro, however i have no home machines to test on.

[Tcstool]

that is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner.

Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in depth investigation tactic then what we're going for here.

[paradizelost]

Let me throw this possibility at you. One issue with running any of these tools from within a running windows installation is that it some of the rootkits and etc... can prevent you from seeing the files that it has modified or installed. This is however not possible if you boot to the thumb drive and run the utilities from a USB Live environment. One could create a modified BART environment or Ubuntu environment etc... to back up the necessary registry .DAT files and do a check on the system, etc... without any active windows processes. This would allow one to get a more complete and more accurate configuration, however some of the utilities would need to be figured out how to run to get the info from a non-running system.

[DingleBerries]

Moonlit posted a really good windows PE, maybe work with that, or barts PE. Maybe dump the MBR as well, Ive seen rootkits that write them selfs there as well.. So far though this is great.

[mleo2003]

that is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner.

Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in depth investigation tactic then what we're going for here.

I'm not sure about Autoruns either. Looking on their website, there are options for the program to save output to files, as CSV and XML, so that might be an option.

As to the VSS, it is a little more in-depth than the normal dump, but it would record hidden data, as well as preserve time stamps that those hives might contain. It might be a good follow up technique, but this tool is designed to be a first response in a forensics investigation.

I'd say the MBR dump, and bootable environment were also secondary techniques, not to be done right off the bat. As for a good environment to use, instead of making one, try the Helix project, it was designed to do a lot of this on its own.

[Tcstool]

MLeo2003 and I are on the same page. Since some of our goal is to capture behavior on the machine as it is happening, a live boot environment doesn't help us much. Plus, Helix is already much better at that than anything we could come up with ;) Remember, we're going for grabbing information for analysis to help us make our remediation decisions; We don't have to go too deep down the rabbit hole to get started with that.

[Tcstool]

Another slightly modified version:

• Consolidated some of the output to generate fewer files to sort through
• Added date and time stamps to the start and end of each output file generated

Adding to wiki as version 1.51.

REM Set log file location

IF NOT EXIST %1\output (
        MD %1\output
        )
IF NOT EXIST %1\output\%computername% (
    MD %1\output\%computername%
    )
CD u3ir

REM enumerate local accounts and currently logged on users
echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt

REM Grab network info, arp tables, open connections, and firewall status
echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt

REM Grab a list of installed software and running processes
echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript  %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab group policies applied to the machine
gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab drivers in use on the machine
driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
REM grab system variables
set >> %1\output\%computername%\sysinfo-%computername%.txt
REM Get entire file system structure
tree /F /A %systemdrive%\ >> %1\output\%computername%\sysinfo-%computerame%.txt
echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt

REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
reg export HKCC %1\output\%computername%\hkcc-%computername%.reg

REM calculate MD5 hashes of the system directory
echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt

[beakmyn]

Ok, so I decided to run the tool on my own pc. It took several minutes and I ended up with 200MB of information. Hmm, a bit large.

I saw the issue with redistributing 3rd party tools one solution which I've been adapting is the here:

http://episteme.arstechnica.com/eve/forums.../m/429006588831

It will download the tools on the fly when run. So, we could instruct folks to run the "setup" batch file before creating their iso

Otherwise I can do all this with WMI and vbs scripting like I said before, but I know your trying to stay away from that since you don't want have to work around an overzealous sysadmin whose blocked vbs files, but the initial autorun is vbs ;)

So, I can do formatting of the batch file output in batch but it's very painful.

Although it's not as easy we could compile the .vbs to exe but from what I've found in the past some programs just wrap the vbs in a exe.

[jdogherman]

So is there any way to export the Machine S/N make and model?