Jump to content

U3 Incident Response Payload


Tcstool
 Share

Recommended Posts

Ok, so I decided to run the tool on my own pc. It took several minutes and I ended up with 200MB of information. Hmm, a bit large.

I saw the issue with redistributing 3rd party tools one solution which I've been adapting is the here:

http://episteme.arstechnica.com/eve/forums.../m/429006588831

It will download the tools on the fly when run. So, we could instruct folks to run the "setup" batch file before creating their iso

Otherwise I can do all this with WMI and vbs scripting like I said before, but I know your trying to stay away from that since you don't want have to work around an overzealous sysadmin whose blocked vbs files, but the initial autorun is vbs ;)

So, I can do formatting of the batch file output in batch but it's very painful.

Although it's not as easy we could compile the .vbs to exe but from what I've found in the past some programs just wrap the vbs in a exe.

That's really odd. I have yet to wind up with more than 1 MB of information. Was the bulk of the output in the registry export?

Link to comment
Share on other sites

  • Replies 128
  • Created
  • Last Reply

Top Posters In This Topic

I too experienced a very large dump of information. I was testing it with a 32 MB jump drive, and it filled up fast. It was mainly the Registry Dump, HKLM if I remember correctly. I commented those out, and it finished everything else just fine.

VBS scripts wouldn't be too bad, and would allow us to format the output from them the way we needed.

Link to comment
Share on other sites

I too experienced a very large dump of information. I was testing it with a 32 MB jump drive, and it filled up fast. It was mainly the Registry Dump, HKLM if I remember correctly. I commented those out, and it finished everything else just fine.

VBS scripts wouldn't be too bad, and would allow us to format the output from them the way we needed.

Fair enough; The registry dumps and their value need to be re-examined. Let's discuss.

Well that brings up a question I've wondered...If we are using this in an investigation, or something where authorities potentially need to be involved, how much does altering the format of the data damage the integrity of your evidence? The only other concern I have with using VBScript is I've found that AV/antispyware programs are more picky about lauching VBScript then batch script.

Link to comment
Share on other sites

On my machine, the registry export was >200MB, i'm running vista. That is also what took the bulk of the time to run.

As far as a machine that may need to be turned over to the authorities, they'll generally take the hard drive and do their own analysis rather than trust what you tell them, also if it is a situation like that, you've already compromised the data if you modify the hard drive.

Also, i'm not terribly concerned with the size, officemax has 8GB drives available for $30 right now, so size really should be an issue other than for cheap admins... ;)

Link to comment
Share on other sites

Fair enough; The registry dumps and their value need to be re-examined. Let's discuss.

Well that brings up a question I've wondered...If we are using this in an investigation, or something where authorities potentially need to be involved, how much does altering the format of the data damage the integrity of your evidence? The only other concern I have with using VBScript is I've found that AV/antispyware programs are more picky about lauching VBScript then batch script.

@jdogherman

Yes, using vbscript I do it in my hacksaw

@tcstool

What are you looking for when you dump the registry? I would think you'd want the various autorun values as a start. Then go from there.

The directory list also took a fair amount of space on my sytems also.

Link to comment
Share on other sites

Well I figured some info out my using WMIC but my new issue is that this is basicly going to allow a user to register there system so it will be a program that they can run. But how can I get the data back. I was looking into hacksaw.

has anyone worked with this?

Thanks

Link to comment
Share on other sites

@paradizelost: I agree, I have an 8G stick that I'm using for file storage right now, I just haven't taken the time to run the new setup to get a custom ISO put on it currently. And what's wrong with being cheap? ;)

@TCStool: I was wondering that myself, not only from altering the format, but if a registry dump messed with the time stamps that police/others might want to see. That's one of the reasons I initially suggested copying the raw hive files, to keep all time stamps and formatting like they are originally. As to the actual format of the data, I'd say it wouldn't hurt, as long as they can still see all the data they need to see. Otherwise, when an investigator had to use a Linux tool to pull info from a Windows box, that'd change the format of the data, but it still works for their purposes.

As far as the rest of the tools, I can't see much problem with most of them, as they are all built into Windows, and just report data back without changing it. I'm not sure how the PS tools work, probably just WMI calls, so still mainly Windows built-in functionality, and those are even supported by Microsoft now. The only one that kind of might be a problem would be MD5Sums. Since it has to open each file to calculate the MD5 of them, that'll screw with time stamps on last accessed, but hopefully the last modified date and created dates will be of more value than that one.

Best thing to do, when doing this, is to document everything you do, in great detail. That way, if questions regarding your steps arise, you can always show your logs of what was done, when, and why.

Link to comment
Share on other sites

@paradizelost: I agree, I have an 8G stick that I'm using for file storage right now, I just haven't taken the time to run the new setup to get a custom ISO put on it currently. And what's wrong with being cheap? ;)

@TCStool: I was wondering that myself, not only from altering the format, but if a registry dump messed with the time stamps that police/others might want to see. That's one of the reasons I initially suggested copying the raw hive files, to keep all time stamps and formatting like they are originally. As to the actual format of the data, I'd say it wouldn't hurt, as long as they can still see all the data they need to see. Otherwise, when an investigator had to use a Linux tool to pull info from a Windows box, that'd change the format of the data, but it still works for their purposes.

As far as the rest of the tools, I can't see much problem with most of them, as they are all built into Windows, and just report data back without changing it. I'm not sure how the PS tools work, probably just WMI calls, so still mainly Windows built-in functionality, and those are even supported by Microsoft now. The only one that kind of might be a problem would be MD5Sums. Since it has to open each file to calculate the MD5 of them, that'll screw with time stamps on last accessed, but hopefully the last modified date and created dates will be of more value than that one.

Best thing to do, when doing this, is to document everything you do, in great detail. That way, if questions regarding your steps arise, you can always show your logs of what was done, when, and why.

Hey I"m not going to bash ANYONE for being cheap, given I did my PhreakNIC presentation of this from a 1 GB U3 drive!

I think that copying the raw hive files isn't a bad idea. The only thing I'm leery of is having to manipulate the machine too much to accomplish this (i.e. by having to start services etc.) WMI makes me nervous too; Working for several MSPs I've seen way too many issues with DCOM permissions, WMI permissions, services being disabled etc. I don't think pstools is utilizing WMI, but I want to check and be sure.

I was dumping the entire registry with the thought of it being possible to import them to a VM later for analysis. But that may be stepping outside the lines of incident response and more along the lines of malware and code analysis. Probably paring this down to the autorun keys etc. would be sufficient, if nobody has any objections.

The file tree structure I've only tested on Vista, and it was quite fast. Not sure about an XP box or a larger hard drive so we need to do some more benchmarking on this.

mleo2003 makes a good point about md5sums. Perhaps this needs to be implemented with a prompt before it runs, offering the user the chance NOT to run it and mess with the time/date stamps.

Link to comment
Share on other sites

I am sure anyone can answer this question but I tried configuring my 1 GB scandisk U3 device to run this payload but I am unable too. I plug the device in run the universal_customizer unplug plugback in and nothing. I even make sure that the gpolicy is setup to not disable autoplay on all devices.

Thanks in advance,

Link to comment
Share on other sites

Hey all sorry for the lack of updates and versions. I'm working on testing some of the latest ideas you guys have, but unfortunately the stuff I have to do to pay my bills (i.e. work) has taken over the better portion of my time lately. I'll have a new version out by the weekend hopefully. Thanks for being patient!

Link to comment
Share on other sites

Hey all sorry for the lack of updates and versions. I'm working on testing some of the latest ideas you guys have, but unfortunately the stuff I have to do to pay my bills (i.e. work) has taken over the better portion of my time lately. I'll have a new version out by the weekend hopefully. Thanks for being patient!

Sweet, I seem to have lost track of this thread myself.. I rather like beakmyn's idea about on the fly downloads the only question would be where it stores them pre-run and if removed completely on post run.. if 'yadda.exe' isnt present download and run it if internet connection is present else command line fu. In terms of the registry I agree first run and run are typically where the spy/malware hide to reinstall themselves so for efficiency it would be required rather than a complete dump.

Since your doing the command line.. how would we do a list of restore points on the machine?

AND, since your point of externl observation was brought up earlier.. might want to consider exporting your error logs (if applicable). see ref: http://articles.techrepublic.com.com/5100-...11-5786621.html but rather than scan the whole of the logs for "warning" or "error" from the beginning of time perhaps limit the backtrace to 2 weeks since its a first response tool.

**That will be a stupid question on my part no doubt. I have GOT to stop editing this thread! Now.. I wonde if I can trick this out like Beaker did and have it in a folder with HTML output to link to the files for easier review... Damn.. not coming back here for a week

Link to comment
Share on other sites

I am sure anyone can answer this question but I tried configuring my 1 GB scandisk U3 device to run this payload but I am unable too. I plug the device in run the universal_customizer unplug plugback in and nothing. I even make sure that the gpolicy is setup to not disable autoplay on all devices.

Thanks in advance,

Anyone care to tell me how the went about setting up there usb drive? Also can I use a none U3 drive like PNY or would my sandisk work?

Link to comment
Share on other sites

Guys,

I have version 1.6 of the payload posted below. Wiki page ()http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade) has also been updated accordingly.

Revisions:

  • Added list of all the groups on the system
  • Added list of user accounts that are members of the administrators group
  • Added a randomly generated number as a signature to the bottom of each output file
  • Added enumeration of which services are running out of which process
  • No longer exports the entire registry into .REG files; Instread uses STDOUT To enumerate HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,RUNONCE and same values under HKCU into the sysinfo output file
  • Removed file tree enumeration to speed things up
  • Renamed go.bat and go.vbs to forensicsstart.bat and forensicsstart.vbs to prevent AV issues.

As far as some of the other ideas proposed...As far as downloading the tools on the fly, I feel this is providing too much insight for an attacker into our investigation...If an attacker is on a machine watching the network traffic, he gets too much of an opportunity to see what we're downloading and can start covering his tracks. A process quickly running and dying gives a much smaller window of opportunity for the integrity of our investigation to be compromised. I haven't found a good way of listing restore points from the command prompt yet but really want to get this going. Likewise for event logs...I can do it, but the formatting is sloppy right now. Working on it though and hopefully will be able to incorporate this stuff in the next version.

REM Set log file location

IF NOT EXIST %1\output (
        MD %1\output
        )
IF NOT EXIST %1\output\%computername% (
    MD %1\output\%computername%
    )
CD u3ir

REM enumerate local accounts, local groups, currently logged on users, and members of the administrators group
echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
net localgroup >> %1\output\%computername%\localaccts-%computername%.txt
net localgroup administrators >> %1\output\%computername%\localaccts-%computername%.txt
echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\localaccts-%computername%.txt

REM Grab network info, arp tables, open connections, and firewall status
echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt
echo FILE SIGNATURE  %random%%random%%random% >> %1\output\%computername%\localnet-%computername%.txt

REM Grab a list of installed software and running processes
echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Enumerate services running out of each process
tasklist /svc >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript  %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab group policies applied to the machine
gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab drivers in use on the machine
driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
REM grab system variables
set >> %1\output\%computername%\sysinfo-%computername%.txt
REM Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\sysinfo-%computername%.txt

REM calculate MD5 hashes of the system directory
echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\osmd5-%computername%.txt

Link to comment
Share on other sites

Umm. the wiki download still shows reference to the "go" files in both the archive as well as the ISO..

Yeah sorry about that...I don't have control over that server and I don't think he got the new version uploaded until a couple of minutes ago!

EDIT: Verified it's OK now

Link to comment
Share on other sites

Here are a few light weight apps I think might be useful

RegShot, If all the machines are installed exactly the same way, i.e same reg settings, then this can be used to check if any of them have been changed, autorun. Problem, well like many have mentioned in this topic, these Registry's can become huge and cumbersome.

Test Run, provides an inert registry while testing apps. Cant think of a use as of yet, however still interesting. *Maybe the systernal tools write to the registry, this could? prevent that?*

Uptime, only 6k and it will tell you the uptime of the computer. Warning, page take years to load.

Just some things i found and thought interesting

Link to comment
Share on other sites

I can see the new layout however after running I have a few questions:

Should the new layout only output four files?

1-localaccts

2-osmd5

3-sysinfo

4-localnet

Also I was unable to find any of the registry queries in the sysinfo file.

Yes, only 4 output files (for now).

Hm...I see now that the registry queries are generating "access denied" errors! However, as the user, I can run them from the command line. We need to determine the context U3 is executing under. I'll work on that.

EDIT: Thank you very much, awesome Windows security. It seems from the context the VBScript runs in, I can't query the registry key values, but I can export them and look at them. You can download the amended version 1.6.1 from the link on the wiki (not for sure when it will be posted to the mirror) , or simply modify the code as follows:

inside forensicsstart.bat, replace this:

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt

With:

reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKLMrun.reg
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKLMrunonce.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKCUrun.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKCUrunonce.reg

Link to comment
Share on other sites

Added my suggestion above to export 'Error' from System logging. (Note /V is detailed description). Didnt see a point in doing Warnings as Im mainly concerned with issues that dont function.

REM Grab Sytem Error Log for Review (Error ONLY)
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System >> %1\output\%computername%\syslog-%computername%.txt
REM Grab Application Error Logs for Review
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application >> %1\output\%computername%\syslog-%computername%.txt

Link to comment
Share on other sites

The other option may be, as this wouldn't TECHNICALLY be distribution:

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

Ok that is so cool, is there a way to do this with my own tools without exposing the RPC service?

Link to comment
Share on other sites

Added my suggestion above to export 'Error' from System logging. (Note /V is detailed description). Didnt see a point in doing Warnings as Im mainly concerned with issues that dont function.

REM Grab Sytem Error Log for Review (Error ONLY)
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System &gt;&gt; %1\output\%computername%\syslog-%computername%.txt
REM Grab Application Error Logs for Review
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application &gt;&gt; %1\output\%computername%\syslog-%computername%.txt

Hey that's not half bad! Definitely going in the next release!

Link to comment
Share on other sites

So when i plug it into a computer, it'll run automatically, right?

Edit: just tested, anyway to fix no drive error because of the multimedia drives? also, anyway to hide the cmd cause it's showing

Yes, should run automatically on an XP/2000 machine. I'm not sure what you're referring to with the no drive error. The cmd could be hidden, but if I'm conducting an investigation I would prefer to see what's being run and if anything errors out. This really isn't a tool designed to be stealthy.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.


×
×
  • Create New...