Comments on My Random Thoughts on InfoSec: Solution to Jack Crook's Memory Analysis Challenge
(comment feed, last updated 2016-05-02T15:08:27-07:00)

Adam, 2016-05-01T23:49:51-07:00:

Nice writeup. I know I'm several months late on this, but I just ran across Jack's Tweet today and decided to give it a shot.

I eventually got stuck while trying to find 12.bat in memory. I kept trying to find it using the 'handles' Volatility plugin, but seemingly nothing had a handle to the bat file open at the time the memory image was taken. I completely forgot about the filescan plugin...

Like you, initially I was unable to find out how the at job was scheduled - eventually I found the following HTTP request while sifting through memory strings. As you correctly assumed, it was accomplished through the web shell:

---------------

POST /webfiles/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.56.30:8080/webfiles/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 192.168.56.30:8080
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=D4BB0A17D08FE321DF87835231D79824

text=%0D%0A&dir=C%3A%5CWindows&command=at+18%3A25+c%3A%5Cwindows%5C12.bat&Submit=Launch&sort=1

---------------

...additionally I have written my own parser for .job files, and was able to yank the information below out of the job file itself. Disclaimer: I have yet to publicly release my parser, and it hasn't properly been tested yet. Specifically, I have a sneaking suspicion that my "Flags" field is incorrect. In any event, here it is:

Product Version: Windows Vista
Job UUID: {486CBF7C-AABC-4E56-928F-6EB70574CCB}
Error Retry Count: 0
Error Retry Interval (minutes): 0
Idle Deadline (minutes): 60
Idle Wait (minutes): 10
Priority: NORMAL_PRIORITY_CLASS
Maximum Run Time (ms): 259200000
Status: SCHED_S_TASK_RUNNING
Flags: TASK_APPLICATION_NAME TASK_FLAG_DELETE_WHEN_DONE
Running Instance Count: 1
Application Name: c:\windows\12.bat
Parameters: None
Working Directory:
Author: SYSTEM
Comment: Created by NetScheduleJobAdd.
Trigger Type: ONCE
First Scheduled Date: 6-11-2015
First Scheduled Time: 18:25

Anonymous, 2015-12-14T18:57:10-08:00:

Thanks for the write up! Great blog BTW

Matt, 2015-11-20T15:37:42-08:00:

Hi, Darcy, thanks for your comments. I believe I used Volatility's dumpfiles plugin to extract the EVTX logs after locating their offsets with the filescan plugin. Jamie Levy (@gleeda) from the Volatility team later told me the EVTXtract tool is good at parsing corrupted EVTX files, although I never went back to try it with this scenario. See https://github.com/williballenthin/EVTXtract

Darcy A, 2015-11-19T23:29:41-08:00:

Great write up. What command or tool did you use to get "evtx" logs from memory?

Matt, 2015-11-17T17:21:01-08:00:

Nice, thanks for sharing that.

Unknown, 2015-11-16T18:42:37-08:00:

Thanks. "Unknown" here again. I used the schtasks module from https://github.com/binglot/misc to track down 12.bat's execution cycle.

$ vol.py -f ../WIN-CEKM08E74HR-20150611-222930.raw --profile=VistaSP1x86 schtasks
Volatility Foundation Volatility Framework 2.5
Offset(P) ScheduledDate MostRecentRunTime Application Author RunInstanceCount MaxRunTime ExitCode Comment
0x0c8f8ba8 2015-06-11 18:25:00.000 2015-06-11 18:25:00.028 c:\windows\12.bat SYSTEM 1 72:00:00.0 0x00000000 Created by NetScheduleJobAdd.
0x0c8f8cf0 2015-06-11 18:25:00.000 2015-06-11 18:25:00.028 c:\windows\12.bat SYSTEM 1 72:00:00.0 0x00000000 Created by NetScheduleJobAdd.
0x0ca2d5c0 2015-06-11 18:25:00.000 Not run yet c:\windows\12.bat SYSTEM 0 72:00:00.0 0x00000000 Created by NetScheduleJobAdd.
0x0ca2d6c8 2015-06-11 18:25:00.000 Not run yet c:\windows\12.bat SYSTEM 0 72:00:00.0 0x00000000 Created by NetScheduleJobAdd.
0x10332118 2015-06-11 18:25:00.000 2015-06-11 18:25:00.028 c:\windows\12.bat SYSTEM 1 72:00:00.0 0x00000000 Created by NetScheduleJobAdd.
0x10476000 2015-06-11 18:25:00.000 2015-06-11 18:25:00.028 c:\windows\12.bat SYSTEM 1 72:00:00.0 0x00000000 Created by NetScheduleJobAdd.

Matt, 2015-11-16T15:40:12-08:00:

Good question, "Unknown". The GET/POST requests found in strings are web server logs showing 58.64.141.245 as the source IP address of the connections. The same IP was the only IP shown as a foreign connection in the Volatility netscan output. Additionally, the timestamps of the connections from that IP line up with file system activity from the MFT. If I remember correctly, I found the strings of the web server logs by grepping for the IP address after finding the IP via netscan.

Unknown, 2015-11-16T15:24:36-08:00:

How do you directly correlate the attacker's IP with detailed GET/POST found randomly throughout the vol strings module output? Are you just pivoting against the commands used as the URI to make that link?

Matt, 2015-11-09T14:47:26-08:00:

I appreciate the feedback, David. The ShimCacheMem plugin hadn't been published yet when I originally did this write-up, and I never went back to try it. It's nice to see it worked in this situation - additional confirmation never hurts!

Anonymous, 2015-11-09T07:44:30-08:00:

Thanks for the awesome walkthrough Matt.

I just wanted to let you know also that the new shimcachemem plugin was able to identify the bg.jpg file, the fact that it executed, and the files that executed before and after it. The standard shimcache plugin wasn't able to detect this evidence.

Not sure how much value it adds in this case since we already knew about the file and it had a process so it was executing, but it may be useful in the future.

https://github.com/fireeye/Volatility-Plugins/tree/master/shimcachemem
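Adam's comment in this thread describes a home-grown parser for Task Scheduler 1.0 .job files and lists the fields it recovered from the 12.bat job, while "Unknown" gets the same fields from the Volatility schtasks module. The following is an added example, not Adam's parser and not code from the blog post or from either plugin: a minimal Python parser for the .job layout documented in MS-TSCH (68-byte FIXDLEN_DATA header, length-prefixed UTF-16LE strings, 48-byte trigger records). It runs against a .job blob that the script itself constructs to mirror the values quoted in the thread; the GUID in that sample is a constructed placeholder. The flag table names only the mstask.h TASK_FLAG_* bits and reports any other bit as raw hex rather than guessing a name, which is the safe way to handle the uncertainty Adam raises about his Flags field. The layout_ok check catches a carved file whose variable-length section does not end exactly at the trigger offset the header claims.

```python
"""Minimal parser for the Windows Task Scheduler 1.0 .job format (MS-TSCH).

Added example. Constants follow mstask.h / MS-TSCH; the sample job built by
build_sample_job() is constructed here and is not the real 12.bat job file.
"""
import struct
import uuid

PRODUCT_VERSION = {0x0400: "Windows NT 4.0", 0x0500: "Windows 2000",
                   0x0501: "Windows XP", 0x0600: "Windows Vista", 0x0601: "Windows 7"}
PRIORITY = {0x20: "NORMAL_PRIORITY_CLASS", 0x40: "IDLE_PRIORITY_CLASS",
            0x80: "HIGH_PRIORITY_CLASS", 0x100: "REALTIME_PRIORITY_CLASS"}
STATUS = {0x00041300: "SCHED_S_TASK_READY", 0x00041301: "SCHED_S_TASK_RUNNING",
          0x00041302: "SCHED_S_TASK_DISABLED", 0x00041303: "SCHED_S_TASK_HAS_NOT_RUN",
          0x00041304: "SCHED_S_TASK_NO_MORE_RUNS", 0x00041305: "SCHED_S_TASK_NOT_SCHEDULED"}
# Only the well-known mstask.h bits are named; decode_flags() reports the rest as hex.
FLAGS = {0x1: "TASK_FLAG_INTERACTIVE", 0x2: "TASK_FLAG_DELETE_WHEN_DONE",
         0x4: "TASK_FLAG_DISABLED", 0x10: "TASK_FLAG_START_ONLY_IF_IDLE",
         0x20: "TASK_FLAG_KILL_ON_IDLE_END", 0x40: "TASK_FLAG_DONT_START_IF_ON_BATTERIES",
         0x80: "TASK_FLAG_KILL_IF_GOING_ON_BATTERIES", 0x100: "TASK_FLAG_RUN_ONLY_IF_DOCKED",
         0x200: "TASK_FLAG_HIDDEN", 0x400: "TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET",
         0x800: "TASK_FLAG_RESTART_ON_IDLE_RESUME", 0x1000: "TASK_FLAG_SYSTEM_REQUIRED",
         0x2000: "TASK_FLAG_RUN_ONLY_IF_LOGGED_ON"}
TRIGGER_TYPE = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}

# FIXDLEN_DATA: 68 bytes little-endian, ending in a SYSTEMTIME (8 x uint16).
FIXED_FMT = "<HH16sHHHHHHIIIII8H"
FIXED_LEN = struct.calcsize(FIXED_FMT)
TRIGGER_FMT = "<10H4I6H"  # one 48-byte trigger record


def _ustr(buf, off):
    """Length-prefixed UTF-16LE string; the length counts characters incl. the NUL."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00"), off + 2 * n


def _blob(buf, off):
    """Size-prefixed byte blob (User Data / Reserved Data)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def decode_flags(value):
    names = [name for bit, name in FLAGS.items() if value & bit]
    unknown = value & ~sum(FLAGS) & 0xFFFFFFFF
    if unknown:
        names.append("0x%08x" % unknown)  # bits this table does not name
    return names


def parse_job(buf):
    """Parse a .job blob (for example one carved from memory) into a dict of fields."""
    f = struct.unpack_from(FIXED_FMT, buf, 0)
    (prod, _filever, guid, app_off, trig_off, retry_cnt, retry_int, idle_dl, idle_wait,
     prio, max_run, exit_code, status, flags) = f[:14]
    y, mo, _wday, d, h, mi, s, ms = f[14:]            # most recent run, SYSTEMTIME
    (run_count,) = struct.unpack_from("<H", buf, FIXED_LEN)
    off = app_off
    app, off = _ustr(buf, off)
    params, off = _ustr(buf, off)
    workdir, off = _ustr(buf, off)
    author, off = _ustr(buf, off)
    comment, off = _ustr(buf, off)
    _user, off = _blob(buf, off)
    _reserved, off = _blob(buf, off)
    (trig_count,) = struct.unpack_from("<H", buf, trig_off)
    triggers = []
    for i in range(trig_count):
        t = struct.unpack_from(TRIGGER_FMT, buf, trig_off + 2 + 48 * i)
        triggers.append({"type": TRIGGER_TYPE.get(t[13], "0x%08x" % t[13]),
                         "start": "%04d-%02d-%02d %02d:%02d" % (t[2], t[3], t[4], t[8], t[9]),
                         "flags": t[12]})
    return {
        "product_version": PRODUCT_VERSION.get(prod, "0x%04x" % prod),
        "uuid": str(uuid.UUID(bytes_le=guid)).upper(),
        "error_retry_count": retry_cnt, "error_retry_interval_min": retry_int,
        "idle_deadline_min": idle_dl, "idle_wait_min": idle_wait,
        "priority": PRIORITY.get(prio, "0x%08x" % prio),
        "max_run_time_ms": max_run, "exit_code": exit_code,
        "status": STATUS.get(status, "0x%08x" % status),
        "flags": decode_flags(flags),
        "most_recent_run": "Never" if y == 0 else
            "%04d-%02d-%02d %02d:%02d:%02d.%03d" % (y, mo, d, h, mi, s, ms),
        "running_instance_count": run_count,
        "application_name": app, "parameters": params, "working_directory": workdir,
        "author": author, "comment": comment, "triggers": triggers,
        # A carved file whose variable section does not end at the trigger offset is
        # truncated or misparsed; surface that instead of silently trusting the output.
        "layout_ok": off == trig_off,
    }


def build_sample_job():
    """Constructed sample mirroring the values quoted in the thread (not the real file)."""
    def ustr(s):
        if not s:
            return struct.pack("<H", 0)
        return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")
    var = struct.pack("<H", 1)                       # Running Instance Count
    for s in ("c:\\windows\\12.bat", "", "", "SYSTEM", "Created by NetScheduleJobAdd."):
        var += ustr(s)                               # app, params, workdir, author, comment
    var += struct.pack("<H", 0)                      # User Data: none
    var += struct.pack("<H", 8) + bytes(8)           # Reserved Data
    trig_off = FIXED_LEN + len(var)
    trigger = struct.pack(TRIGGER_FMT, 48, 0, 2015, 6, 11, 0, 0, 0, 18, 25,
                          0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # type 0 = ONCE
    var += struct.pack("<H", 1) + trigger
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # constructed GUID
    head = struct.pack(FIXED_FMT, 0x0600, 0x0001, guid, FIXED_LEN + 2, trig_off,
                       0, 0, 60, 10, 0x20, 259200000, 0, 0x00041301, 0x2,
                       2015, 6, 4, 11, 18, 25, 0, 28)
    return head + var


if __name__ == "__main__":
    for k, v in parse_job(build_sample_job()).items():
        print("%-26s %s" % (k, v))
```

To use it on a real artifact, pass the bytes of a .job file recovered with filescan plus dumpfiles (or carved from a strings hit) to parse_job(); if layout_ok is False, treat the string fields as unreliable and compare them against the schtasks output before drawing conclusions.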