Friday, June 14, 2019

Introducing SEPparser

SEPparser was created because I could not find anything to parse Symantec's Endpoint Protection logs into a human readable form. I was fairly successful with MS Logparser but it couldn't parse all the logs correctly. It did not make sense to me to have to go into SEPMC to query logs when they were right on the endpoint. These logs contain a wealth of untapped information that can be used during an investigation. I hope you find it useful.

SEPparser is a command line tool for parsing Symantec Endpoint Protection logs. You can either feed it a single file or an entire directory. This even works remotely. SEPparser will figure out what log it is and parse it correctly.

Symantec logs are in the following locations:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
C:\Users\%user%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs


SEPparser.py -h
usage: SEPparser.py [-h] [-f FILE] [-d DIR] [-o OUTPUT] [-a]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  file to be parsed
  -d DIR, --dir DIR     directory to be parsed
  -o OUTPUT, --output OUTPUT
                        directory to output files to. Default is current
                        directory.
  -a, --append          append to output files.

By default, all csv files will be placed in the directory SEPparser is run from. You can also designate a folder to store them in with the -o option.

After running, the directory should look like this:
The csv files correspond to the logs you would find in the SEP gui on the endpoint. SEPparser also parses additional information out of the log that you would not see in the gui. The Symantec_Timeline.csv is the combined results of the daily AV logs and the AVMan.log. As an example, let's look at a risk entry in the SEP gui. This is all the information you will get.
Let's see what additional information we can get with SEPparser. SEPparser will give us information like company name, file size, file hash, product version, and product name.



We can also find the signing certificate information.



In addition to the log files, a packet.txt file is created. This file is a hex dump of all packets from the packet log and can be viewed with Wireshark.
In Wireshark go to File > Import from Hex Dump...

Select the packet.txt file and click Import.

You can now view the packets and save them in a pcap if you choose.
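
For readers who want to see what an importable hex dump looks like, here is an added example (not SEPparser's own code) that writes packets in the od-style layout Wireshark's "Import from Hex Dump" reads, and parses such a file back. The format is assumed to be a hex offset followed by hex bytes, with the offset restarting at 0 for each new packet; the packet bodies are constructed.

```python
# Added example (not SEPparser's own code): write raw packets in the
# od-style hex dump that Wireshark's "Import from Hex Dump" (text2pcap)
# reads, and parse such a file back. Assumed format: a hex offset followed
# by hex bytes, with the offset restarting at 0 for each new packet.
# The packets used at the bottom are constructed, not real captures.


def to_hexdump(packets):
    """Render a list of byte strings as one importable hex dump."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), 16):
            chunk = pkt[off:off + 16]
            lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
        lines.append(f"{len(pkt):06x}")  # bare final offset, as od prints it
    return "\n".join(lines) + "\n"


def from_hexdump(text):
    """Parse the dump back into packets; an offset of 0 starts a new packet."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        offset = int(parts[0], 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        current.extend(int(h, 16) for h in parts[1:])
    if current:
        packets.append(bytes(current))
    return packets


if __name__ == "__main__":
    sample = [bytes(range(20)), b"\xaa" * 17]  # constructed packet bodies
    dump = to_hexdump(sample)
    print(dump)
    assert from_hexdump(dump) == sample
```

The dump carries no link-layer information, so at import time choose the encapsulation that matches the bytes in the file or Wireshark will dissect them wrongly.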

Download
https://github.com/Beercow/SEPparser
https://github.com/Beercow/SEPparser/releases

Tuesday, April 2, 2019

Copying locked OST files

When trying to copy .ost files that were in use, I was running into the following error:

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

Operation terminated with error -1 (JET_wrnNyi, Function Not Yet Implemented) after 4.390 seconds.

The reason is that the Windows VSS engine ignores Outlook's .OST files.

To work around this, the OutlookOST value must be deleted from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot.

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /f

Once this is done, the file can be copied.

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

And then the value can be restored when the file is done being copied.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /t REG_MULTI_SZ /d $UserProfile$\AppData\Local\Microsoft\Outlook\*.ost /f

Monday, April 1, 2019

All things Symantec

This post contains information on my research into Symantec logs and quarantine files. Content will be updated regularly.

Symantec Endpoint Protection Logs

Symantec Management Client (smc) does not show the entire contents of the log. smc.exe has an -exportlog command-line switch where you can select a log type to export. Log_type numbers are as follows:
  • 0 = System Log
  • 1 = Security Log
  • 2 = Traffic Log
  • 3 = Packet Log
  • 4 = Control Log
These numbers also correlate to an entry in the header of the logs found in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs.
  • 0 = syslog.log
  • 1 = seclog.log
  • 2 = tralog.log
  • 3 = rawlog.log
  • 4 = processlog.log

Log File Structure

Symantec Endpoint Protection VBN Files

Folder structure makes a difference in what is contained in the vbn file. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the quarantine folder, there is a vbn file and a folder with the same name as the vbn file.

Wednesday, December 5, 2018

Comparing Packet Captures to Procmon Traces Revisited

In my previous post, Comparing Packet Captures to Procmon Traces, I demonstrated how to match Procmon to pcap data. When I looked at this again, I noticed something peculiar. When Procmon shows a length of 3760, everything gets thrown off.

Looking at the output from Procmon and TCPdump, everything matches up until we hit a length of 3760. So what is happening here? It turns out, if you want to match the packets up, one of them needs to be split.

So it turns out there is an exception to the rule. If the length equals 3760, we have to add the length of the next entry to it. The packets in TCPdump should add up to this combined number. Looking at the example, the third packet will be split between the two Procmon entries.
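
The matching rule above, including the 3760 exception, as an added example (not code from the original post). It assumes you have already extracted the Procmon Length values and the capture's TCP payload lengths as two lists in order; the sample lengths are constructed.

```python
# Added example (not the author's code): align Procmon TCP Send/Receive
# "Length" values with payload lengths from a capture, honouring the 3760
# exception the post describes. The sample lengths below are constructed.
PROCMON_SPLIT_LENGTH = 3760


def group_procmon_lengths(lengths):
    """Fold each 3760 entry together with the entry that follows it.

    Returns a list of (expected_bytes, [procmon_indices]).
    """
    groups, i = [], 0
    while i < len(lengths):
        if lengths[i] == PROCMON_SPLIT_LENGTH and i + 1 < len(lengths):
            groups.append((lengths[i] + lengths[i + 1], [i, i + 1]))
            i += 2
        else:
            groups.append((lengths[i], [i]))
            i += 1
    return groups


def match_packets(procmon_lengths, pcap_lengths):
    """Assign consecutive capture packets to each Procmon group until the
    payload bytes add up to the group's expected size.

    Returns a list of ([procmon_indices], [pcap_indices]). A ValueError
    means the two sources have drifted apart and cannot be reconciled.
    """
    matches, p = [], 0
    for expected, pm_idx in group_procmon_lengths(procmon_lengths):
        total, used = 0, []
        while total < expected:
            if p >= len(pcap_lengths):
                raise ValueError(f"capture exhausted while matching {pm_idx}")
            total += pcap_lengths[p]
            used.append(p)
            p += 1
        if total != expected:
            raise ValueError(f"Procmon {pm_idx} expects {expected} bytes, "
                             f"packets {used} give {total}")
        matches.append((pm_idx, used))
    return matches


if __name__ == "__main__":
    # Constructed: the third 1460-byte packet is split between the 3760
    # entry and the 1200 entry, so only the combined total (4960) matches.
    procmon = [1460, 3760, 1200, 500]
    capture = [1460, 1460, 1460, 1460, 580, 500]
    for pm, pk in match_packets(procmon, capture):
        print(f"Procmon {pm} <-> packets {pk}")
```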

Friday, August 3, 2018

Windows 10 Notification WAL database

David Cowen recently wrote an article about revisiting the Windows 10 Notification database. From my observations, the database is in Write-Ahead Logging mode. The wpndatabase.db-wal file can contain deleted entries. I came up with a way to view the wal file.

I forked a python script (Walitean) because the endianness of the integers was wrong. With my forked version, you can convert the wal file into a sql database to view by doing the following:

Once the wal file is converted, you can run the following sql query to parse the database:

SELECT unknown0 AS Id, unknown1 AS HandlerId, unknown2 AS ActiveId, unknown3 AS Type, unknown4 AS Payload, unknown5 AS Tag, unknown6 AS 'Group',
       datetime((unknown7/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
       datetime((unknown8/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
       unknown9 AS DataVersion
FROM IIBTBUUIIU
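
To check the FILETIME arithmetic in that query before trusting it on real evidence, here is an added example (not the author's or walitean's code) that runs the query against a small in-memory copy of the converted table. The table and column names are the ones the query uses; the single row and its timestamps are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Added example: run the post's query on a constructed in-memory copy of the
# walitean output table. Only the table/column names come from the post.
QUERY = """
SELECT unknown0 AS Id, unknown1 AS HandlerId, unknown2 AS ActiveId,
       unknown3 AS Type, unknown4 AS Payload, unknown5 AS Tag,
       unknown6 AS 'Group',
       datetime((unknown7/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
       datetime((unknown8/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
       unknown9 AS DataVersion
FROM IIBTBUUIIU
"""

EPOCH_DIFF = 11644473600  # seconds between 1601-01-01 and 1970-01-01


def unix_to_filetime(ts):
    """Inverse of the query's conversion: Unix seconds -> 100 ns ticks since 1601."""
    return (int(ts) + EPOCH_DIFF) * 10_000_000


def build_sample_db():
    """In-memory table with one constructed notification row."""
    con = sqlite3.connect(":memory:")
    cols = ", ".join(f"unknown{i}" for i in range(10))
    con.execute(f"CREATE TABLE IIBTBUUIIU ({cols})")
    arrival = datetime(2018, 8, 3, 12, 0, 0, tzinfo=timezone.utc).timestamp()
    expiry = arrival + 3600  # one hour later
    con.execute(
        "INSERT INTO IIBTBUUIIU VALUES (?,?,?,?,?,?,?,?,?,?)",
        (1, 2, 0, "toast", "<toast/>", "tag", "grp",
         unix_to_filetime(expiry), unix_to_filetime(arrival), 1),
    )
    return con


def query_notifications(con):
    """Run the post's query and return rows as dicts keyed by the aliases."""
    con.row_factory = sqlite3.Row
    return [dict(r) for r in con.execute(QUERY)]


if __name__ == "__main__":
    for row in query_notifications(build_sample_db()):
        print(row["ArrivalTime"], row["ExpiryTime"], row["Group"])
```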

My forked version of Walitean can be found here:

https://github.com/Beercow/walitean

Wednesday, May 16, 2018

ProcDOT GeoIP plugin

Today I would like to introduce to you my first event handler plugin. The plugin is designed to run after you click on the refresh button in ProcDOT. You will need an Internet connection on first run because GeoIP needs to download the MaxMind databases to get the location information on the IP address. The GeoIP information is then added to the details view on a server node.

Details view without GeoIP plugin

Details view with GeoIP plugin

There is a pretty interesting side effect that I happened to come across. The plugin also creates variables that you can call with other plugins.

Variables without plugin

Variables with plugin

Because of this discovery, I am currently developing a clone of Christian's Server List plugin that includes the GeoIP information.

GeoIP binaries can be found here for easy install.

Thursday, April 5, 2018

Remotely grab Symantec logs with Log Parser

Are you adding Symantec Endpoint Protection logs to your investigations? If not, there could be some information you are missing. These logs are located at C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs. Some of the logs contained in the folder path include:

AVMan.log - AV Management plugin log (contains copies of all AV events)
GUProxy.log - GUP plugin log (if you have a GUP enabled)
LUMan.log - SEP Client LiveUpdate plugin log
processlog.log - Application and Device Control log
rawlog.log - Firewall Packet log
seclog.log - Security log (IPS events mainly)
syslog.log - System log
tralog.log - Firewall Traffic log

Using Microsoft's Log Parser and Log Parser Studio, I created a couple of queries to parse these logs. And the best part is, you can query the logs on a remote system. The only thing left for you to do is export the results into your timeline. The library file for Log Parser Studio can be found here.

Enjoy!

AVMan.log

Daily AV Logs:

syslog.log: