Wednesday, December 5, 2018

Comparing Packet Captures to Procmon Traces Revisited

In my previous post, Comparing Packet Captures to Procmon Traces, I demonstrated how to match Procmon to pcap data. When I looked at this again, I noticed something peculiar. When Procmon's shows a length of 3760, everything gets thrown off.



Looking at the output from Procmon and TCPdump, everything matches up until we hit a length of 3760. So what is happening here? It turns out, if you want to match the packets up, one of them needs to be split.

So it turns out there is an exception to the rule. If the length equals 3760, we have to add the length of the next entry to it. The packets in TCPdump should add up to this combined number. Looking at the example, the third packet will be split between the two Procmon entries.

Friday, August 3, 2018

Windows 10 Notification WAL database

David Cowen recently wrote and article about revisiting the Windows 10 Notification database. From my observations, the database is in Write-Ahead Logging mode. The wpndatabase.db-wal file can contain deleted entries. I came up with a way to view the wal file.

I forked a python script (Walitean) because the endianness of the integers was wrong. With my forked version, you can convert the wal file into a sql database to view by doing the following:



Once the wal file is converted, you can run the following sql query to parse the database:

SELECT unknown0 AS Id, unknown1 AS HandlerId, unknown2 AS ActiveId, unknown3 AS Type, unknown4 AS Payload, unknown5 AS Tag, unknown6 AS 'Group',
 datetime((unknown7/10000000)-11644473600, 'unixepoch') AS ExpiryTime, datetime((unknown8/10000000)-11644473600, 'unixepoch') AS ArrivalTime ,
unknown9 AS DataVersion
FROM IIBTBUUIIU



My forked version of  Walitean can be found here:

https://github.com/Beercow/walitean

Wednesday, May 16, 2018

ProcDOT GeoIP plugin

Today I would like to introduce to you my first event handler plugin. The plugin is designed to run after you click on the refresh button in ProcDOT. You will need an Internet connection on first run because GeoIP needs to download the MindMax databases to get the location information on the IP address. The GeoIP information is then added to the details view on a server node.

Details view without GeoIP plugin

Details view with GeoIP plugin

There is a pretty interesting side effect that I happened to come across. The plugin also creates variables that you can call with other plugins.

Variables without plugin

Variables with plugin

Because of this discovery, I currently developing a clone of Christian's Server List plugin that includes the GeoIP information. 

GeoIP binaries can be found here for easy install.











Thursday, April 5, 2018

Remotely grab Symantec logs with Log Parser

Are you adding Symantec Endpoint Protection logs to your investigations? If not, there could be some information you are missing. These logs are located at C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs. Some of the logs contained in the folder path include:

AVMan.log - AV Management plugin log (contains copies of all AV events)
GUProxy.log - GUP plugin log (if you have a GUP enabled)
LUMan.log - SEP Client LiveUpdate plugin log
processlog.log - Application and Device Control log
rawlog.log - Firewall Packet log
seclog.log - Security log (IPS events mainly)
syslog.log - System log
tralog.log - Firewall Traffic log

Using Microsoft's Log Parser and Log Parser Studio, I created a couple of queries to parse these logs. And the best part is, you can query the logs on a remote system. The only thing left for you to do is export the results into your timeline. The library file for Log Parser Studio can be found here.

Enjoy!

AVMan.log









































Daily AV Logs:







































syslog.log:

























Thursday, March 1, 2018

Symantec Endpoint Protection VBN files

My goal originally, was to improve the way DeXRAYextracted files from Symantec Endpoint Protection (SEP) vbn quarantine files. I decided to dig a little deeper into the vbn format because it is not documented well. What I ended up finding out is that there is a lot of information contained inside vbn files. All vbn files are not created equal. Some contain the quarantined files, while others do not. It all depends on where they are in the quarantine folder structure. The vbn file structure has undergone two revisions, from what I can tell. Version 1 of the format was used up to SEP 11. Version 2 is used in SEP 12 and 14.

I would like to give a special thank you to @Hexacorn for getting me some older samples to work with.

The file format for version 1 can be found here. Version 2 here. There is still quit a bit that is unknown. If you find any mistakes or know what some of the structures are, please let me know and I will update them.

Quarantine File Folder Structure


Folder structure makes a difference in what is contained in the vbn file. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the quarantine folder, there is a vbn file and a folder with the same name as the vbn file.


The vbn files and folders get their name from the Vbin Session ID/Record ID in hex format.

VBN V1


VBN V2

I have not dug into these vbn files too much yet. If we search for Vbin Session ID/Record ID, depending on version, we come across a series of values that start with 01 07 03. The first one, in green, is our folder name. The second one, in blue, is the name of the vbn file in the folder. This is the vbn that will contain the quarantined file.


VBN V1


VBN V2
The vbn files that contain the quarantined file get their name from the unix 32-bit time value (0x560 in v1, 0x7D0 in v2).

Log Line


Inside the vbn, there is a comma delimited list at 0x184. This list is the log line. It may not be clear at first but, there is a wealth of information in this list. We'll start by taking a look at version 1. Version 1 has the following fields:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2

Version 2 has the same fields as version 1 plus some extras:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2,Eraser Category ID,Dynamic Categoryset ID,Dynamic Subcategoryset ID,Display Name To Use,Reputation Disposition,Reputation Confidence,First Seen,Reputation Prevalence,Downloaded URL,Creator For Dropper,CIDS State,Behavior Risk Level,Detection Type,Acknowledge Text,VSIC State,Scan GUID,Scan Duration,Scan Start Time,TargetApp Type,Scan Command GUID

The information on how to decipher what the various fields mean can be found here. There was too much information to put into this article.

Decryption

Finding and decrypting the quarantined file in version1 is fairly straight forward. Grab the first four bytes from the beginning of the file. It is in little endian. In this example, the hex value translates to E5C. This is the offset to the quarantined file.


If we go to this offset, we will fined our quarantined file XORed with 5A.


Version 2 is a little trickier. We start off the same way, by grabbing the first four bytes of the file. Again, little endian.


Instead of finding the quarantined file, we find the Quarantine File Meda (QFM) Header XORed with 5A.


Once the XOR is removed, we can see some values in the QFM header. At offset 0x1298 is the size of the QFM Header. 0x12A0 is the QFM size and 0x12B8 is the total size of the QFM and the QFM Header.


If we take the value at 0x12A0 (897) and add it to 1290, we come up with another offset, 0x1B27 in this case. The structure of this section is as follows:

0x1B27(6951) = 0x03030000000A010852000000
    • 0x1B2E(6958) = 0x8 datatype representing unicode
    • 0x1B2F(6959) = Unicode string size
    • 0x1B33(6963) = Unicode hash SHA1
0x1B85(7045) = 0x030200000003020000000908000000
0x1B94(7060) = Original quarantined file size


Following the quarantine file size will either be 0x08 or 0x09. If it is 0x09, we have arrived at the quarantined file. If it is 0x08, the following optional section is present. 

0x1B9C(7068) = 0x08
    • 0x1B9D(7069) = Size of Security Descriptor string
    • 0x1BA1(7073) = Security Descriptor
    • 0x1C5B(7259) = Unknown
    • 0x1C60(7264) = 0x4
    • 0x1C61(7265) = Original quarantined file size
    • 0x1C69(7273) = 0x9



The quarantine file is broken up into chunks. The size of the chunks can be figured out by looking at the chunk dividers. The chunk dividers start with 0x09. The next four bytes after are the size of the chunk.






The chunk itself is XORed with A5. Continue to the next chunk divider, get the size and wash, rinse, repeat.


If there is anything you would like me to expand upon or explain better, let me know and I will add it.

Sources 

http://www.securitybraindump.com/2011/08/carving-symantec-vbn-files.html
http://dofir.net/post/81425257003/a-study-of-symantecs-vbn-file-format
http://www.hexacorn.com/blog/2012/09/21/dexray-decrypting-vbn-files-part-2/
https://support.symantec.com/en_US/article.TECH100099.html

Monday, August 21, 2017

USB forensics with Logparser Studio

Pictures are worth a thousand words. Enjoy!!!!

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR






























HKLM\SYSTEM\CurrentControlSet\Enum\USB






























HKLM\SYSTEM\MountedDevices

Thursday, August 17, 2017

Comparing Packet Captures to Procmon Traces

Trying to match Procmon entries to a packet capture can seem frustrating at first. There are two things that stand out to me in the Procmon entries:

1. The times are off ever so slightly compared to the packet capture
2. There is not an entry for every packet in Procmons output

We can solve this problem by looking at the times and lengths of the packets. To make things a little easier to read, I'll use the csv output from Procmon and use windump to filer the packets. The first thing I do is filter the Operation column so it contains tcp events.


And then I filter the Path column by the IP address I am trying to match.


The csv should look something like this:









Now that the Procmon csv is filtered, I can run Windump and filter on the IP in question. Piping the output to a file will make this easier. To do this, run the following command:

WinDump.exe -n -p -r malware.pcap host 103.24.1.54 > output.txt

The resulting file should look something like this:


The number in the parentheses is the length of the packet. Once we start matching the approximate times and the length of the packets, the picture becomes a lot clearer.


I hope this helps anyone trying to compare packet captures to Procmon output.