Friday, December 11, 2015

New RR Plugin: Identities.pl

This past week, I read an interesting FireEye blog post that discussed malware that targets the volume boot record.  As I read through the post, I got to step 4 ("Component Installation") for the malware, and the Registry values listed caught my eye.  I know...go figure, right?

The blog post states that a number of values are created within a specific hive file, and that these values refer to the various components of the malware itself.  As such, I looked at these values as a great way to determine if a system was infected, through either digital forensic analysis, or even active hunting within the enterprise.

The key path for the values listed in the blog post is "HKCU\.Default".  Hhhmmm...okay, so...where is that hive on the system?  As you can see in the figure to the right, taken via RegEdit on my Windows 10 system, the path should be listed as "HKU", which stands for "HKEY_USERS", rather than "HKCU", which stands for "HKEY_CURRENT_USER" (which would be me).  Regardless, we see the ".Default" key in the figure.  This MSDN blog post lets us know that it's not what we think...no, not at all.  That is, this key is not the "Default User" profile from which new user profiles are created; it is the hive of the Local System account.

The RegRipper profilelist.pl plugin will show us the paths to the NTUSER.DAT hives for various accounts on the system, including not only the users but the other SIDs, as well:

Path      : %systemroot%\system32\config\systemprofile
SID       : S-1-5-18
LastWrite : Tue Jul 14 04:53:25 2009 (UTC)

Path      : C:\Windows\ServiceProfiles\LocalService
SID       : S-1-5-19
LastWrite : Thu Dec 30 20:51:42 2010 (UTC)

Path      : C:\Windows\ServiceProfiles\NetworkService
SID       : S-1-5-20
LastWrite : Thu Dec 30 20:51:42 2010 (UTC)

As such, you can extract the NTUSER.DAT file from any of these profiles (for "HKU\.Default", that is the Local System profile, SID S-1-5-18, under %systemroot%\system32\config\systemprofile) and run the identities.pl plugin (uploaded to the GitHub repository today) against it.
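To show what a RegRipper plugin for this kind of check looks like, here is an added example written for this post; it is not the identities.pl that was uploaded to the repository, and it is not FireEye's code.  It follows the standard RegRipper plugin layout (the %config hash, the getX accessors, and pluginmain receiving the hive path) and uses Parse::Win32Registry, which RegRipper already depends on.  The key name "Identities" directly beneath the hive root is an assumption inferred from the plugin name; the value names the malware writes are not listed here, so the example simply reports every value and subkey beneath that key and leaves the comparison against the blog post to the analyst.

```perl
# identities_example.pl - added example RegRipper plugin (not the repository's
# identities.pl).  Lists every value and subkey beneath the Identities key of an
# NTUSER.DAT hive.  Run it against the Local System hive
# (%systemroot%\system32\config\systemprofile\NTUSER.DAT, SID S-1-5-18), since
# that hive is what appears as HKU\.Default in RegEdit.
# ASSUMPTION: the key path "Identities" under the hive root is inferred from the
# plugin name in the post; change $key_path if the key lives elsewhere.
package identities_example;
use strict;
use Parse::Win32Registry;   # RegRipper's rip.pl already loads this module

my %config = (hive          => "NTUSER.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20151211);

sub getConfig     { return %config; }
sub getShortDescr { return "Lists values and subkeys beneath the Identities key (example plugin)"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

sub pluginmain {
    my $class  = shift;
    my $ntuser = shift;      # path to the extracted NTUSER.DAT, supplied by rip.pl
    ::logMsg("Launching identities_example v.".$VERSION);
    ::rptMsg("identities_example v.".$VERSION);
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");

    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;
    my $key_path = "Identities";   # assumption, see header comment

    my $key = $root_key->get_subkey($key_path);
    if (!$key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

    # Every value is reported; the analyst compares the names and data against
    # the component list in the FireEye post rather than the plugin guessing.
    my @vals = $key->get_list_of_values();
    ::rptMsg($key_path." has no values.") if (scalar(@vals) == 0);
    foreach my $v (@vals) {
        my $name = $v->get_name();
        $name = "(Default)" if ($name eq "");
        my $type = $v->get_type_as_string();
        my $data = $v->get_data();
        # Binary data is rendered as hex so the report stays readable
        if ($type eq "REG_BINARY") {
            $data = join(" ", map { sprintf("%02x", ord($_)) } split(//, $data));
        }
        ::rptMsg(sprintf("  %-30s %-12s %s", $name, $type, $data));
    }

    # Subkeys are listed with their LastWrite times, which also help establish
    # when the components were installed.
    foreach my $sk ($key->get_list_of_subkeys()) {
        ::rptMsg("  Subkey: ".$sk->get_name()."  LastWrite ".gmtime($sk->get_timestamp())." (UTC)");
    }
}
1;
```

Drop the file into the plugins directory and run it as `rip.pl -r NTUSER.DAT -p identities_example`; because it reports whatever is present rather than matching a fixed list, an empty or absent key on a clean system is expected, and any populated key on the Local System hive is worth a closer look.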

Addendum, 13 Dec: I added a plugin to the repository this morning called latentbot.pl that parses the persistence location for LatentBot (as reported by FireEye), and attempts to determine the plugins, as well.  YMMV...extremely limited test suite.
