Baker Street Forensics joins the Fediverse

Just about a year ago I switched my default social platform of choice to Mastodon and created an account at Infosec.Exchange. If you’d like to follow me there directly, here is my profile.

What’s the Fediverse?

In short, it’s a network of networks, without a central control, using open standards to communicate.

Baker Street Forensics joins the Feds 😉

Recently I learned that WordPress.com blogs can now be followed on Mastodon and other federated platforms.

By using the plug-in, blog owners have the potential to reach more followers as they’ll be able to share their posts to other platforms and, in turn, receive replies from those platforms that are transformed into blog comments.

TechCrunch.com

If you’re on Mastodon and/or the Fediverse, please give a follow to “bakerstreetforensics.com@bakerstreetforensics.com”.

If it works (you, my faithful readers, are the beta testers), you should be able to see future posts by following this account. Additionally, comments via Mastodon should be visible here.

What do you think about this functionality? How are you consuming or engaging with content in the Fediverse?

Creating YARA files with Python

When I’m researching a piece of malware, I’ll have a notepad open (usually VS Code), where I’m capturing strings that might be useful for a detection rule. When I have a good set of indicators, the next step is to turn them into a YARA rule.

It’s easy enough to create a YARA file by hand. My objective was to streamline the boring stuff like formatting and generating a string identifier ($s1 = "stringOne") for each string. Normally PowerShell is my go-to, but this week I’m branching out and wanted to work on my Python coding.

The code relies on you having a file called strings.txt. One string per line.

When you run the script it will prompt for (metadata):

  • rule name
  • author
  • description
  • hash

It then takes the contents of strings.txt and combines those with the metadata to produce a cleanly formatted YARA rule.

Caveats:

If the strings have special characters that need to be escaped, you may need to tweak the strings in the rule after it’s created.

The script will define the condition “any of them”. If you prefer to have all strings required, you can change line 22 from

yara_rule += '\t\tany of them\n}\n'

to

yara_rule += '\t\tall of them\n}\n'

CreateYARA.py

def get_user_input():
    rule_name = input("Enter the rule name: ")
    author = input("Enter the author: ")
    description = input("Enter the description: ")
    hash_value = input("Enter the hash value: ")
    return rule_name, author, description, hash_value

def create_yara_rule(rule_name, author, description, hash_value, strings_file):
    yara_rule = f'''rule {rule_name} {{
    meta:
    \tauthor = "{author}"
    \tdescription = "{description}"
    \thash = "{hash_value}"

    strings:
    '''
    with open(strings_file, 'r') as file:
        for id, line in enumerate((l for l in file if l.strip()), start=1):  # skip blank lines, which would become empty (invalid) strings
            yara_rule += f'\t$s{id} = "{line.strip()}"\n\t'
    yara_rule += '\n'
    yara_rule += '\tcondition:\n'
    yara_rule += '\t\tany of them\n}\n'

    return yara_rule

def main():
    rule_name, author, description, hash_value = get_user_input()
    strings_file = 'strings.txt'  

    yara_rule = create_yara_rule(rule_name, author, description, hash_value, strings_file)
    print("Generated YARA rule:")
    print(yara_rule)
    
    yar_filename = f'{rule_name}.yar'
    with open(yar_filename, 'w') as yar_file:
        yar_file.write(yara_rule)

    print(f"YARA rule saved to {yar_filename}")

if __name__ == "__main__":
    main()
Sample strings.txt file used as input for the YARA rule
Running CreateYARA.py
YARA rule created from Python script, viewed in VS Code.
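
An added example, not part of the original CreateYARA.py: one way to handle the special-character caveat above automatically, by escaping backslashes, double quotes and non-printable bytes before the strings go into the rule, and by turning the rule name into a valid YARA identifier. The function names and the sample indicators are assumptions constructed for illustration.

```python
import re

def escape_yara_string(text):
    """Escape one indicator for use inside a double-quoted YARA text string."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\t":
            out.append("\\t")
        elif 0x20 <= byte <= 0x7E:
            out.append(ch)
        else:
            out.append(f"\\x{byte:02x}")  # control or non-ASCII byte
    return "".join(out)

def safe_rule_name(name):
    """YARA identifiers use letters, digits and underscore, and cannot start with a digit."""
    name = re.sub(r"\W", "_", name.strip(), flags=re.ASCII)
    return name if re.match(r"[A-Za-z_]", name) else "_" + name

def build_rule(rule_name, author, description, hash_value, lines, condition="any of them"):
    strings = []
    for line in lines:
        line = line.strip()
        if line and line not in strings:  # drop blank lines and duplicates
            strings.append(line)
    if not strings:
        raise ValueError("strings file contains no usable lines")
    meta = {"author": author, "description": description, "hash": hash_value}
    out = [f"rule {safe_rule_name(rule_name)} {{", "\tmeta:"]
    out += [f'\t\t{key} = "{escape_yara_string(val)}"' for key, val in meta.items()]
    out.append("\tstrings:")
    out += [f'\t\t$s{n} = "{escape_yara_string(s)}"' for n, s in enumerate(strings, 1)]
    out += ["\tcondition:", f"\t\t{condition}", "}"]
    return "\n".join(out) + "\n"

# Constructed sample indicators (not from the original post), as read from strings.txt
SAMPLE_LINES = ['C:\\Users\\Public\\svc.exe\n', '\n', 'cmd /c "echo hi"\n',
                'C:\\Users\\Public\\svc.exe\n']

if __name__ == "__main__":
    print(build_rule("redline-76ca4a", "analyst", "constructed demo", "<sha256>", SAMPLE_LINES))
```

Passing condition="all of them" to build_rule gives the stricter variant described in the caveats.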

Magnet RESPONSE PowerShell

I’m excited to share with you a new script I’ve written, Magnet RESPONSE PowerShell.

Magnet RESPONSE is a free tool from Magnet Forensics that makes it easy for investigators as well as non-technical operators to gather triage collections quickly and consistently.

Released initially as a GUI tool for law-enforcement investigators, it’s a single executable that requires no installation. The available command line syntax also makes it very flexible for enterprise use.

So what do I do when there’s a command line interface available? I PowerShell the hell out of it.

If you’ve been following my CyberPipe project, you’ll definitely want to check this one out.

MagnetRESPONSEPowerShell.ps1

Functions:

  • 💻 Capture specified triage artifacts using profiles with Magnet RESPONSE
  • 🐏 Capture a memory image with DumpIt for Windows or Magnet RAM Capture
  • 💾 Save all artifacts, output, and audit logs to a network drive
  • 🪟 Supports x86, x64 and ARM64 versions of Windows

Prerequisites:

  • Magnet RESPONSE
  • Web server where you can host MagnetRESPONSE.zip that’s accessible to endpoints
  • File server repository to save the file collections to

Please note this is not a Magnet supported product. This script is open source. If you have comments, updates, or suggestions, please share them here or on GitHub via discussion or pull request.


There are two areas of the script for you to customize.

  • The Variable Setup contains the case identification, file server and web server locations.
  • The second section, Collection Profiles, defines which artifact groups you want to collect. You can see all the options available in the Magnet RESPONSE CLI Guide.

VARIABLE SETUP

$caseID = "demo-161" # no spaces

$outputpath = "\\Server\Share" # Update to reflect output destination.

$server = "192.168.4.187" # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip

COLLECTION PROFILES

Within the script we need to have at least one set of collection arguments defined. In this case I’ve built multiple profiles, which are simply un-commented to mark the profile as active. You only want to have one profile enabled at a time. You can design your own collection profiles using any of the available CLI options, just follow the format below.

#### Extended Process Capture

$profileName = "EXTENDED PROCESS CAPTURE"

$arguments = "/capturevolatile /captureextendedprocessinfo /saveprocfiles"

Execution

Once your environment and collection variables are defined, go ahead and run the script on your endpoints. Every host that executes the script will download RESPONSE from the web server, run the specified collection profile, and then save the output to the file server. All data defined in the collection profile will be collected and organized by case name, hostname and timestamp of collection in the central location. The returned files can be examined manually, using open source tools, or products like Magnet AXIOM Cyber.

If you’d like to learn more about the script, and how I integrated it with AXIOM Cyber and Magnet AUTOMATE, you can register for my webcast, Responding at Scale with Magnet RESPONSE. I hope to see you there.

You can download the script at https://github.com/MagnetForensics/Magnet-RESPONSE-PowerShell

Capturing malware evidence with detonaRE

Lately I’ve been experimenting with a wide variety of malware strains. Each time the malware executes, I have a process where I’ll initiate a packet capture, give the malware some time to spin up, and then execute an evidence capture while the malware is running. Then I’ll revert to a snapshot, make some modifications to the environment, and run the process again.

To make things easier on myself (and to help with late afternoon brain fog) I decided to script out the process with PowerShell.

detonaRE – from Latin, to detonate

  • initiates packet capture
  • launches malware sample
  • terminates packet capture after specified interval
  • initiates evidence collection with Magnet RESPONSE (memory, process, and triage capture)
  • converts collected .etl file (network capture) to .pcap with etl2pcapng.

## variable configuration:
$malwspath = "E:" ## malware source path
$malwdpath = "C:\Users\REM\Desktop\Malware\" ## malware destination path
$malware = "redline-76ca4a.exe" ## malware executable
$pcaptime = 180 ## duration in seconds for pcap capture
$toolsdir = "E:\Tools" ## MagnetRESPONSE.exe and etl2pcapng.exe

In my case I’ve got my malware file on the root of a USB device (E:) that will be attached to the VM. I want to copy the malware to the ‘Malware’ folder on the VM desktop. For this example the malware file is redline-76ca4a.exe. Any tools needed will be stored in E:\Tools.

I’m using the netsh command to capture any network traffic in .etl format. Later on, we’ll convert the .etl to .pcap. This is the same process I utilized in the QuickPcap PowerShell script.

Once the packet capture is running, the malware file gets detonated. The packet capture will continue running for the set duration, the default being 180 seconds or 3 minutes. It’s important not to terminate the packet capture too early. As you can see in the demonstration video below, once this particular malware sample is detonated, it sleeps for a bit and doesn’t show as active on the system until about 45 seconds into the capture.

Once the packet capture is completed, I’m running the command line version of Magnet RESPONSE. If you’re a fan of CyberPipe this is definitely one you’ll want to check out. Using Magnet RESPONSE I collect the memory (Comae DumpIt), pagefile, running processes (full process dumps) and triage system collection. Note, these artifacts can be scaled down by adjusting the Magnet RESPONSE CLI parameters.

Finally, when that’s all done, the .etl file gets converted to .pcap via etl2pcapng.exe. Then I transfer the collected files to my analysis machine and then the real fun begins.

update: (a day later) version 1.1 now also initiates Process Monitor with a filter applied for the malware to be detonated.

Github link for detonaRE

detonaRE v1.0
detonaRE.ps1 v1.1 now includes Process Monitor
detonaRE version 1.2 demo