Hunting for Indicators with PowerShell: New Files

When analyzing the impact of malware execution on a system, it’s important to identify what additional files the malware has introduced to the system. Have other executables been dropped? Are there .vbs files being sprinkled around by the malware fairies?

What other file types would you be concerned with showing up on your systems?

Maybe it’s the inverse and it’s the file extension itself that’s the outlier and you need to identify all the .m41z files, as an example.

I wanted an easy way to identify new files on the system, and yet be flexible to incorporate different extensions and durations. As usual, a PowerShell script seemed the easiest way to address it.

There are 2 inputs, file extension and duration. What kind of new files are you looking for, and how far back do you want to look?

<#

GetNewFiles.ps1
@dwmetz, 19-july-2023
A simple script to find any new files on the file system for a specific filetype within x # of days

#>
Write-Host " "
$script:filetype = Read-Host -Prompt 'Enter the file type to look for (ex. txt, ps1, exe)'
# Read-Host returns a string; cast to [int] so AddDays() always gets a number
[int]$script:time = Read-Host -Prompt 'How many days back do you want to look?'
# Suppress access-denied noise from protected paths (those paths are skipped, not searched)
$ErrorActionPreference = "SilentlyContinue"
Write-Host " "
# -File skips directories; -Force includes hidden and system files, where droppers like to hide
$NewFiles = Get-ChildItem -Path c:\ -Recurse -File -Force -Filter "*.$script:filetype" |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$script:time) }
# Wrap in @() so .Count is correct when zero or one file matches
"Number of $script:filetype files found: $(@($NewFiles).Count)"
$NewFiles | Select-Object FullName, CreationTime

Running the script on a suspected infected asset, I can look for new files of interest and if need be work backwards for a larger time sampling.

In the example above, one of the executables bears looking into. The other is benign and related to software updates.

For the .ps1 results we see the script we’re running “GetNewFiles.ps1” as well as another hit for a script that was created on the system the day before.

NOTE: If a file is no longer there when you run the script, for example created and deleted during the malware operation, you won’t see it here as it’s no longer present on the system. The script also keys on CreationTime, which a dropper can backdate; if the results look thin, run the same query against LastWriteTime as well.

If you run the malware on multiple samples, can you see a commonality among the new files? Does it always drop ‘notAsafeFILE.exe‘ in the same path, or is there a randomization in the file naming and location? PowerShell can be a quick way to come to that answer and identify what other files require investigation.
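As an added example (not the GetNewFiles.ps1 script above), here is the same hunt parameterised so it covers several extensions in one pass, includes hidden and system files, reports LastWriteTime alongside CreationTime (creation times are trivially backdated), and adds a second function that groups results from several detonations to answer the commonality question. The default extension list, run file names and paths are assumptions for illustration.

```powershell
# Added example, not from the original post. Extensions, paths and run names are assumptions.
function Get-NewFilesByExtension {
    [CmdletBinding()]
    param(
        [string[]]$Extension = @('exe', 'dll', 'ps1', 'vbs', 'js', 'hta', 'lnk'),
        [int]$Days = 7,
        [string]$Path = 'C:\',
        [switch]$Hash
    )
    $cutoff  = (Get-Date).AddDays(-$Days)
    $skipped = @()
    # -File drops directories; -Force surfaces hidden and system files.
    # Access-denied errors are collected in $skipped instead of vanishing, so the
    # analyst knows how many paths were never examined.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue -ErrorVariable +skipped |
        Where-Object { $Extension -contains $_.Extension.TrimStart('.') } |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                FullName        = $_.FullName
                Length          = $_.Length
                CreationTime    = $_.CreationTime
                LastWriteTime   = $_.LastWriteTime
                # A recent write on a file whose creation time predates the window
                # is exactly what a CreationTime-only query misses.
                CreatedInWindow = ($_.CreationTime -gt $cutoff)
                WrittenInWindow = ($_.LastWriteTime -gt $cutoff)
                Hidden          = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                SHA256          = $(if ($Hash) { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } else { $null })
            }
        }
    Write-Verbose ("{0} path(s) were not readable and were skipped" -f $skipped.Count)
}

# Across several detonations (one clean snapshot per run), export each run's
# results and group by file name. One name present in every run with a single
# directory and a single hash points to a deterministic dropper; many distinct
# directories or hashes for the same name point to randomisation.
function Compare-DropRuns {
    param([Parameter(Mandatory)][string[]]$RunFile)
    $all = foreach ($r in $RunFile) {
        $run = [IO.Path]::GetFileNameWithoutExtension($r)
        Import-Clixml -Path $r | ForEach-Object {
            [pscustomobject]@{
                Run    = $run
                Name   = Split-Path -Path $_.FullName -Leaf
                Dir    = Split-Path -Path $_.FullName -Parent
                SHA256 = $_.SHA256
            }
        }
    }
    $all | Group-Object -Property Name | Sort-Object -Property Count -Descending |
        Select-Object -Property @{ n = 'Name';           e = { $_.Name } },
                                @{ n = 'Runs';           e = { @($_.Group.Run    | Sort-Object -Unique).Count } },
                                @{ n = 'DistinctDirs';   e = { @($_.Group.Dir    | Sort-Object -Unique).Count } },
                                @{ n = 'DistinctHashes'; e = { @($_.Group.SHA256 | Sort-Object -Unique).Count } }
}

# Usage (file names are assumptions):
#   Get-NewFilesByExtension -Extension exe,dll,ps1 -Days 2 -Hash | Export-Clixml run1.xml
#   Compare-DropRuns -RunFile run1.xml, run2.xml, run3.xml | Format-Table
```

Run the first function once per detonation, from a clean snapshot each time, and keep the -Hash switch on: file names and paths can be randomised cheaply, but a matching SHA256 across runs ties the dropped files together regardless of what they were called.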

Mal-Hash Updates

Mal-Hash.ps1

  • The script takes the input of a file, calculates the hashes (MD5, SHA1, SHA256), and then submits the SHA256 hash to VirusTotal* for analysis.
  • The script will also run Strings against the sample.
  • The script will check MalwareBazaar to see if a sample matching the hash is available.
  • The hashes, strings, VirusTotal and MalwareBazaar results are displayed on screen and saved to a text report.
  • Timestamp of the analysis is recorded in UTC.

VTHashSub.ps1

  • The script takes a hash value as input and submits the hash to VirusTotal* for analysis.
  • The script will check MalwareBazaar to see if a sample matching the hash is available.
  • The hash, VirusTotal and MalwareBazaar results are displayed on screen and saved to a text report.
  • Timestamp of the analysis is recorded in UTC.

Mal-Hash.ps1 and VTHashSub.ps1 will operate (via PowerShell) on Windows, Mac & Linux.

* VirusTotal API key expected in vt-api.txt.

Latest updates:

  • n of x vendors detected
  • VT permalink
  • MalwareBazaar results

Both scripts available on my GitHub page:

https://github.com/dwmetz/Mal-Hash
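As an added example (not the Mal-Hash.ps1 or VTHashSub.ps1 code from the repository above), the workflow the two scripts describe reduced to its essentials: hash the sample, read the key from vt-api.txt, query the public VirusTotal v3 file endpoint, query MalwareBazaar, and write a UTC-stamped text report with the "n of x vendors" line and permalink. The Strings step is left out. The engine-count definition and the optional MalwareBazaar Auth-Key header are assumptions of this example.

```powershell
# Added example, not the author's Mal-Hash code. Endpoints are the documented
# public ones; the vendor-count definition and Auth-Key handling are assumptions.
function Get-SampleHashes {
    param([Parameter(Mandatory)][string]$Path)
    [pscustomobject]@{
        File        = (Resolve-Path -LiteralPath $Path).Path
        MD5         = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA1        = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        AnalyzedUtc = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
    }
}

function Get-VirusTotalVerdict {
    param([Parameter(Mandatory)][string]$Sha256, [string]$KeyFile = 'vt-api.txt')
    $key       = (Get-Content -Path $KeyFile -Raw).Trim()
    $permalink = "https://www.virustotal.com/gui/file/$Sha256"
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" -Headers @{ 'x-apikey' = $key }
    } catch {
        # 404 means VirusTotal has never seen this hash; anything else is a real error.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Known = $false; Detected = 0; Engines = 0; Permalink = $permalink }
        }
        throw
    }
    $s = $r.data.attributes.last_analysis_stats
    # Engines that returned a verdict (timeouts and unsupported types excluded) - an assumption
    # about how to count "x" in "n of x vendors".
    $engines = [int]$s.malicious + [int]$s.suspicious + [int]$s.undetected + [int]$s.harmless
    [pscustomobject]@{
        Known     = $true
        Detected  = [int]$s.malicious
        Engines   = $engines
        Permalink = $permalink
        FirstSeen = [DateTimeOffset]::FromUnixTimeSeconds($r.data.attributes.first_submission_date).UtcDateTime
    }
}

function Get-MalwareBazaarInfo {
    param([Parameter(Mandatory)][string]$Sha256, [string]$AuthKey)
    $headers = @{}
    if ($AuthKey) { $headers['Auth-Key'] = $AuthKey }   # only if your abuse.ch account requires one
    # Hashtable body is sent as application/x-www-form-urlencoded, which this API expects.
    $r = Invoke-RestMethod -Method Post -Uri 'https://mb-api.abuse.ch/api/v1/' -Headers $headers `
                           -Body @{ query = 'get_info'; hash = $Sha256 }
    if ($r.query_status -ne 'ok') {
        return [pscustomobject]@{ Found = $false; Status = $r.query_status }
    }
    $d = $r.data[0]
    [pscustomobject]@{ Found = $true; Status = 'ok'; Signature = $d.signature; FileType = $d.file_type; FirstSeen = $d.first_seen; Tags = ($d.tags -join ',') }
}

function Invoke-MalHashTriage {
    param([Parameter(Mandatory)][string]$Path, [string]$Report = "$Path.report.txt", [string]$MbAuthKey)
    $h  = Get-SampleHashes -Path $Path
    $vt = Get-VirusTotalVerdict -Sha256 $h.SHA256
    $mb = Get-MalwareBazaarInfo -Sha256 $h.SHA256 -AuthKey $MbAuthKey
    @(
        "Analysis (UTC): $($h.AnalyzedUtc)"
        "File:   $($h.File)"
        "MD5:    $($h.MD5)"
        "SHA1:   $($h.SHA1)"
        "SHA256: $($h.SHA256)"
        ("VirusTotal: " + $(if ($vt.Known) { "$($vt.Detected) of $($vt.Engines) vendors detected, first seen $($vt.FirstSeen)" } else { "hash not found" }))
        "VT permalink: $($vt.Permalink)"
        ("MalwareBazaar: " + $(if ($mb.Found) { "found, signature=$($mb.Signature), type=$($mb.FileType), tags=$($mb.Tags)" } else { $mb.Status }))
    ) | Tee-Object -FilePath $Report
}

# Usage (sample path is an assumption):
#   Invoke-MalHashTriage -Path .\sample.bin
```

Two points the hash-only path gets right: submitting a hash never uploads the sample, so nothing about the case leaks to a third party beyond the fact that you asked about that hash, and an unknown hash on VirusTotal is information in itself (a fresh or targeted build), which is why the 404 is reported rather than treated as a failure.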

Raspberry Pi Forensics Hacking Gadget

Ever since the 2021 iPad models with USB-C chargers came out, I’ve been intrigued by the notion of Raspberry Pi gadgets. In short, these are Raspberry Pi devices that draw their power, and/or networking from the USB-C port on the iPad Pro.

Having awakened my tinkering spirit with the internet speed monitor project, I was looking for another project. I had one unused Raspberry Pi Zero W in a box of spare Pi parts, so that’s where I started.

I chose Kali for the distribution to use because there are images specific to various Raspberry Pi hardware models, and because the distribution itself supports many popular Linux tools for Forensics and Reverse Engineering. REMnux is my default Linux for malware poking, but to date it’s only supported on Intel architectures.

Know from the start you’re not going to be using this device for processing on the scale of Enron, but for access to a wider toolset when on the go, and especially for training, I think it’s a pretty cool setup. If you’re looking to set up a mobile development environment, or still run Kali but with more oomph, there are a number of resources to do so using a Pi 4. Since the Pi Zero W is powered by a USB-micro, it cannot support networking (iPad to Pi) over the USB port. Later models like the Pi 4 (USB-C powered) are capable, but at the time of the project all of mine were occupied. In this case we’ll be connecting to the Pi over WiFi via SSH.

Grab the image for the Pi Zero W (or whatever’s applicable for the model you’re running) from https://www.kali.org/get-kali/#kali-arm. There’s plenty of documentation on enabling SSH if it isn’t on by default; on this particular build for the Pi, it was. You’ll also want to install tightvncserver.

Depending on which Pi hardware version you’re using, the Pi will have different capabilities. Notably lacking on the Pi Zero W are the resources to run any modern browser. But since I have the iPad that it’s running from, it’s not like I’m missing it at all.

Kali supports the installation of what they call meta-packages. These are specific sets of tools or features to support different capabilities (Bluetooth hacking, wireless hacking, etc.) For my build I chose the reverse engineering and forensics packages as those are the tools I’m most interested in experimenting with.

I had a bit of trial and error when it came to the physical USB connections. Originally I had a series of USB-C connecting adapters, terminating with a USB-C to USB micro adapter. When I had this franken-jack plugged into the iPad the Pi wouldn’t power up. However, if I had a USB-C cable connected to the jack, or between the jack and the iPad, I could get power (just with a cable I didn’t need.) At some point I had the idea of introducing a USB-A into the mix and voila, power to the Pi. All that said, the final hardware combo consisted of a USB-C (male) to USB-A (female) 180 degree adapter, and a USB-A (male) to USB-Micro (male) adapter.

The 180 degree adapter enables a very low profile while having a reasonable gap for ventilation, even when connected to a Magic Keyboard.

Plug the device into the USB-C port on the iPad and give it a minute or two to boot up.

For SSH on the iPad there’s nothing better than Blink.

I don’t have VNC running at boot to save on resources, but I have a script in my home directory to quickly turn it on when GUI access is needed.

For VNC I use Jump Desktop, and have a configuration saved for VNC tunneled over SSH.

Raspberry Pi Internet Speed Monitor

I was looking wistfully at the Lack Rack from my arm chair, admiring the (faux) copper conduit that covered the primary inbound internet link to the switch. I thought it would be cool looking to have an antique steam gauge attached to the piping. Two things caused that idea to quickly change: 1. the going prices for antique steam gauges right now, 2. once I was thinking about it as a gauge I thought an ‘internet speed gauge’ would be perfect. Alas, even if said gauge could be acquired without breaking the bank, converting Mbps to PSI and making it functional is above my level of engineering. So on to the next best thing: a Raspberry Pi hack.

Materials:

  • Raspberry Pi (3 or 4) with Raspbian 32-bit OS
  • Case with 3.5 in LCD Display
  • Copper spray paint 😉
  • Attention to detail at the command line

Speedtest CLI

Once you’ve got your Raspberry Pi up and running start with the Installing the Speedtest CLI instructions at https://pimylifeup.com/raspberry-pi-internet-speed-monitor/. Complete steps 1-6. When the article gets to Writing our Speed Test Python Script, you can skip that section. I do recommend it from a learning perspective, but the code from that step won’t be used in the final project.

Assuming this is a new installation, you will need to install InfluxDB and Grafana. Complete the respective instructions for each.

Continue with the primary article’s instructions for Using Grafana to Display your Speedtest Data.

If you’ve made it this far, you should have a working Grafana dashboard displaying Upload Speed, Download Speed, and Ping (Latency). If you’re hitting a glitch, go back through what you’ve coded and double check that any references to the user (default = pi) are accurate for the user on your device. You should be seeing updated data based on the frequency you specified in crontab -e.

Install Grafana Kiosk

Next, we want to set up our device as a kiosk, and have it boot and display the Network Speed dashboard automatically.

Install Grafana Kiosk from https://github.com/grafana/grafana-kiosk. For my installation I used the ARM v6 grafana-kiosk.linux.armv6 release.

Running the Dashboard on startup:

We’re going to use a yaml file to store our dashboard configuration:

Create a new file, config.yaml and populate it as such:

general:
  kiosk-mode: full
  autofit: true
  lxde: true
  lxde-home: /home/(user)
target:
  login-method: local
  username: admin
  password: (password)
  playlist: false
  URL: http://localhost:3000/d/bdf20d32-c4ff-4578-a3f4-7a38e1f722b9/network-speed?orgId=1
  ignore-certificate-errors: false

Be sure to substitute your username wherever you see (user), and the Grafana admin password for (password). The URL for the dashboard can be copied from the web interface of the dashboard. Since config.yaml holds that password in plaintext, keep it readable by your user only (chmod 600 /home/(user)/config.yaml) or, better, create a dedicated Viewer-role Grafana account for the kiosk rather than using admin.

Edit /home/(user)/.config/lxsession/LXDE-pi/autostart

Add a line: (one line, may show as wrapped)

@/usr/bin/grafana-kiosk -lxde-home /home/(user) -c /home/(user)/config.yaml

Save & Exit.

Now when you reboot the Pi, the dashboard should come up full screen after login.