Lately I’ve been experimenting with a lot of varieties of different malware strains. Each time the malware executes, I have a process where I’ll initiate a packet capture, give the malware some time to spin up, and then execute an evidence capture while the malware is running. Then I’ll revert to a snapshot, make some modifications to the environment, and run the process again.
To make things easier on myself (and to help with late afternoon brain fog) I decided to script out the process with PowerShell.
detonaRE – from Latin, to detonate
initiates packet capture
launches malware sample
terminates packet capture after specified interval
initiates evidence collection with Magnet RESPONSE (memory, process, and triage capture)
converts collected .etl file (network capture) to .pcap with etl2pcapng.
In my case I’ve got my malware file on the root of a USB device (E:) that will be attached to the VM. I want to copy the malware to the ‘Malware’ folder on the VM desktop. For this example the malware file is redline-76ca4a.exe. Any tools needed will be stored in E:\Tools.
I’m using the netsh command to capture any network traffic in .etl format. Later on, we’ll convert the .ett to .pcap. This is the same process I utilized in the QuickPcap PowerShell script.
Once the packet capture is running, the malware file gets detonated. The packet capture will continue running for the set duration, the default being 180 seconds or 3 minutes. It’s important not to terminate the packet capture too early. As you can see in the demonstration video below, once this particular malware sample is detonated, it sleeps for a bit and doesn’t show as active on the system until about 45 seconds into the capture.
Once the packet capture is completed, I’m running the command line version of Magnet RESPONSE. If you’re a fan of CyberPipe this is definitely one you’ll want to check out. Using Magnet RESPONSE I collect the memory (Comae DumpIt), pagefile, running processes (full process dumps) and triage system collection. Note, these artifacts can be scaled down by adjusting the Magnet RESPONSE CLI parameters.
Finally, when that’s all done, the .etl file gets converted to .pcap via etl2pcapng.exe. Then I transfer the collected files to my analysis machine and then the real fun begins.
update: (a day later) version 1.1 now also initiates Process Monitor with a filter applied for the malware to be detonated.
A couple weeks ago, a reader commented on the post Adding RAM collections to KAPE triage, “Couldn’t this be implemented by using linear processing with KAPE in batch mode?” and I couldn’t be more grateful for their inquiry.
When I was first introduced to KAPE, ‘batch mode’ didn’t exist yet as a feature. From the documentation:
“Batch mode works by placing one or more command lines (without the kape.exe part) into a file named _kape.cli. This file should contain one full command line on each line. This allows you to preconfigure KAPE to perform a given action (for example, collect certain files, zip them, then SFTP them to somewhere).”
Essentially it allows you to string together multiple KAPE jobs and run them together. This could be useful when you want to send the output of one command to a network share, and another to S3. I’m sure there are many other use cases, but I haven’t explored many as of yet.
KAPE has supported memory collection from its very early days. In fact I wrote the original DumpIt plugin for KAPE back in May ’19 (Pepperidge Farm Remembers). I later wrote the module for Magnet RAM Capture. Rounding out the triad is Winpmem which was added by another contributor around the same time (hours apart if I remember) as the DumpIt plugin.
At the time I thought I’d finally solved my Incident Responders ultimate dream of ‘give me RAM and a selective triage image – and give it to me quickly.’ While using any of the memory modules with KAPE, and an appropriate Targets selection for triage would yield both results, to me there was still a problem. The way KAPE operates it initiates the Targets operations (collections) and then the Modules (execution) operations. If I selected a triage image and included the memory collection module, the triage collection would run first and after would run the memory collection (module). While I was pretty giddy over having made what would be my first public contributions to DFIR software, I really wanted to grab the memory first and then do any other operations. The goal was to preserve as much volatile data as possible. It was out of that need to control the order of operations that led me to write CSIRT-Collect.
Via PowerShell, CSIRT-Collect would collect a RAM image first (evolving over the years experimenting with DumpIt, Magnet RAM Capture and Winpmen – and now back to DumpIt again) and then invoke KAPE to handle the triage collection. There were two versions of the code, mostly identical but adapted for use via network share or via USB drive. We used this script within my IR team for a few years before I shared it to GitHub where it’s continued to develop (and be the topic of numerous webcasts.)
ARM64 processors
DumpIt, which was recently added to the Magnet Forensics Free Tools site, supports x64, x86 and ARM processors on Windows. With CSIRT-Collect and KAPE, I was able to run the triage and RAM collections on my (regular suspects) Windows instances, as well as a Windows ARM virtual machine running on an M1 Mac. That introduced my next problem though, that there wasn’t a means within KAPE to detect ARM64 vs x64, just 32bit vs. 64bit. Since the architecture support wasn’t there, I whipped up a new KAPE module specific to the ARM version of DumpIt which has been added to the latest version of KAPE. Once you update KAPE, grab the ARM version of DumpIt, name it DumpIt_arm.exe, drop it in the /bin and you’re good to go. The latest version (4.0) of CSIRT-Collect queries the architecture and will direct KAPE to utilize the appropriate .exe for the architecture.
Back to batch mode
The first line of the _kape.cli had the (modules) arguments for DumpIt and Encrypted Disk Detector. The next line called the KAPE-Triage (targets) collection.
By default all the KAPE instances called by the _kape.cli will execute simultaneously. When I was first experimenting with it both the RAM collection and the triage collection would initiate at the same time. While this made for even faster collections on larger targets, there was still the issue of preserving the most volatile data. Back to the documentation, (it helps to read to the very last line… )
“Should you want to limit things to a single KAPE process running at once, adding --ul to one of the entries (it should be the first one in most cases) tells KAPE to wait for each instance of KAPE to exit before starting the next. When using this mode, you will only see one active instance of KAPE vs. multiple instances starting at once.”
Adding a –ul to the first KAPE argument ensured that the memory collection operations would take place first and only then when completed start the next phase of the triage collection.
Another bit about batch mode. When kape.exe executes and there is a _kape.cli in the root path it will use those arguments and then renames the file to $timestamp_kape.cli. So the next time KAPE executes from this directory, a _kape.cli will not be present. Since the intention of the script is to be reusable and repeatable without intrevention, I needed the _kape.cli to be persistent. I decided the solution was to have the script create the _kape.cli at runtime. This also allowed me to accommodate for the x64 vs ARM64 issue. If ARM is detected, the _kape.cli will be generated with the instructions for the ARM module. Otherwise the x64 module will be used.
Up until recently the script required specific folder configurations in place (collections folder, memory folder, KAPE, etc.) That’s been simplified now. Just sit CSIRT-Collect.ps1 next to your KAPE directory (whether on network or USB) and the script will take care of any folder creation necessary.
v4.0 Features:
– “One Script to Rule them All” – Admin permissions check before execution
– Memory acquisition will use Magnet DumpIt for Windows (previously used Magnet RAM Capture). – Support for x64, ARM64 and x86 architectures. – Both memory acquistion and triage collection now facilitated via KAPE batch mode with _kape.cli dynamically built during execution. – Capture directories now named to $hostname-$timestamp to support multiple collections from the same asset without overwriting.
$collection = $env:COMPUTERNAME+$tstamp
– Alert if Bitlocker key not detected. Both display and (empty) text file updated if encryption key not detected. If key is detected it is written to the output file.
(Get-BitLockerVolume -MountPoint C).KeyProtector > $CollectionHostpath\LiveResponse\$collection-key.txt
If ($Null -eq (Get-Content "$CollectionHostpath\LiveResponse\$collection-key.txt")) {
Write-Host -Fore Yellow "Bitlocker key not identified."
Set-Content -Path $CollectionHostpath\LiveResponse\$collection-key.txt -Value "No Bitlocker key identified for $env:computername"
}
Else {
Write-Host -fore green "Bitlocker key recovered."
}
– More efficient use of variables for output files rather than relying on renaming functions during operations – Now just one script for Network or USB usage. Uncomment the “Network Collection” section for network use.
## Network Collection - uncomment the section below for Network use
<#
Write-Host -Fore Gray "Mapping network drive..."
$Networkpath = "X:\"
If (Test-Path -Path $Networkpath) {
Write-Host -Fore Gray "Drive Exists already."
}
Else {
# map network drive
(New-Object -ComObject WScript.Network).MapNetworkDrive("X:","\\Server\Triage")
# check mapping again
If (Test-Path -Path $Networkpath) {
Write-Host -Fore Gray "Drive has been mapped."
}
Else {
Write-Host -Fore Red "Error mapping drive."
}
}
Set-Location X:
#>
## Below is for USB and Network:
$tstamp = (Get-Date -Format "_yyyyMMddHHmm")
$collection = $env:COMPUTERNAME+$tstamp
...
– Stopwatch function will calculate the total runtime of the collection. – ASCII art 😉 “Ceci n’est pas une pipe.”
I’m very pleased with how this project has continued to develop. Special thanks to Brian Maloney whos question got things started down a new path. If you have other questions or suggestions, feel free to leave them here – or better yet, submit a PR at the GitHub repo.
On February 21, I’ll be discussing CSIRT-Collect Free Tools to Bolster Your IR Toolkit at #MVS2023. Register today!
Happy New Year to all the readers. 2022 was a handful, but there were a lot of things to celebrate. I completed my first full year as an employee of Magnet Forensics. Between the people I work with, and the satisfaction of the mission, I couldn’t be happier with where I’m at.
though it wouldn’t be til September that I called an end to the “one more thing” adjustments. It’s definitely one of my favorite DIY projects to date.
There were lots of little successes as well, like finally cleaning up and re-organizing my ‘go-bag.’
As my focus has been more concentrated on malware investigation and analysis – that meant that in no time there’d be something I could automate with PowerShell, and so came Mal-Hash. A few months after the initial release, I was able to update it. Included in the refinements was the ability to now run the script on Windows, Mac, and Linux (via PowerShell).
I also went back to all my O365 related PowerShell Scripts and updated them all to support the latest modern auth / MFA protocols from Microsoft.
After several years of Covid isolation, I was back to attending and presenting at conferences. This year I was able to participate in the Magnet User Summit
Other events included Techno Security and the HTCIA Conference, as well as presenting as part of the HTCIA Tech Tuesday series.
Last but not least, one of the biggest milestones was passing 10k views on this wee ‘lil blog, including a day that had over 1k all on its own. Thank you to everyone who continues to return here and interact from all over the world. Cheers!
Thank you for your continued support of Baker Street Forensics. Is there something you’d like to see more of? Leave a comment and let me know.
Virus Total started in 2004 as a free service to analyze files and URLs for malicious behavior. In 2012 Virus Total (VT) was acquired by Google. Virus Total can provide a boon of information for the nascent investigator, though OpSec should remain a concern.
It’s rare to be in a security class where Virus Total is mentioned and not be warned about submitting the file hash vs. submitting the file itself. Often the suspect file, (i.e. ‘companyXYZ_invoice.doc) could contain information that has been customized to the target, you or your company. You’d don’t need to be a big-game target. Often these files are distributed like mass marketing. The copy YOU receive may have information that traces back to you. The bad guys use Virus Total too you see – and if they see that companyXYZ_invoice.doc was submitted (or companyABC_invoice.doc, company123… etc.), it could tip them off as to who is on to them.
The preferred method of submission is to use the file hash. This value is unique* (insert debate about MD5 hash collisions) to the file and is safer to use as a reference to search for. Virus Total supports MD5, SHA1 and SHA256 hashes for lookup.
Virus Total has both free and Enterprise plans available. Registration gives you access to an API key that you can use to interact with VT. The free accounts are limited in the number of API queries you can submit. If you’re working on a project at enterprise scale, chances are you’ll need the license to do so to support the number of queries.
Mal-Hash is a PowerShell script that utilizes the Virus Total API to interact with VT from the command-line. Your API key is kept in a file separate from the script. When you invoke the script, you point it to a file to analyze.
Mal-Hash.ps1
You can either type the path in manually or you can drag and drop the file onto the PowerShell window and the path will auto populate.
Path of file to analyze
The script uses the Get-FileHash PowerShell command to get the MD5, SHA1 and SHA256 hash of the file. The script then (referencing your API key for the lookup), submits the MD5 (by default) hash to Virus Total. The results of the query are displayed back to the PowerShell instance and are also recorded to a text file.
You can get Mal-Hash.ps1 from my GitHub here. As always, feel free to fork the project and contribute back to the code. Learning is a constant process.
Baker Street Forensics 