Magnet – Page 3 – Baker Street Forensics

CyberPipe version 5.0

DFIR, Forensic Imaging, PowerShell, RAM, Triage, USB

The latest update to CyberPipe (the code formerly known as CSIRT-Collect), has been revised to leverage the free triage collection tool, MAGNET Response. As with previous versions it also runs Encrypted Disk Detector, another free tool from MAGNET.

Script Functions:

Capture a memory image with MAGNET DumpIt for Windows, (x32, x64, ARM64), or MAGNET RAM Capture on legacy systems,
Create a Triage collection* with MAGNET Response,
Check for encrypted disks with Encrypted Disk Detector,
Recover the active BitLocker Recovery key,
Save all artifacts, output and audit logs to USB or source network drive.

* There are collection profiles available for:

Volatile Artifacts
Triage Collection (Volatile, RAM, Pagefile, Triage artifacts)
Just RAM
RAM & Pagefile
or build your own using the RESPONSE CLI options

Prerequisites:

The setup is simple. Save the CyberPipe script to a USB drive. Next to the script is a Tools folder with the executables for MAGNET Response & EDD. Before running, customize the script to select a collection profile. Run the script from the USB drive and collect away. Move on to the next PC and run it again.

Network Usage:

CyberPipe 5 also has the capability to write captures to a network repository. Just un-comment the # Network section and update the \\server\share line to reflect your environment.

In this configuration it can be included as part of automation functions like a collection being triggered from an event logged on the EDR.

Prior Version (KAPE Support):

If you’re a prior user of CyberPipe and want to use the previous method where KAPE facilitates the collection with the MAGNET tools, or have made other KAPE modifications, use v4.01.

Download:

Download the latest release of CyberPIpe on GitHub.

https://github.com/dwmetz/CyberPipe

Huntress CTF: Week 2 – Forensics: Wimble, Opposable Thumbs, Tragedy_Redux

CTF, DFIR, Forensics

Wimble

Once the file was downloaded and extracted from the zip I ran the file command on it.

OK so we’ll be doing the analysis for this one on a Windows box to start.

Move the file to windows and rename to Fetch.wim

Open the .wim with 7zip explorer

Within the zip file we see a plethora of Prefetch (.pf) files, but among them we there is a fetch.zip

When we extract the contents of the zip file we have another directory of Prefetch files.

I extracted the .pf files to a folder.

I used Magnet AXIOM to process the prefetch files. Based on our scenario, I have keywords set for Huntress, ctf, and flag.

That was easy.

Opposable Thumbs

I know for a fact that Axiom can process thumbnail caches.

And BAM! there’s the flag.

Tragedy Redux

First things first, let’s get an idea of what kind of file we’re dealing with. Hmm. It shows as a zip archive. When the file is unzipped we see the structure below.

Looking at the structure, as seasoned analyst may identify that the tragedy_redux file is in fact a word document. Which will bring up another method in a minute. But before that let’s take a look at the vbaProject.bin file with olevba.

There’s a macro file with some curious fruit and vegetable related functions.

If you realized at the beginning this was a word doc file, you could append the file extension .docm to the file.

When opening the file in Word, there is a prompt to enable macros.

Once the document is open you see a document containing the definition of Tragedy.

From there we can go to Tools > Macros > Edit… we can get to the same vbs content we did with olevba.

The next step was to convert the vbs into something actionable. I struggled on this one, but one of my teammates was successful in converting the vbs to Python.

This code interprets the numeric values in longstring (Apples), as decimal representations of ASCII values, subtracts 17 from each value, and prints the corresponding characters. The characters are printed one by one without newlines, forming a string of characters as the output.

When we run the Python script we get back:

powershell -enc JGZsYWc9ImZsYWd7NjNkY2M4MmMzMDE5Nzc2OGY0ZDQ1OGRhMTJmNjE4YmN9Ig==

Now we can echo the value to base64 decrypt and get our final flag value.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Magnet RESPONSE PowerShell

DFIR, Forensic Imaging, PowerShell, Presentations, RAM

I’m excited to share with you a new script I’ve written, Magnet RESPONSE PowerShell.

Magnet RESPONSE is a free tool from Magnet Forensics that makes it easy for investigators as well as non-technical operators to collect triage collections quickly and consistently.

Released initially as a GUI tool for law-enforcement investigators, it’s a single executable that requires no installation. The available command line syntax also makes it very flexible for enterprise use.

So what do I do when there’s a command line interface available, I PowerShell the hell out of it.

If you’ve been following my CyberPipe project, you’ll definitely want to check this one out.

MagnetRESPONSEPowerShell.ps1

Functions:

💻 Capture specified triage artifacts using profiles with Magnet RESPONSE,
🐏 Capture a memory image with DumpIt for Windows or Magnet RAM Capture,
💾 Save all artifacts, output, and audit logs to network drive.
🪟 Supports x86, x64 and ARM64 versions of Windows

Prerequisites:

Magnet RESPONSE

Web server where you can host MagnetRESPONSE.zip that’s accessible to endpoints.

File server repository to save the file collections to.

Please note this is not a Magnet supported product. This script is open source. If you have comments, updates, or suggestions – please do so here or on GitHub via discussion or pull request.

There are two areas of the script for you to customize.

The Variable Setup contains the case identification, file server and web server locations.

The second section, Collection Profiles, define which artifact groups you want to collect. You can see all the options available in the Magnet RESPONSE CLI Guide.

VARIABLE SETUP

$caseID = "demo-161" # no spaces

$outputpath = "\\Server\Share" # Update to reflect output destination.

$server = "192.168.4.187" # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip

COLLECTION PROFILES

Within the script we need to have at least one set of collection arguments defined. In this case I’ve built multiple profiles, which are simply un-commented to mark the profile as active. You only want to have one profile enabled at a time. You can design your own collection profiles using any of the available CLI options, just follow the format below.

#### Extended Process Capture

$profileName = "EXTENDED PROCESS CAPTURE"

$arguments = "/capturevolatile /captureextendedprocessinfo /saveprocfiles"

Execution

Once your environment and collection variables are defined, go ahead and run the script on your endpoints. Every host that executes the script will download RESPONSE from the web server, run the specified collection profile, and then save the output to the file server. All data defined in the collection profile will be collected and organized by case name, hostname and timestamp of collection in the central location. The returned files can be examined manually, using open source tools, or products like Magnet AXIOM Cyber.

If you’d like to learn more about the script, and how I integrated it with AXIOM Cyber and Magnet AUTOMATE, you can register for my webcast, Responding at Scale with Magnet RESPONSE. I hope to see you there.

You can download the script at https://github.com/MagnetForensics/Magnet-RESPONSE-PowerShell

Capturing malware evidence with detonaRE

DFIR, Malware, PowerShell, RAM

Lately I’ve been experimenting with a lot of varieties of different malware strains. Each time the malware executes, I have a process where I’ll initiate a packet capture, give the malware some time to spin up, and then execute an evidence capture while the malware is running. Then I’ll revert to a snapshot, make some modifications to the environment, and run the process again.

To make things easier on myself (and to help with late afternoon brain fog) I decided to script out the process with PowerShell.

detonaRE – from Latin, to detonate

initiates packet capture
launches malware sample
terminates packet capture after specified interval
initiates evidence collection with Magnet RESPONSE (memory, process, and triage capture)
converts collected .etl file (network capture) to .pcap with etl2pcapng.

## variable configuration:
$malwspath = “E:” ## malware source path
$malwdpath = “C:\Users\REM\Desktop\Malware\” ## malware destination path
$malware = “redline-76ca4a.exe” ## malware executable
$pcaptime = 180 ## duration in seconds for pcap capture
$toolsdir = “E:\Tools” ## MagnetRESPONSE.exe and etl2pcapng.exe

In my case I’ve got my malware file on the root of a USB device (E:) that will be attached to the VM. I want to copy the malware to the ‘Malware’ folder on the VM desktop. For this example the malware file is redline-76ca4a.exe. Any tools needed will be stored in E:\Tools.

I’m using the netsh command to capture any network traffic in .etl format. Later on, we’ll convert the .ett to .pcap. This is the same process I utilized in the QuickPcap PowerShell script.

Once the packet capture is running, the malware file gets detonated. The packet capture will continue running for the set duration, the default being 180 seconds or 3 minutes. It’s important not to terminate the packet capture too early. As you can see in the demonstration video below, once this particular malware sample is detonated, it sleeps for a bit and doesn’t show as active on the system until about 45 seconds into the capture.

Once the packet capture is completed, I’m running the command line version of Magnet RESPONSE. If you’re a fan of CyberPipe this is definitely one you’ll want to check out. Using Magnet RESPONSE I collect the memory (Comae DumpIt), pagefile, running processes (full process dumps) and triage system collection. Note, these artifacts can be scaled down by adjusting the Magnet RESPONSE CLI parameters.

Finally, when that’s all done, the .etl file gets converted to .pcap via etl2pcapng.exe. Then I transfer the collected files to my analysis machine and then the real fun begins.

update: (a day later) version 1.1 now also initiates Process Monitor with a filter applied for the malware to be detonated.

Github link for detonaRE

detonaRE v1.0

detonaRE.ps1 v1.1 now includes Process Monitor

detonaRE version 1.2 demo