Tag: PowerShell

Ginsu: A tool for repackaging large collections to traverse Windows Defender Live Response

DFIR, M365, PowerShell, Triage
Screenshot of Ginsu.ps1

Enterprise customers running Windows Defender for Endpoint have a lot of capability at their fingertips. This includes the Live Response console, a limited command shell to interact with any managed Defender assets that are online. Besides its native commands you can also use the console to push scripts and executables to endpoints.

Note: there is a specific security setting in the Defender console if you want to allow unsigned scripts.

Microsoft has its own triage package capability, but you can also push your own tools like Magnet RESPONSE or KAPE. With a little bit of PowerShell mojo you can use your favorite collection utilities using the Defender Live Response console as your entry point into the remote asset.

The console enables you to pull back files from the remote endpoint, even when it’s been quarantined. One limitation of this console function is that you’re limited to retrieving files of 3GB or less.

For many triage collections this could be under the limit, but depending on the artifacts you’re collecting you might exceed that. So what do you do when you have an isolated endpoint but you need to pull back files over 3GB? That’s where Ginsu comes in.

Ginsu is a PowerShell script that you can upload to your Defender console along with the command line version of 7zip. You configure the script with the directory with the contents you want to transfer. The script acts as a wrapper for 7zip and will create a multipart archive, splitting the files into 3GB segments.

Once you pull the archives back to your workstation, you can use 7zip to extract the files back into their original properties.

In testing, the file transfer capabilities were a bit buggy, whether it was transferring 3GB Ginsu files or other smaller files from the asset. I’m hoping this improves as the Defender console matures. If you’re able to text Ginsu in your environment, I’d love to hear how it performs.

You can download Ginsu from my GitHub repo at https://github.com/dwmetz/Ginsu

Huntress CTF: Week 3 – Forensics: Rogue Inbox, Texas Chainsaw Massacre: Tokyo Drift

CTF, DFIR, Forensics

Rogue Inbox

Originally I was looking at this in Timeline Explorer, but decided to switch to Excel.

Swimming and scanning through a sea of log entries, an anomaly showed itself.

For this one I just copied the values out by hand.

Huntress CTF: Week 3 – Forensics: Rogue Inbox, Texas Chainsaw Massacre: Tokyo Drift

The download is Application Logs.evtx

If you open the log with Event Viewer, you may see there’s an entry for a (non-actual) event ID of 1337.

The error content isn’t very helpful.

Let’s take a hint from the title and run the event log through Chainsaw.

Nothing significant when using the stock rules. What if we poke specifically at Event ID 1337.

That looks interesting.

Copy the binary data and bring it over to CyberChef

From unintelligible binary to unintelligible PowerShell.

Copy the output and save it is a .ps1 file. We can run the script through PowerDecode.

PowerCode works down through the obfuscation layers, finally revealing the plain text of the command.

Now that the code has been deobfuscated, time to figure out what it does. I copied the code into PowerShell ISE and start isolating the different command sections.

One of the commands does a DNS lookup and directs the output into a string.

If we run the command on its own we can see the output. The last part of the script checks to see if the output matches the pattern of a Base64 encoded string, and if so, decodes it.

Now what was that about Tokyo?

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 2 – Malware: VeeBeeEee, Snake Eater, Opendir

CTF, DFIR, Malware

VeeBeeEee

First examine the file contents.

Ooof. That hurts the eyes. If we throw it into CyberChef, with the assistance of some magic (or detailed reading of the challenge), we see that it’s VB Script, which can be converted using the Microsoft Script Decoder recipe.

Copy the output to VS Code.

The syntax highlighting shows that all the ””””””””al37ysoeopm’al37ysoeopm entries are just comments, so let’s remove them.

There also seems to be an abundance of “&” obscuring the code. We’ll remove them too.

That’s a lot more readable. Looking at the code we see it’s going to use PowerShell to create a file C:\Users\Pubic\Documents\July.htm using as input the content from a pastebin URL.

Snake Eater

We’ll detonate snake_eater.exe in our lab environment.

I really enjoyed this challenge as I used my detonaRE PowerShell script to control the detonation and solve the challenge. Besides firing the malware itself, the script will initiate a pcap capture and monitor the malware process using Process Monitor. The script the converts the ProcMon output to csv for easy analysis.

Scrolling through the csv we find that the application was writing a file to: 

~\AppData\Roaming\Mael Horns\flag{hashforflag}

Opendir

Let’s get Started

The link brings us to an Open Directory (duh) with lots of scripts and executables, not to mention a number of subdirectories.

The first thing to do is grab everything.

Site Sucker works well for this.

Once we’ve captured all the files and subdirectories locally we can search through them en masse. Once again in this CTF, the_silver_searcher (ag) comes into play.

Tucked away in /sir/64_bit_new/oui.txt is the flag.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 2 – OSINT: Where Am I?, Operation Not Found, Under the Bridge

CTF, DFIR, OSINT, PowerShell

Where Am I?

Opening the picture we see it’s a location.

I’ve frequently used exiftool to inspect the metadata of pictures, including GPS coordinates.

The file does contain GPS metadata but before we even get there, looks like something out of the ordinary for the Image Description…

Instead of the usual CyberChef, this time we’ll do the conversion using PowerShell.

The converted string is our flag.

Operation Not Found

First off, lets adjust the positioning of the image and see if we can get better view of our location.

That’s better.

Actually when I ran this challenge, I started on my mobile device.

I took a screenshot of the building and then used the Google Lens function to identify the building.

Georgia Tech Library. That’s consistent with the description in the challenge. I bring up the location in Google Maps.

Zooming and scrolling and zooming and scrolling to get the Google Maps location and the mini-map on the challenge to the same areas. The mini-map is a PAIN to navigate. Even knowing where I was going to it took me several minutes to manipulate my positioning on the map.

But once I’m finally there, I mark my location and submit for the flag and…

Under the Bridge

Pretty much the same methodology as above.

Pivot the screen for a clearer landmark.

Grab a screenshot and send it to Google Lens

Rickroll Tunnel. LOL.

Once again back and forth with Google Maps and the mini-map and getting familiar with all the London highways, and finally….

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.