Friday, July 1, 2016

Another update to volatility script (SIFT3)

Added a bunch of modules I now find useful, changed how I do the timeline, and changed it for use with the SIFT workstation (vol.py rather than a hard-coded path).

#!/bin/bash
# Simply runs a bunch of my most commonly used volatility plugins

if [ $# -lt 2 ]
then
    # I added the script to /usr/bin/memscan and gave it execute
    echo "Usage: memscan imagename profile"
else
    image="$1"
    profile="$2"

    if [ ! -d dump ]
    then
        # The script doesn't use this folder, but I do ;)
        mkdir dump
    fi

    for plugin in pslist pstree psxview malfind hivelist dlllist connscan consoles malsysproc mimikatz autoruns prefetchparser shellbags shimcache ssdt userassist
    do
        echo "Running $plugin"
        # Quoted so image paths with spaces work; one output file per plugin
        vol.py -f "$image" --profile="$profile" "$plugin" > "$plugin.txt"
    done

    echo "Creating timeline"
    vol.py -f "$image" --profile="$profile" timeliner --output=body --output-file=timeline_body.txt
#    vol.py -f "$image" --profile="$profile" mftparser --output=body --output-file=mftparser.txt
    mactime -b timeline_body.txt -d -z EST5EDT > timeline.txt

    echo "Mapping strings"
    strings -a -td "$image" > full_strings.txt        # ASCII strings with decimal offsets (the format the strings plugin wants)
    strings -a -td -el "$image" >> full_strings.txt   # Second pass for unicode (16-bit little-endian)
    vol.py -f "$image" --profile="$profile" strings -s full_strings.txt --output-file=mapped_strings.txt
fi

Tuesday, November 10, 2015

Short Script Version Whatever

Yet another quick and dirty script I don't want to have to rewrite, but which is only useful to me.

#!/bin/bash

# Automates the renaming and "parsing" of the failed logon report from redacted
# Assumes being run in the same folder as the report, and that the report is named LOCKEDCONSOLE.XLS

# Check to see if there is a new file, and rename it (dated to yesterday) if there is.
# The original used `date "--date=${dataset_date} - ${date_diff} 1 day"` with both
# variables unset, which GNU date happens to read as "1 day ago"; say so explicitly.
if [ -e ./LOCKEDCONSOLE.XLS ]
then
    mv LOCKEDCONSOLE.XLS "lc-$(date -d '1 day ago' +%m-%d-%y).xls"
fi

# Clean up old files (keeps two weeks worth). find's mtime test replaces parsing
# `ls -lha` output, which breaks on file names with spaces and on the
# "Mon DD  YYYY" date form ls switches to for files older than six months.
find . -maxdepth 1 -type f -name '*.xls' -mtime +14 -delete

# Get a count of failed logins by user ID (the "xls" is treated as a
# whitespace-delimited text export with the user ID in the second column).
cat ./*.xls | awk '{print $2}' | sort | uniq -c | sort -n | tail -n 30
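The per-user count above answers "who is getting locked out most", but it hides one failure mode: a password spray, where one source tries many accounts once each and no single user ID stands out. The following is an added example, not the blog's script, that does both counts over constructed report lines; it assumes a whitespace-delimited export with the user ID in the second column (as the script's `awk` does) and a source host in a third column, which the original report may not have.

```python
"""Failed-logon triage: per-user counts plus a password-spray check.

Added example, not the blog's script. The line format below is an
assumption: <date> <user_id> <source_host>, whitespace delimited.
"""
from collections import Counter, defaultdict

# Constructed sample report lines (not real data).
SAMPLE_REPORT = """\
11/09/15 jsmith WS-101
11/09/15 jsmith WS-101
11/09/15 jsmith WS-101
11/09/15 jsmith WS-101
11/09/15 mjones WS-222
11/10/15 admin  WS-777
11/10/15 jsmith WS-777
11/10/15 mjones WS-777
11/10/15 svc_backup WS-777
11/10/15 rlee WS-777
"""


def failed_logons_by_user(report, top_n=30):
    """Same result as `awk '{print $2}' | sort | uniq -c | sort -n | tail -n 30`,
    returned as (user, count) pairs, highest count first."""
    counts = Counter(line.split()[1] for line in report.splitlines() if line.split())
    return counts.most_common(top_n)


def spray_candidates(report, min_users=4):
    """Sources that failed against many *different* accounts. Each account shows
    only one failure, so the per-user count alone never surfaces this."""
    users_by_source = defaultdict(set)
    for line in report.splitlines():
        fields = line.split()
        if len(fields) < 3:          # tolerate lines without a source column
            continue
        users_by_source[fields[2]].add(fields[1])
    return {src: sorted(users) for src, users in users_by_source.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for user, n in failed_logons_by_user(SAMPLE_REPORT):
        print(f"{n:4d} {user}")
    for src, users in spray_candidates(SAMPLE_REPORT).items():
        print(f"possible spray from {src}: {', '.join(users)}")
```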

Thursday, September 24, 2015

Malicious pdf AND document

Found a couple of interesting pdfs, and I've only had a chance to dig into one of them so far. Anyways, opening this pdf you see “PDF is Secured. VIEW ONLINE HERE” and below that a blurred-out section of a document with more “Secured, VIEW HERE” nonsense. The URL it shows is hxxp://tinyurl[.]com/o7s66zo

If you jump down this rabbit hole, you’re redirected to hxxp://www.eitool[.]com/SanJose/help/userguide_files/adobe-cooperation-secure/index.php
This site simply asks you to sign in with your email and password, a typical credential-harvesting scam. There’s a fair bit of JavaScript involved, and there may be some landing-page-style nonsense going on, but from my analysis box I don’t see anything; it could just be the harvest. I may try to dig into that more later.

Anyways, if you DO sign in, things get a little more interesting. I threw in the throwaway credentials I have set up exactly for instances like this, and it had me download a .doc file. Interesting; I had expected to be redirected to a public junk pdf.

Hmmm, does this doc contain macros? Why yes… yes it does. Though it looks like they didn’t really configure it? There’s a CitiBank logo at the top, and below that it says “Put here some text to be more trustworthy!” Hahahaha, that’s pretty hilarious. The rest of the English is pretty special too.


If you run the macro, it reaches out to hxxp://hotelsanjuliansas[.]com/components/billzkencrypt11.exe. I tried to run it, but apparently it requires .NET 4.0? VT has a pretty massive 33/57 hit on it (md5sum 5bb68067ca34e94b875b3c56e3b31e48), so I’m not sure I’m too worried about trying to analyze it.