Detecting Malware & APT Like Threats - Domain Wide File Finder

In all of the cases that I've worked where a malware infection, suspected APT or other security breach had occurred, detectable file remnants were left behind. How can you find them? Can IT audit techniques help? In this episode over on AuditCasts we take a look at a super easy technique that allows you to find any type of file, or any specific file, anywhere within your domain. As you can imagine, while this technique is great for finding malware and APT-like threats, it's just a smart baselining activity as well!

Let's start with the code:

' Connect to the WMI service on the host named on the command line
strComputer = WScript.Arguments.Item(0)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
' Ask WMI for every file on the C: drive that has a .rar extension
Set files = objWMIService.ExecQuery( _
    "Select * from CIM_DataFile where Drive = 'c:' AND Extension = 'rar'")
' One CSV line per match: host, directory (Path), full path (Name)
For Each file In files
    WScript.Echo strComputer & "," & file.Path & "," & file.Name
Next

This VBScript may appear complex to some, while to others it appears surprisingly short. The script really leverages the existing power of WMI, which we've commented on many times, but this time through VBScript rather than the WMIC tool.

If you copy and paste this script into a file, just give the file a ".vbs" extension. The script expects a single command line argument: the name or IP address of the target host to scan for the file type. If you named the file "find_rar.vbs", you should type something like this to execute it:

cscript find_rar.vbs remote_host_name

Before we get back to what to do with this, you may be wondering why we're using VBScript rather than PowerShell for this script. The very simple reason is that I find a large number of organizations that include dashes ("-") within some machine names. There's nothing really wrong with this, but it will require that we use that machine name within the PowerShell script, and I've not yet found a reliable way to allow the use of machine names with dashes within PowerShell; it seems to want to interpret the dash as the start of a command line argument!

One last important note is that I'm specifying Drive = 'c:' in the script. If you take this piece out, it will search every mounted volume. While this might sound perfect, remember that it will also scan all mounted file shares! This could lead to inadvertently searching the file server once for every host that we scan! What if you have more than one local partition? You could modify the WHERE clause like this:

"Select * from CIM_DataFile where (Drive = 'c:' OR Drive = 'd:') AND Extension = 'rar'"

What Does This Tell Me?
The script, as written, will find all files located on the remote system's "C:" drive that have a ".RAR" extension. As discussed in the accompanying screencast, I've found these to be something of a common thread in compromises that I'd be willing to classify as APT infections. Certainly this could be used to inspect a single system during an investigation, but there's a better way!

The real purpose of this script, and of all of the scripting that we discuss on this blog, is to give you a fast and easy way to create a baseline for all of the hosts in your domain. How can you do that? I'll leave that as an exercise for you, but as a hint you probably just need to modify a line or two of the script presented in this screencast!
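One way to turn the single-host script into that domain-wide sweep, as an added example rather than the script from the screencast: it reads the host list from a plain-text file (one host name or IP address per line; building that list from Active Directory or DNS is assumed to have happened beforehand), takes the extensions and, optionally, the drives to search as comma-separated arguments, and writes one CSV line per file so the output can be kept as a baseline. The file names find_files_domain.vbs and hosts.txt are assumptions, not names from the post.

```vbscript
' find_files_domain.vbs -- added example, not the AuditCasts script.
' Usage:  cscript //nologo find_files_domain.vbs hosts.txt rar > rar_baseline.csv
'         cscript //nologo find_files_domain.vbs hosts.txt exe,dll,com c:,d: > exe_baseline.csv
' hosts.txt (assumed) holds one host name or IP address per line.
Option Explicit

Const ForReading = 1

Dim fso, args, hostFile, strComputer, drives, where

Set fso = CreateObject("Scripting.FileSystemObject")
Set args = WScript.Arguments
If args.Count < 2 Then
    WScript.Echo "usage: cscript find_files_domain.vbs <hostlist> <ext[,ext...]> [drive[,drive...]]"
    WScript.Quit 1
End If

' Default to c: so mapped network drives are never walked once per host.
If args.Count >= 3 Then drives = args.Item(2) Else drives = "c:"

' WQL has no IN operator, so each list becomes a parenthesised chain of ORs, e.g.
' (Drive = 'c:' OR Drive = 'd:') AND (Extension = 'exe' OR Extension = 'dll')
where = OrClause("Drive", drives) & " AND " & OrClause("Extension", args.Item(1))

' Header line.  Name is the full path; LastModified is a DMTF timestamp.
WScript.Echo "host,name,size,lastmodified"

Set hostFile = fso.OpenTextFile(args.Item(0), ForReading)
Do Until hostFile.AtEndOfStream
    strComputer = Trim(hostFile.ReadLine)
    If strComputer <> "" Then ScanHost strComputer, where
Loop
hostFile.Close

Function OrClause(prop, csv)
    Dim parts, i, clause
    parts = Split(csv, ",")
    clause = ""
    For i = 0 To UBound(parts)
        If i > 0 Then clause = clause & " OR "
        clause = clause & prop & " = '" & LCase(Trim(parts(i))) & "'"
    Next
    OrClause = "(" & clause & ")"
End Function

Sub ScanHost(strComputer, where)
    Dim objWMIService, files, file
    ' A host that is off, firewalled or refusing DCOM raises an error inside
    ' GetObject.  Record it as a row and carry on with the next host instead of
    ' letting one dead machine abort the whole sweep.
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        WScript.Echo strComputer & ",ERROR," & Hex(Err.Number) & ","
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    Set files = objWMIService.ExecQuery("Select * from CIM_DataFile where " & where)
    For Each file In files
        WScript.Echo strComputer & "," & file.Name & "," & file.FileSize & "," & file.LastModified
    Next
End Sub
```

Run it with //nologo so the cscript banner does not land in the CSV. The ERROR rows matter: a host that was unreachable on the day the baseline was taken has no files in that baseline, so every file on it will look new the first time it answers, and the row is the evidence of why. A whole-drive CIM_DataFile query is slow on a remote host, so expect the sweep to take minutes per machine rather than seconds.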

Of course, finding RAR files is a very specific task that targets the APT infection issue and allows early detection. Another very powerful application of this script is to change the "RAR" qualifier to "EXE", "DLL" or "COM". Now you have scripts that can be used to create a baseline of every single executable file on a remote file system. How many security administrators or domain administrators would be interested in knowing when new executables show up on a system? This, again, is a great technique for identifying significant changes on a remote system.
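Knowing "when new executables show up" means keeping the sweep output from one run to the next and comparing the two. The following is an added example, not code from the post; it assumes each input is a CSV of host,name,size,lastmodified lines, one per file, with name the full path, an optional "host,..." header line, and rows whose second field is ERROR marking a host that could not be reached during that sweep. The file name diff_baseline.vbs is an assumption. It reports both paths the baseline never contained and paths whose size or timestamp changed.

```vbscript
' diff_baseline.vbs -- added example, not from the AuditCasts post.
' Usage:  cscript //nologo diff_baseline.vbs last_week.csv today.csv
' Both inputs (assumed format) are CSV lines of  host,name,size,lastmodified
' where name is the full path.  A leading "host,..." header line and rows whose
' second field is ERROR (host unreachable during that sweep) are ignored.
Option Explicit

Const ForReading = 1

Dim fso, args, baseline, current, rec, key, nowState, newFiles, changedFiles

Set fso = CreateObject("Scripting.FileSystemObject")
Set args = WScript.Arguments
If args.Count < 2 Then
    WScript.Echo "usage: cscript diff_baseline.vbs <baseline.csv> <current.csv>"
    WScript.Quit 1
End If

' host|fullpath -> size|lastmodified for every file seen in the earlier sweep
Set baseline = LoadSweep(args.Item(0))
newFiles = 0
changedFiles = 0

Set current = fso.OpenTextFile(args.Item(1), ForReading)
Do Until current.AtEndOfStream
    rec = Split(current.ReadLine, ",")
    If IsFileRow(rec) Then
        key = rec(0) & "|" & rec(1)
        nowState = rec(2) & "|" & rec(3)
        If Not baseline.Exists(key) Then
            ' A path the baseline never saw: exactly the "new executable" case.
            WScript.Echo "NEW," & rec(0) & "," & rec(1) & "," & nowState
            newFiles = newFiles + 1
        ElseIf baseline(key) <> nowState Then
            ' Same path, different size or timestamp: a replaced or patched binary.
            WScript.Echo "CHANGED," & rec(0) & "," & rec(1) & "," & baseline(key) & " -> " & nowState
            changedFiles = changedFiles + 1
        End If
    End If
Loop
current.Close
WScript.Echo "new=" & newFiles & " changed=" & changedFiles

' True for a data row.  VBScript's And does not short-circuit, so check the
' element count before touching rec(1).
Function IsFileRow(rec)
    IsFileRow = False
    If UBound(rec) >= 3 Then
        If rec(0) <> "host" And rec(1) <> "ERROR" Then IsFileRow = True
    End If
End Function

Function LoadSweep(path)
    Dim f, d, row
    Set d = CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare   ' NTFS paths are case-insensitive
    Set f = fso.OpenTextFile(path, ForReading)
    Do Until f.AtEndOfStream
        row = Split(f.ReadLine, ",")
        If IsFileRow(row) Then d(row(0) & "|" & row(1)) = row(2) & "|" & row(3)
    Loop
    f.Close
    Set LoadSweep = d
End Function
```

Two caveats a practitioner should keep in mind. CIM_DataFile gives you size and modification time but no hash, so a binary swapped for one of identical size with its timestamp restored will not be flagged; treat a CHANGED or NEW hit as the trigger for pulling the file and hashing it, not as the verdict. And a host that appears as an ERROR row in the baseline has nothing to compare against, so its entire executable population will be reported as NEW on the next successful sweep.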

For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6 day course, "Advanced System & Network Auditing". David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses.
