Cache Me If You Can!

1 © Mandiant, a FireEye Company. All
rights reserved. © Mandiant, a FireEye Company. All rights reserved. Cache Me If You Can! Matt Bromiley Senior Consultant, Mandiant

rights reserved. Agenda • $ whoami • Why Does this Matter? • Windows Application Experience and Compatibility • Forensic Shim Artifacts • RecentFileCache • ShimCache • AmCache • Wrapping Up

rights reserved. $ whoami • Currently a Senior Consultant with Mandiant • 4+ years experience with a focus on data breaches, incident response, network security monitoring, and digital forensics • Work with clients from small, regional shops to multinational Fortune 50s • SANS FOR508 TA • LOVE to share, learn, and help others improve (while improving myself!) Tweet/Git/Blog [@]505Forensics[.com]

rights reserved. Why Does This Matter? “Malware Can Hide, But It Must Run” -SANS

rights reserved. Why Does This Matter? - “Malware Can Hide, But It Must Run” • Malware authors are continually improving the methods by which they hide their malware • Persistence mechanisms are becoming a study unto themselves, due to the intricacies of various operating systems • Environments are now running multiple versions of multiple operating systems • How can we scale our analysis to focus on artifacts that matter? • Which artifacts should we be examining, and how long do we have value?

rights reserved. Why Does This Matter? Forensic Artifacts Time Since Incident

rights reserved. Why Does This Matter? – Time Is Your Enemy • IR usually triggers on an event, and we backtrack in time. • As time increases, artifacts that are available may decrease • Logs roll • Users gonna use • Shutdowns and Reboots • Re-deployment • Destroyed

rights reserved. Why Does This Matter? – Add to Your Arsenal • Forensicators need to have as much information as possible • Cache entries can also tell us what else happened before/after the malware was run • The goal is to understand compromise;; paint a picture of attacker activity • Windows *caches help to understand more about what happened when • We are constantly peeking back in time • We need artifacts that can hopefully stand the test of time as well!

rights reserved. Windows Application Experience and Compatibility • Microsoft Windows Application Compatibility Infrastructure, aka Shim Infrastructure • Designed to help mitigate software “breaking” due to Windows “upgrades” or “improvement” • Implemented via API hooking;; redirects API calls from Windows to alternative code • Redirects to shim code • Allows for applications with older code dependencies to run without performance/software issues to the user

rights reserved. Windows Application Experience and Compatibility (cont.) Application without Shims: Application with Shims: Source: https://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx

rights reserved. Windows Application Experience and Compatibility (cont.) Expected Shim activity: • When process creation begins, Windows checks for application compatibility flags. If present, then the application compatibility databases are references through the shim engine • Parse through shim databases for additional verification of compatibility needs • If required, load the shim engine DLL

rights reserved. RecentFileCache • Located at C:\Windows\AppCompat\Programs\RecentFileCache.bcf • Typically available on versions older than Windows 8 & 10 • Temporary storage of a recent list of executed applications • What may cause a program to be stored in here? • “New” programs (downloaded/copied) • First runs of known-programs • Volatility • HIGHLY VOLATILE • Cleared when the Application Experience ProgramDataUpdater is executed, potentially storing long-term

rights reserved. RecentFileCache (cont.)

rights reserved. RecentFileCache - Parsing • Harlan Carvey has written a Perl carver • https://github.com/keydet89/Tools/blob/master/source/rfc.pl • Patrick Olsen has written a Python carver • https://github.com/sysforensics/RecentFileCacheParser Example: python rfcparse.py –f /path/to/RecentFileCache.bcf c:\windows\syswow64\unregmp2.exe c:\program files (x86)\windows media player\wmpshare.exe

rights reserved. RecentFileCache – Parsing (cont.) • Lance Mueller also created a EnCase v7 EnScript that can extract RecentFileCache data from memory images, unallocated space, or find the file itself • Available at http://www.forensickb.com/2015/04/encase-v7-enscript-to-carve.html

rights reserved. ShimCache • Located within the SYSTEM registry hive • Windows XP-(ish): HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache • !Windows XP(-ish): HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache • Contains program execution/shim details;; more extensive than RecentFileCache • Lower volatility than RecentFileCache;; can store up to 1024 entries

rights reserved. ShimCache – Windows XP • Entries are created when a new file is executed, or application is modified and executed. • Registry entries are 552 bytes in size;; registry will contain max 96 entries • Entry has a 400 byte header that begins with 0xDEADBEEF • Header also contains • Number of entries in record • Indices used by cache manger

rights reserved. ShimCache – Windows XP (cont.) • Entries contain • Full path of executable • $SI Last Modified Time • File Size • Last File Update Time • Winlogon saves cache contents to registry during system shutdown • Cache entries may be recovered from unallocated registry or disk space • Yes, you can carve for these! Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

rights reserved. ShimCache – Windows Server 2003 • Registry path changes • …\AppCompatCache\AppCompatCache • Registry entries are 24 or 32 bytes in length;; registry will contain max 512 entries • Entry has a 8 byte header that begins with 0xBADC0FFE, and contains number of entries • Entries will be updated for new executables, or existing executables with path changes/modifications • Differences between 32- and 64-bit;; important to note for parsing!! Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

rights reserved. ShimCache – Windows Vista/Server 2008 • Registry entries are 24 or 32 bytes in length • Cache contains up to 1024 entries • Two 4-byte flags added (dwInsertFlags and dwFlags) • File size removed • Applications may now be added to cache without execution! • Windows Explorer may parse EXE metadata and applications are added to cache Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

rights reserved. ShimCache – Windows 7 and Server 2008 R2 • Registry entries are 32 or 48 bytes in length • Cache contains up to 1024 entries • Entry has a 128-byte header that begins with 0xBADC0FEE, and contains number of cache entries • Non-executed applications may still be recorded;; however we can detect execution • Only timestamps recorded are still $STANDARD_INFORMATION last modified times

rights reserved. ShimCache – Windows 7 and Server 2008 R2 (cont.) • New cache updates now include a flag that may tell if application was executed or not • dwInsertFlags may be written with a value of 2, indicating execution • dwShimFlags relate to Compatibility Database • qwBlob* values may relate to execution of installers Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

rights reserved. ShimCache - Parsing • Multiple tools available to parse ShimCache • Mandiant’s own ShimCacheParser tool • https://github.com/mandiant/ShimCacheParser • Can parse multiple file outputs: • Registry hives • Extracted keys • Current (live) system • MIR XML files • Output will be returned with most-recent execution first

rights reserved. ShimCache – Parsing (cont.) • ShimCacheParser Usage: python ShimCacheParser.py –i <hive_file> -o <hostname>.appcompat.out [+] Reading registry hive: SYSTEM... [+] Found 32bit Windows 7/2k8-R2 Shim Cache data... [+] Found 32bit Windows 7/2k8-R2 Shim Cache data... [+] Writing output to <hostname>.appcompat.out...

rights reserved. ShimCache – Parsing (cont.) • AppCompatCacheParser by Eric Zimmerman • Available at http://binaryforay.blogspot.com/p/software.html • Can parse live system or dead hives • Usage: AppCompatCacheParser.exe –s <output_dir> -h <path_to_hive>

rights reserved. AmCache • On Windows 8 & 10/Server 2012, RecentFileCache.bcf/ShimCache is replaced with ‘AmCache’ hive • Location: C:\Windows\appcompat\Programs • Now a Windows NT Registry (REGF) hive

rights reserved. AmCache (cont.) • AmCache ups the forensic game significantly! • Now records: • SHA-1 hash! • PE Header fields • Multiple timestamps (last modified, created) • Full path to file • File version • File Size • Product Name • Program ID • Increased forensic value for investigators

rights reserved. AmCache (cont.) • Records are grouped by Volume GUIDs • You can compare registry “folders” to GUIDs found under SYSTEM\MountedDevices • Root > File > Volume GUID • Volume GUID folders contain entries;; each entry represents a program within the AmCache • Hexadecimal values + 17, 100, and 101 • E.g. 101 represents the SHA-1 of the file

rights reserved. AmCache - Parsing • Eric Zimmerman has developed AmcacheParser • Available at https://www.dropbox.com/s/1letm7lll3wj1ca/AmcacheParser.zip?dl=1 • Eric’s tool also incorporates whitelist/blacklist capabilities • Usage: AmcacheParser.exe –s <output_dir> -f <path_to_amcache_hive> [-w <SHA-1 whitelist>] [-b <SHA-1 blacklist>]

rights reserved. AmCache – Parsing (cont.) • Willi Ballenthin has created a Python script to parse the AmCache hive • Available at https://github.com/williballenthin/python- registry/blob/master/samples/amcache.py • Yogesh Khatri has created EnCase v6 and v7 parsers • Outputs to the console • Available at swiftforensics.com

rights reserved. Analysis Techniques • Case Study 1. Imagine: SOC receives an alert of malicious traffic originating from a user workstation. 2. IR team collects targeted artifacts from the host, including registry hives and event logs 3. Event log parsing shows multiple A/V errors on the file C:\Windows\oSCMpGpk.exe 1. Administrator user logs in, disables A/V, the errors stop 2. We have a filename as a pivot point 4. Analyst parses ShimCache data from registry to examine execution artifacts

rights reserved. Analysis Techniques (cont.) • ShimCache Analysis Techniques

rights reserved. Wrapping Up • As forensic investigators, we are constantly seeking new artifacts to help us paint the picture of activity on a system • Artifacts are temporal;; some are extremely volatile, others have a longer “shelf-life” • The various *caches available since Windows XP help provide analysts another source of information to profile suspicious activity • There are multiple parsers available for each;; pick which works best for you!

rights reserved. Shoulders of Giants… SANS – http://www.sans.org Tools Mandiant ShimCache Whitepaper - https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Eric Zimmerman - http://binaryforay.blogspot.com/ Blogs Corey Harrell - http://journeyintoir.blogspot.com Harlan Carvey - http://windowsir.blogspot.com Yogesh Khatri - http://www.swiftforensics.com

Cache Me If You Can!

Cache Me If You Can!

More Decks by bromiley

Other Decks in Technology

Featured

Transcript