With the "new" release, I thought it would be good to share a couple of tips as to how you can get the most out of RegRipper v3.0. I should note that for the most part, all of these tips are the same things I've recommended for using RegRipper v2.8, as well.
The "Kitchen Sink" Approach
When you take the "kitchen sink" approach and run every available plugin against a hive file, you're going to get a great deal of info back, some of which may not make sense or even apply to the case on which you're working. As such, you're likely going to have questions about some of what you see, and whether it can be applied to the case you're working on. I provided the GUI tool to operate in exactly this manner, because according to many, this is the primary use case, and how RegRipper is most often used. However, what follows are some tips that might be helpful, particularly if you do not want to use this approach.
Check The References
If you have a question about a plugin, feel free to open the plugin in Notepad (I use Notepad++ or UltraEdit) and take a look at the contents, particularly the "header". If you're not sure what a "header" is, it's all the stuff commented out (preceded by '#') at the top of the plugin. If you're using something like Notepad++, the header may appear in a different color, such as green, thanks to syntax highlighting. Very often, the header will contain reference information or URLs that provide insight as to why the plugin was written and how the information returned by the plugin may be applied to specific use cases.
Finding a Plugin
Sometimes, you might want to check and see if there's a plugin that gets some information you're interested in, as it may be helpful to your case. There is no online reference for the plugins; the v2.8 distro contains 386 plugins, and the v3.0 distro contains 248 plugins, so keeping a reference or wiki of some kind is still going to require searching. Further, not all of the plugins look for specific values, but instead get all or most of the values beneath a key, so if you're looking for a specific value name, or some element that may be included in the data, you may not find it.
In order to see if there's a plugin that looks for a particular key or value name, I use the following command:
C:\perl\rr3\plugins>findstr /C:"UseLogonCredential" /i *.pl
...or to find any plugins that reference blog posts from PenTestLabs (hint: there are two), I use the following command:
C:\perl\rr3\plugins>findstr /C:"pentestlab" /i *.pl
If you don't find what you're looking for, ask. Yep, it's that easy. Just ask. Sure, you can go on social media and say, "hey, RegRipper doesn't have a plugin that does this...", and that may very well be true. However, RegRipper was originally designed to be a community-supported project; if you don't find a plugin that does something you need, either write one (Corey Harrell did a lot of that, starting off with simply copy-paste...), or share a request along with some data so that it can be written. In most cases, I've turned a plugin around in an hour or so, with limited data for testing. As time goes on and more data becomes available, the testing improves, and the there may be corresponding improvements in the plugins, as well.
A final note on that thought...when looking for a plugin, spelling helps. Tremendously. You don't even know.
Building Profiles
I know that some folks are of the opinion that the RegRipper GUI doesn't allow you to modify the available profiles, but that is simply NOT the case. In fact, all you need to do to create your own profiles is find the double-secret-monkey-stuff Windows tool called "Notepad". ;-) Really, it's that easy.
A "profile" is a list of plugins that are run by rip.exe, via the "-f" switch. You can use rip to run individual plugins, but if you have a series of plugins that you want to run against a hive, the easiest way, and one that is self-documenting, is to use a profile. To create a profile, just create a text file with no extension, and add the plugins you want to run, one on each line. For example, to build out a profile that lets me check the Software hive for information related to connected USB devices, I'd create a file called "USB-Software" (again, no file extension), and then add the following plugins:
emdmgmt
portdev
volinfocache
That's all it takes. As new information is developed and new plugins become available, I might add some of those plugins to the profile.
RegRipper v2.8
As a final note and just a reminder, I'm no longer supporting RegRipper v2.8. I'll leave the repo up for the time being, but I'll be removing the repo before too long (date TBD).
I hope that someone finds this information useful.
RegRipper v3.0
I recently released RegRipper v3.0, something I've been working on since Aug, 2019.
I am no longer supporting RegRipper 2.8. I'll leave the repo up for the time being, but I will not be writing plugins to support that version. You can move plugins written for v2.8 to the v3.0 plugins folder, and they will work fine. However, due to modifications in the date output format, the reverse is not true.
What's New?
Fig. 1: RegRipper GUIGUI - The GUI (i.e., rr.exe) no longer makes use of profiles. When you launch the GUI, you'll see what appears in figure 1. Note that you can select the hive, and the output folder for the report, but there is no longer a drop-down for selecting a profile.
Instead, what now happens is that the hive file type is "guessed"/determined, and the tool runs through the entire plugins folder to build a list of all plugins that apply to that hive, and then runs them. All of them. There is no longer any need to maintain a profile for use with the GUI. In the end, the idea of profiles seemed to be just too confusing.
The hive file types that RR "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache.
However, the capability to run individual plugins and profiles still exists, albeit via the command line tool, rip.exe. More about that later.
Date Format - the date output format has changed. Phill Moore had asked for this via Twitter back in Feb, and more recently, a Github issue had been submitted via the Autopsy Github site. The issue what was submitted asked for date output format IAW ISO 8601, but what was asked for was not, in fact, compliant with ISO 8601. Rather, what they'd asked for was the RFC 3339 profile. That's very likely much more than you wanted to know, so to be brief, the date output format is now:
YYYY-MM-DD HH:MM:SS
Note the space between the date and time...that's what is NOT compliant with ISO 8601, but it is what was asked for. In those instances where the time stamp is equivalent to UTC, I've added "Z" to the date output format.
Plugin Updates - As part of the process of "fixing" all 386 plugins in the 2.8 distro, a good number of them were updated, modified, consolidated, or simply "whacked". In this case, "whacked" means removed from the main distro, moved to a separate folder, and may be addressed at a later date.
At the moment, the 3.0 distro contains 248 plugins. The easiest way to find something specific in the plugins is to use a hidden MS tool called "findstr". Navigate to the plugins folder and type a command such as:
findstr /C:"UseLogonCredential" /i *.pl
...or...
findstr /C:"pentestlab" /i *.pl
If you can't find a plugin that addresses a specific need, then reach out and ask. I recently was provided some information about a key, and some sample data, by a co-worker, and within an hour was able to turn around a fully functional plugin.
RIP - the capabilities of the command line tool have been modified significantly, which you can see from the syntax info below:
Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.
-r [hive] .........Registry hive file to parse
-d ................Check to see if the hive is dirty
-g ................Guess the hive file type
-a ................Automatically run hive-specific plugins
-aT ...............Automatically run hive-specific TLN plugins
-f [profile].......use the profile
-p [plugin]........use the plugin
-l ................list all plugins
-c ................Output plugin list in CSV format (use with -l)
-s systemname......system name (TLN support)
-u username........User name (TLN support)
-uP ...............Update default profiles
-h.................Help (print this information)
Ex: C:\>rip -r c:\case\system -f system
C:\>rip -r c:\case\ntuser.dat -p userassist
C:\>rip -r c:\case\ntuser.dat -a
C:\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2020 Quantum Analytics Research, LLC
Notice the "-a" switch; this replicates what the GUI does, in that it gets the hive file type, then runs through the plugins folder and finds all plugins that pertain to that hive type, and then runs them. The "-aT" switch does the same thing, but for the timeline (*_tln.pl) plugins. As with the RR GUI, the hive file types that rip "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache. However, with rip.exe, you can still run the plugins designated for "all" hive types; rlo.pl, null.pl, del.pl, etc., via the command line using the "-p" switch.
Also, you still have the capability to run profiles via rip.exe. This is very useful if you don't want to take a "kitchen sink" approach, but you want to be able to easily run several plugins, such as for a USB playbook.
Caveats
RegRipper is not and never was intended to be an "all knowing" tool. It was intended to be a "good" tool that made people's jobs easier, and the only real way to do that is if analysts provide input. So, rather than saying, "RegRipper doesn't...", why not grab some sample data, attach it to an email and send in a request? I've been pretty good about turning something around within an hour, and more time and more data for testing simply means that the plugin becomes more useful for others, as well.
I haven't seen everything, nor do I know everything. I do not offer myself up as an "expert". This is to say that the available RegRipper plugins are based on either what I've seen or what others have shared with me. For example, I read about Project TajMahal, did some testing, and the printer_settings.pl plugin checks to see if the KeepPrintedJobs property is enabled. But that doesn't mean the everything pertinent to your case is included in a plugin; if that turns out to be the case, I'm more than happy to assist where I can, and were you allow me to do so.
I am no longer supporting RegRipper 2.8. I'll leave the repo up for the time being, but I will not be writing plugins to support that version. You can move plugins written for v2.8 to the v3.0 plugins folder, and they will work fine. However, due to modifications in the date output format, the reverse is not true.
What's New?
Fig. 1: RegRipper GUIGUI - The GUI (i.e., rr.exe) no longer makes use of profiles. When you launch the GUI, you'll see what appears in figure 1. Note that you can select the hive, and the output folder for the report, but there is no longer a drop-down for selecting a profile.Instead, what now happens is that the hive file type is "guessed"/determined, and the tool runs through the entire plugins folder to build a list of all plugins that apply to that hive, and then runs them. All of them. There is no longer any need to maintain a profile for use with the GUI. In the end, the idea of profiles seemed to be just too confusing.
The hive file types that RR "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache.
However, the capability to run individual plugins and profiles still exists, albeit via the command line tool, rip.exe. More about that later.
Date Format - the date output format has changed. Phill Moore had asked for this via Twitter back in Feb, and more recently, a Github issue had been submitted via the Autopsy Github site. The issue what was submitted asked for date output format IAW ISO 8601, but what was asked for was not, in fact, compliant with ISO 8601. Rather, what they'd asked for was the RFC 3339 profile. That's very likely much more than you wanted to know, so to be brief, the date output format is now:
YYYY-MM-DD HH:MM:SS
Note the space between the date and time...that's what is NOT compliant with ISO 8601, but it is what was asked for. In those instances where the time stamp is equivalent to UTC, I've added "Z" to the date output format.
Plugin Updates - As part of the process of "fixing" all 386 plugins in the 2.8 distro, a good number of them were updated, modified, consolidated, or simply "whacked". In this case, "whacked" means removed from the main distro, moved to a separate folder, and may be addressed at a later date.
At the moment, the 3.0 distro contains 248 plugins. The easiest way to find something specific in the plugins is to use a hidden MS tool called "findstr". Navigate to the plugins folder and type a command such as:
findstr /C:"UseLogonCredential" /i *.pl
...or...
findstr /C:"pentestlab" /i *.pl
If you can't find a plugin that addresses a specific need, then reach out and ask. I recently was provided some information about a key, and some sample data, by a co-worker, and within an hour was able to turn around a fully functional plugin.
RIP - the capabilities of the command line tool have been modified significantly, which you can see from the syntax info below:
Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.
-r [hive] .........Registry hive file to parse
-d ................Check to see if the hive is dirty
-g ................Guess the hive file type
-a ................Automatically run hive-specific plugins
-aT ...............Automatically run hive-specific TLN plugins
-f [profile].......use the profile
-p [plugin]........use the plugin
-l ................list all plugins
-c ................Output plugin list in CSV format (use with -l)
-s systemname......system name (TLN support)
-u username........User name (TLN support)
-uP ...............Update default profiles
-h.................Help (print this information)
Ex: C:\>rip -r c:\case\system -f system
C:\>rip -r c:\case\ntuser.dat -p userassist
C:\>rip -r c:\case\ntuser.dat -a
C:\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2020 Quantum Analytics Research, LLC
Notice the "-a" switch; this replicates what the GUI does, in that it gets the hive file type, then runs through the plugins folder and finds all plugins that pertain to that hive type, and then runs them. The "-aT" switch does the same thing, but for the timeline (*_tln.pl) plugins. As with the RR GUI, the hive file types that rip "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache. However, with rip.exe, you can still run the plugins designated for "all" hive types; rlo.pl, null.pl, del.pl, etc., via the command line using the "-p" switch.
Also, you still have the capability to run profiles via rip.exe. This is very useful if you don't want to take a "kitchen sink" approach, but you want to be able to easily run several plugins, such as for a USB playbook.
Caveats
RegRipper is not and never was intended to be an "all knowing" tool. It was intended to be a "good" tool that made people's jobs easier, and the only real way to do that is if analysts provide input. So, rather than saying, "RegRipper doesn't...", why not grab some sample data, attach it to an email and send in a request? I've been pretty good about turning something around within an hour, and more time and more data for testing simply means that the plugin becomes more useful for others, as well.
I haven't seen everything, nor do I know everything. I do not offer myself up as an "expert". This is to say that the available RegRipper plugins are based on either what I've seen or what others have shared with me. For example, I read about Project TajMahal, did some testing, and the printer_settings.pl plugin checks to see if the KeepPrintedJobs property is enabled. But that doesn't mean the everything pertinent to your case is included in a plugin; if that turns out to be the case, I'm more than happy to assist where I can, and were you allow me to do so.
Registry Analysis, pt II
In my last blog post, I provided a brief description of how I perform "Registry analysis", and I thought it would be a good idea to share the actual mechanics of getting to the point of performing Registry analysis.
First off, let me state clearly that I rarely perform Registry analysis in isolation from other data sources and artifacts on the system. Most often, I'll incorporate file system metadata, as well as Windows Event Log metadata, into my analysis in order to develop a clearer picture of the activity. Doing this helps me to 'see' activity that might be associated with a threat actor, and it goes a long way towards removing guesses and speculation from my analysis.
For instance, I'll incorporate Windows Event Log record metadata using the following command:
C:\tools>wevtx.bat d:\case\*.evtx > d:\case\evtx_events.txt
The above command places the record metadata, decorated using intrusion intel from the eventmap.txt file, into an intermediate file, with all of the entries in the 5-field TLN format. I can then make use of just this file, or I can incorporate it into my overall timeline events file using the 'type' command:
C:\tools>type evtx_events.txt >> events.txt
That being said, there are times when I have been asked to "take a look at the Registry", and during those times, my hope is to have something around which to pivot...a service name, a specific date and time, some particular event, etc. I'll start this process by listing all of the Registry keys in the Software and System hives based on the key LastWrite times, using the following commands:
C:\tools>regtime -m HKLM/Software/ -r d:\case\software > d:\case\reg_events.txt
C:\tools>regtime -m HKLM/System/ -r d:\case\system >> d:\case\reg_events.txt
Note: RegRipper will tell you if the hive you're accessing is 'dirty', and if so, you'll want to strongly consider merging the transaction logs into the hive prior to parsing. I like to do this as a separate process because I like to have the original hive file available so that I can look for deleted keys and values.
If there's a suspicion or evidence to suggest that a local user account was created, then adding metadata from the SAM hive is pretty simple and straightforward:
C:\rr3>rip -r d:\case\sam -p samparse_tln >> d:\case\reg_events.txt
When I say "evidence to suggest" that the threat actor added a local account to the system, one way to check for that is to hope the right auditing was enabled, and that you'd find the appropriate records in the Security Event Log. Another way to check is to parse the SAM Registry hive:
C:\rr3>rip -r d:\case\sam -p samparse
Then, correlate what you see to the ProfileList key from the Software hive:
C:\rr3>rip -r d:\case\software -p profilelist
Looking at these two data sources allows us to correlate user accounts and RIDs to user profiles on the system. In many cases, we'll have to consider domain accounts (different SIDs), as well.
I'll also include other specific information from the Registry hives in the timeline:
C:\rr3>rip -r d:\case\system -p shimcache_tln >> d:\case\reg_events.txt
...
I'll also incorporate the AmCache metadata, as well:
C:\rr3>rip -r d:\case\amcache.hve -p amcache_tln >> d:\case\reg_events.txt
For a user, I generally want to create a separate mini-timeline, using similar commands as above:
C:\tools>regtime -m HKCU/ -r d:\case\user\ntuser.dat -u user > d:\case\user\reg_events.txt
C:\tools>regtime -m HKCU/ -r d:\case\user\usrclass.dat -u user >> d:\case\user\reg_events.txt
C:\rr3>rip -r d:\case\user\usrclass.dat -u user -p shellbags_tln >> d:\case\user\reg_events.txt
C:\rr3>rip -r d:\case\user\ntuser.dat -u user -p userassist_tln >> d:\case\user\reg_events.txt
...
Note: If you're generally looking at the same artifacts within a hive (NTUSER.DAT, etc.) over and over, it's a good idea to open Notepad and create a RegRipper profile. That way, you have a documented, repeatable process, all in a single command line.
Note: If you're looking at multiple systems, it's not only a good idea to differentiate users on the system via the "-u" switch, but also differentiate the system by using the "-s" switch in the RegRipper command lines. You can get the system name via the compname.pl RegRipper plugin.
Once the events file has been created, I have a source for parsing out specific items, specific time frames, or just the entire timeline, using parse.exe. I can create the entire timeline, and based on items I find to pivot on, go back to the events file and pull out specific items using combinations of the type and find commands. The complete timeline is going to contain all sorts of noise, much of it based on legitimate activity, such as operating system and application updates, normal user activity (logins, logoffs, day-to-day operations, etc.), and sometimes it's really helpful to be able to look at just the items of interest, and then view them in correlation with other items of interest.
Note: If you have a standard extraction process, or if you mount images using a means that makes the files accessible, all of this can be automated with something as simple as a batch or shell script.
Once I get to this point, the actual analysis begins...because parsing and display are not "analysis". Getting one value or the LastWrite time to one key is not "analysis". For me, analysis is an iterative process, and what I described above is just the first step. From there, I'll keep a viewer handy (usually MiTeC's WRR) and a browser open, allowing me to dig in deeper and research items of interest. This way, I can see values for keys for which there are not yet RegRipper plugins, such as when a new malware variant creates keys and values, or when a threat actor creates or modifies keys. When I do find something new like that (because the process facilitates finding something new), that then becomes a RegRipper plugin (or a modification to an existing plugin), decoration via the eventmap.txt file, etc. The point is that whatever 'new thing' is developed gets immediately baked back into the overall process.
For example, did a threat actor disable Windows Defender, and if so how? Via a batch file? No problem, we can use RegRipper to check the Registry keys and values. Via GPO? Same thing...use RegRipper. Via an sc.exe command? No problem...we can use RegRipper for that, as well.
What about open source intrusion intel, such as this FireEye blog post? The FireEye blog post is rich with intrusion intel that can be quickly and easily turned into plugins and event decoration, so that whenever those TTPs are visible in the data, the analyst is immediately notified, providing pivot points and making analysis vastly more consistent and efficient.
First off, let me state clearly that I rarely perform Registry analysis in isolation from other data sources and artifacts on the system. Most often, I'll incorporate file system metadata, as well as Windows Event Log metadata, into my analysis in order to develop a clearer picture of the activity. Doing this helps me to 'see' activity that might be associated with a threat actor, and it goes a long way towards removing guesses and speculation from my analysis.
For instance, I'll incorporate Windows Event Log record metadata using the following command:
C:\tools>wevtx.bat d:\case\*.evtx > d:\case\evtx_events.txt
The above command places the record metadata, decorated using intrusion intel from the eventmap.txt file, into an intermediate file, with all of the entries in the 5-field TLN format. I can then make use of just this file, or I can incorporate it into my overall timeline events file using the 'type' command:
C:\tools>type evtx_events.txt >> events.txt
That being said, there are times when I have been asked to "take a look at the Registry", and during those times, my hope is to have something around which to pivot...a service name, a specific date and time, some particular event, etc. I'll start this process by listing all of the Registry keys in the Software and System hives based on the key LastWrite times, using the following commands:
C:\tools>regtime -m HKLM/Software/ -r d:\case\software > d:\case\reg_events.txt
C:\tools>regtime -m HKLM/System/ -r d:\case\system >> d:\case\reg_events.txt
Note: RegRipper will tell you if the hive you're accessing is 'dirty', and if so, you'll want to strongly consider merging the transaction logs into the hive prior to parsing. I like to do this as a separate process because I like to have the original hive file available so that I can look for deleted keys and values.
If there's a suspicion or evidence to suggest that a local user account was created, then adding metadata from the SAM hive is pretty simple and straightforward:
C:\rr3>rip -r d:\case\sam -p samparse_tln >> d:\case\reg_events.txt
When I say "evidence to suggest" that the threat actor added a local account to the system, one way to check for that is to hope the right auditing was enabled, and that you'd find the appropriate records in the Security Event Log. Another way to check is to parse the SAM Registry hive:
C:\rr3>rip -r d:\case\sam -p samparse
Then, correlate what you see to the ProfileList key from the Software hive:
C:\rr3>rip -r d:\case\software -p profilelist
Looking at these two data sources allows us to correlate user accounts and RIDs to user profiles on the system. In many cases, we'll have to consider domain accounts (different SIDs), as well.
I'll also include other specific information from the Registry hives in the timeline:
C:\rr3>rip -r d:\case\system -p shimcache_tln >> d:\case\reg_events.txt
...
I'll also incorporate the AmCache metadata, as well:
C:\rr3>rip -r d:\case\amcache.hve -p amcache_tln >> d:\case\reg_events.txt
For a user, I generally want to create a separate mini-timeline, using similar commands as above:
C:\tools>regtime -m HKCU/ -r d:\case\user\ntuser.dat -u user > d:\case\user\reg_events.txt
C:\tools>regtime -m HKCU/ -r d:\case\user\usrclass.dat -u user >> d:\case\user\reg_events.txt
C:\rr3>rip -r d:\case\user\usrclass.dat -u user -p shellbags_tln >> d:\case\user\reg_events.txt
C:\rr3>rip -r d:\case\user\ntuser.dat -u user -p userassist_tln >> d:\case\user\reg_events.txt
...
Note: If you're generally looking at the same artifacts within a hive (NTUSER.DAT, etc.) over and over, it's a good idea to open Notepad and create a RegRipper profile. That way, you have a documented, repeatable process, all in a single command line.
Note: If you're looking at multiple systems, it's not only a good idea to differentiate users on the system via the "-u" switch, but also differentiate the system by using the "-s" switch in the RegRipper command lines. You can get the system name via the compname.pl RegRipper plugin.
Once the events file has been created, I have a source for parsing out specific items, specific time frames, or just the entire timeline, using parse.exe. I can create the entire timeline, and based on items I find to pivot on, go back to the events file and pull out specific items using combinations of the type and find commands. The complete timeline is going to contain all sorts of noise, much of it based on legitimate activity, such as operating system and application updates, normal user activity (logins, logoffs, day-to-day operations, etc.), and sometimes it's really helpful to be able to look at just the items of interest, and then view them in correlation with other items of interest.
Note: If you have a standard extraction process, or if you mount images using a means that makes the files accessible, all of this can be automated with something as simple as a batch or shell script.
Once I get to this point, the actual analysis begins...because parsing and display are not "analysis". Getting one value or the LastWrite time to one key is not "analysis". For me, analysis is an iterative process, and what I described above is just the first step. From there, I'll keep a viewer handy (usually MiTeC's WRR) and a browser open, allowing me to dig in deeper and research items of interest. This way, I can see values for keys for which there are not yet RegRipper plugins, such as when a new malware variant creates keys and values, or when a threat actor creates or modifies keys. When I do find something new like that (because the process facilitates finding something new), that then becomes a RegRipper plugin (or a modification to an existing plugin), decoration via the eventmap.txt file, etc. The point is that whatever 'new thing' is developed gets immediately baked back into the overall process.
For example, did a threat actor disable Windows Defender, and if so how? Via a batch file? No problem, we can use RegRipper to check the Registry keys and values. Via GPO? Same thing...use RegRipper. Via an sc.exe command? No problem...we can use RegRipper for that, as well.
What about open source intrusion intel, such as this FireEye blog post? The FireEye blog post is rich with intrusion intel that can be quickly and easily turned into plugins and event decoration, so that whenever those TTPs are visible in the data, the analyst is immediately notified, providing pivot points and making analysis vastly more consistent and efficient.
- « Previous Page
- 1
- 2
- 3
- 4
- …
- 12
- Next Page »