Closed nyrm-f closed 2 years ago
Hi,
please check the changes. You need to replace the configuration.json file to enable the regtimeline parser:
https://github.com/DFIRKuiper/Kuiper/blob/master/kuiper/app/parsers/regsk/configuration.json
Hello,
thank you for the add. I've copied over the new configuration.json file and gotten it to parse.
Kuiper does now display the above keys, but the current issue is that it does not show the values for the key.
I think this is because REGtimeline was able to parse NTUSER.dat, but it errors out parsing any SOFTWARE hive I give it, where the values of the key would be stored.
Any ideas?
This also had some issues parsing SYSTEM hives.
I think this issue is from the yarp library; try to run yarp directly on the hive file. If it fails, that means the problem is in yarp.
Regarding the data: it parses each record as either a key or a value. For example, the key is the first record; it will not have a value. The second record is the value; a key with multiple values will have multiple records with the same key. If you want the data for the value, check the record details.
Thanks for the reply. Could you elaborate on how to run yarp on the file?
I've installed a fresh version of Kuiper and am still getting issues with SYSTEM and SOFTWARE hives.
Download yarp from here https://github.com/msuhanov/yarp then run
pip3 install ./
python3 yarp-print <path-to-SYSTEM>
If it worked, that means yarp has no issue opening the file.
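The two comments above describe how regsk lays records out (a key record first, with no value, then one record per value under the same key path, with the data in the value record) and how to use yarp directly to confirm that a hive opens. The following script, added here as an example and not code from Kuiper or yarp, combines both: it walks a hive with yarp, emits records in that key-then-values shape, and counts the value records per key so the total can be compared against what the Kuiper view shows (for example, the 7 values expected under a key). The yarp method names used (RegistryHive, root_key, subkeys, values, path, last_written_timestamp, name, type_str, data_raw) are assumed from my reading of yarp's API; the record helpers themselves need no yarp and run on constructed input.

```python
"""Walk a registry hive with yarp and emit flat key/value records.

Assumed yarp API (not verified against a pinned yarp version):
  Registry.RegistryHive(fileobj), hive.root_key(), key.path(), key.subkeys(),
  key.values(), key.last_written_timestamp(), value.name(), value.type_str(),
  value.data_raw().
"""
import datetime
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


@dataclass
class Record:
    key_path: str                              # full key path inside the hive
    last_written: Optional[datetime.datetime]  # key's last-written timestamp
    value_name: Optional[str]                  # None for the key record itself
    value_type: Optional[str]                  # e.g. "REG_BINARY"; None for the key record
    data: Optional[bytes]                      # raw value data; None for the key record


def records_for_key(key_path: str,
                    last_written: Optional[datetime.datetime],
                    values: Iterable[Tuple[str, str, bytes]]) -> Iterator[Record]:
    """Yield the key record first (no value), then one record per value.

    This is the record model described in the thread: the key itself is one
    record without a value, and each value is a separate record carrying the
    same key path, with the data stored in the value record.
    """
    yield Record(key_path, last_written, None, None, None)
    for name, vtype, data in values:
        yield Record(key_path, last_written, name, vtype, data)


def count_values_by_key(records: Iterable[Record]) -> Dict[str, int]:
    """Count value records per key path (keys with no values count 0).

    Comparing this against the number of values a viewer displays shows
    whether value records were dropped somewhere in the pipeline.
    """
    counts: Dict[str, int] = {}
    for r in records:
        counts.setdefault(r.key_path, 0)
        if r.value_name is not None:
            counts[r.key_path] += 1
    return counts


def walk_hive(hive_path: str) -> Iterator[Record]:
    """Generator over every key/value record in a hive file, using yarp.

    Records are streamed rather than collected, so a hive with a very large
    number of values does not have to be held in memory at once.
    """
    from yarp import Registry  # imported lazily so the helpers above work without yarp
    with open(hive_path, "rb") as f:
        hive = Registry.RegistryHive(f)

        def walk(key) -> Iterator[Record]:
            values: List[Tuple[str, str, bytes]] = [
                (v.name(), v.type_str(), v.data_raw()) for v in key.values()
            ]
            yield from records_for_key(key.path(), key.last_written_timestamp(), values)
            for sub in key.subkeys():
                yield from walk(sub)

        yield from walk(hive.root_key())


if __name__ == "__main__":
    # usage: python3 dump_records.py <hive-file> [substring-of-key-path]
    hive_file = sys.argv[1]
    key_filter = sys.argv[2].lower() if len(sys.argv) > 2 else None
    counts = count_values_by_key(
        r for r in walk_hive(hive_file)
        if key_filter is None or key_filter in r.key_path.lower()
    )
    for path, n in sorted(counts.items()):
        print(f"{n:4d} values  {path}")
```

Run it against the same SOFTWARE or NTUSER.DAT hive that yarp-print opened, optionally with a key-path substring such as `Microsoft\Phone`, and compare the per-key value counts with what the Kuiper view lists; a mismatch on a key that yarp reads cleanly points at the Kuiper side rather than at yarp.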
Hello.
I was able to run yarp on it with no issues on the same SOFTWARE and SYSTEM hives. It printed right to the terminal with no errors from what I could see.
I got a copy of the malware and ran it in my own VM and have attached it here.
The malicious keys are stored in the NTUSER.dat, although Kuiper is not parsing all of the keys.
I looked at how yarp parses it and can see the keys in question; it's not making it over to Kuiper somehow.
Here is how the keys look in Registry Editor; Kuiper only shows value 3 out of the 7.
I've also included the file true_nt.txt, which is my yarp output of the ntuser.dat, in test_registries.zip.
SOFTWARE\Microsoft\Phone\paul0 is the first malicious key with 7 values. It's a binary split up over 7 keys.
SOFTWARE\Microsoft\Phone\paul is the second malicious key with 120+ values in it.
I've noticed they are all separate key values.
Would it be possible to have Kuiper stitch these together? So when you view the value field for SOFTWARE\Microsoft\Phone\paul, for example, all of the 120 values have been reassembled into one value for the key.
This would be very helpful for getting malware out of reg keys.
Hi,
I solved the issue with REGTimeline. The source code for calling the parser function for values was commented out due to the huge number of records generated by the parser, which impacts memory. I enabled it and modified some parts of the code to enhance memory utilization so it will not impact the processing.
Regarding combining the values to generate one record, unfortunately this is not good for two reasons.
Note: I added a troubleshooting guide for parsers here in case you face issues later.
Understood!
Just tested out the new code and it's working! Thanks so much.
Great to know about the troubleshooting guide, tysm.
Describe the parser: Parser that parses out all registry keys in all hives; displays values, names, etc. As it seems now, I am missing SOFTWARE keys.
Kuiper seems to parse some registry keys based on specific sources I see in regsk.
But there does not seem to be a parser that pulls out every single key from SAM, SYSTEM, SOFTWARE, etc.
Details of parser artifact file: Unable to pass this reg hive over at the moment, but can find another.
Already existing parser: maybe this will help (https://github.com/williballenthin/python-registry)
Additional context: Kuiper does not show the below registry keys; I have processed the same data with log2timeline and it processes it as shown below.
Log2timeline also includes the contents; as you can see there is a binary in the \phone\ key. I have redacted the user.