davehull / Kansa

A Powershell incident response framework
Apache License 2.0

Kansa Analysis: Get-ASEP* malformed output #77

Closed ihypbb closed 9 years ago

ihypbb commented 9 years ago

Hi,

When collecting autoruns with autorunsc output, it receives wrong results:

.\kansa.ps1 -pushbin -verbose -target localhost

Output file: localhost-autoruns

Time    EntryLocation   Entry   Enabled Category    Description Publisher   ImagePath   Version LaunchString    MD5 SHA1    PESHA1  PESHA256    SHA256  PSComputerName  RunspaceId  PSShowComputerName
11/25/2014 12:32 PM HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute           Boot Execute    System-wide                                     <compname>  768d310e-13ee-4427-9559-c2a113596910    True
11/20/2010 10:28 AM HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute   autocheck autochk * enabled Boot Execute    System-wide Auto Check Utility  (Verified) Microsoft Windows    c:\windows\system32\autochk.exe 6.1.7601.17514  autocheck autochk * 3b536a8bec3b4f23ffdfd78b11a2ab93    a017204d7e47bc183d81dcabf047dea32b120343    848E6BC7B8266497B64ADD8304AA839D5962BF61    7384E6AE5F06DF4BE58F27A2337CFF327B1361028AC39E6D3D475FB392814F0D 7bc847ce6c2d29c334f0d1600bbbde3933ff45f6bee5186f442e6270a3f9ec4e   <compname>  768d310e-13ee-4427-9559-c2a113596910    True
11/27/2014 6:58 AM  HKLM\System\CurrentControlSet\Control           Boot Execute    System-wide                                     <compname>  768d310e-13ee-4427-9559-c2a113596910    True
7/14/2009 2:32 AM   HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension    %systemroot%\system32\scext.dll enabled Boot Execute    System-wide Service Control Manager Extension DLL for non-minwin    (Verified) Microsoft Windows    c:\windows\system32\scext.dll   6.1.7600.16385  %systemroot%\system32\scext.dll e914a50a151dffe63d3935226db5e2c1    cfe23d7202c51ede46dc1b548eaa163b8c2c7b62    8EBB471A5EBB092BCD9CF9AED154F23FAEF3A9EC    18E8E08433A85C6F0B0C25066F0CBCBBF8EB3851053867552B404312EBE29CC5 7dcce4060344e1c771679f1c20378a0beb3c1f06db684072f07b98921a62a299   <compname>  768d310e-13ee-4427-9559-c2a113596910    True
8/29/2013 12:13 PM  HKLM\SOFTWARE\Classes\Htmlfile\Shell\Open\Command           Hijacks System-wide                                     <compname>  768d310e-13ee-4427-9559-c2a113596910    True
9/19/2014 12:53 AM  HKLM\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default) C:\Program Files\Internet Explorer\iexplore.exe enabled Hijacks System-wide Internet Explorer   (Verified) Microsoft Windows    c:\program files\internet explorer\iexplore.exe 11.0.9600.17344     6b9fdb34a5a490ff6a7ede280062626a    7c4317a5587e369752e91bc71e1f2c87ef4dce18    973AEB8F9082B0776BEB402A96D4C6C1F40E86E4    EC22A5FEBA46A8F904BD16DFACD8E84E0EE63E732407D1ED38BB1DAAA2B586A7 25e92f5b09fc20b30ccaf2b3a83465300f2af31d748acc0433be88b24cd0b8e8   <compname>  768d310e-13ee-4427-9559-c2a113596910    True
    WMI Database Entries            WMI System-wide                                     <compname>  768d310e-13ee-4427-9559-c2a113596910    True
    WMI Database Entries    BVTConsumer enabled WMI System-wide         File not found: KernCap.vbs     cscript KernCap.vbs                 <compname>  768d310e-13ee-4427-9559-c2a113596910    True
11/21/2014 2:35 PM  HKLM\System\CurrentControlSet\Services          Services    System-wide                                     <compname>  768d310e-13ee-4427-9559-c2a113596910    True
8/21/2014 5:27 PM   

When now analysing the file using Get-ASEPImagePathLaunchStringMD5Stack.ps1 e.g. I receive:

ct ImagePath                                                     LaunchString    MD5
-- ------------------------------------------------------------- --------------- -------------------------------------------------
0  <NULL>                                                        <NULL>          <NULL>
1  (Verified) Microsoft Windows                                  6.1.7600.16385  \SystemRoot\system32\drivers\umpass.sys
1  (Verified) Microsoft Windows                                  6.1.7601.18208  system32\drivers\usbaudio.sys
1  (Verified) Microsoft Windows                                  6.1.7601.17514  system32\DRIVERS\umbus.sys
1  (Verified) Microsoft Windows                                  6.1.7600.16385  \SystemRoot\system32\drivers\uagp35.sys
1  (Verified) Microsoft Windows                                  6.1.7600.16385  \SystemRoot\system32\drivers\uliagpkx.sys
1  (Verified) Microsoft Windows                                  6.1.7601.17514  system32\DRIVERS\tunnel.sys
1  (Verified) Microsoft Windows                                  6.1.7601.17514  \SystemRoot\system32\drivers\tsusbhub.sys
1  (Verified) Microsoft Windows                                  6.1.7601.18328  system32\DRIVERS\usbccgp.sys
1  (Verified) Microsoft Windows                                  6.1.7601.18208  \SystemRoot\system32\drivers\usbcir.sys
1  (Verified) Microsoft Windows                                  6.1.7600.16385  system32\drivers\vdrvroot.sys
1  (Verified) Microsoft Windows                                  6.1.7601.18208  System32\Drivers\usbvideo.sys
1  (Verified) Microsoft Windows                                  6.1.7601.18328  \SystemRoot\system32\drivers\usbuhci.sys

which does not reflect the column headers. It looks like the reformatting of the output is broken? Or am I doing anything wrong?

Thanks, Boris.

OS: Windows 7 PS: 3.0 kansa: 0.8436-beta

davehull commented 9 years ago

What version of Autorunsc are you using?

ihypbb commented 9 years ago

Sysinternals Autoruns v12.03 - Autostart program viewer

jt-msft commented 9 years ago

Sorry for the delay in getting back to this. I've been unable to reproduce the issue, so can you try it again and send me the full output file so I can run some more detailed debugging?

ihypbb commented 9 years ago

Hi Jon,

Thanks for your reply. At the moment I cannot reproduce the output, because of the error

[localhost] Connecting to remote server localhost failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

I need to troubleshoot it first. The PS shell was started with admin privileges.

Regards Boris.

From: Jon [mailto:notifications@github.com] Sent: Friday, 23 January 2015 16:39 To: davehull/Kansa Cc: Bock, Boris Subject: Re: [Kansa] Kansa Analysis: Get-ASEP* malformed output (#77)

davehull commented 9 years ago

With the latest updates to the Get-Autoruns collector, this should be fixed for the most recent couple versions of Autorunsc.exe and for future versions, until Mark Russinovich changes the command line arguments, but the field set is calculated dynamically based on Autorunsc's output.
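The dynamic field-set approach described above, as an added Python example (not Kansa's own PowerShell code): the parser takes its column names from the header row of the autorunsc-style output, reports rows whose field count disagrees with the header instead of shifting values under the wrong heading, and then frequency-stacks on ImagePath, LaunchString and MD5 the way the Get-ASEP*Stack scripts do. The sample data (including the HKCU entry and the truncated last row) is constructed for the example; the paths and hashes are the ones shown in the issue.

```python
import csv
import io
from collections import Counter

def parse_autoruns(text, delimiter="\t"):
    """Parse delimited autorunsc-style output, taking the field set from the header
    row rather than a fixed column list, so a different Autorunsc column layout does
    not land values under the wrong header. Rows whose field count differs from the
    header are reported as (line number, field count), not guessed at."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    header = next(reader)
    records, bad_rows = [], []
    for lineno, fields in enumerate(reader, start=2):
        if not fields:
            continue
        if len(fields) != len(header):
            bad_rows.append((lineno, len(fields)))
            continue
        records.append(dict(zip(header, fields)))
    return records, bad_rows

def stack(records, *keys):
    """Frequency-stack records on the given columns, rarest first (the idea behind Kansa's Get-ASEP*Stack scripts)."""
    counts = Counter(tuple(r.get(k, "") for k in keys) for r in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

# Constructed sample (hypothetical, not a real capture): header, three well-formed
# entries, and one row missing its last two fields, which a positional parser would mis-align.
HEADER = ["Time", "EntryLocation", "Entry", "Enabled", "Category",
          "Publisher", "ImagePath", "Version", "LaunchString", "MD5"]
ROWS = [
    ["11/20/2010 10:28 AM", r"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute", "autocheck autochk *",
     "enabled", "Boot Execute", "(Verified) Microsoft Windows", r"c:\windows\system32\autochk.exe",
     "6.1.7601.17514", "autocheck autochk *", "3b536a8bec3b4f23ffdfd78b11a2ab93"],
    ["9/19/2014 12:53 AM", r"HKLM\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)", r"C:\Program Files\Internet Explorer\iexplore.exe",
     "enabled", "Hijacks", "(Verified) Microsoft Windows", r"c:\program files\internet explorer\iexplore.exe",
     "11.0.9600.17344", "", "6b9fdb34a5a490ff6a7ede280062626a"],
    ["9/19/2014 12:53 AM", r"HKCU\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)", r"C:\Program Files\Internet Explorer\iexplore.exe",
     "enabled", "Hijacks", "(Verified) Microsoft Windows", r"c:\program files\internet explorer\iexplore.exe",
     "11.0.9600.17344", "", "6b9fdb34a5a490ff6a7ede280062626a"],
    ["7/14/2009 2:32 AM", r"HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension", r"%systemroot%\system32\scext.dll",
     "enabled", "Boot Execute", "(Verified) Microsoft Windows", r"c:\windows\system32\scext.dll", "6.1.7600.16385"],
]
SAMPLE = "\n".join("\t".join(r) for r in [HEADER] + ROWS) + "\n"

def run_sample():
    """Parse the constructed sample and stack it on ImagePath, LaunchString and MD5."""
    records, bad_rows = parse_autoruns(SAMPLE)
    return records, bad_rows, stack(records, "ImagePath", "LaunchString", "MD5")
```

Run `run_sample()`: the three complete rows come back keyed by header name, the 8-field row on line 5 is reported in `bad_rows`, and the stack shows the iexplore.exe entry twice and autochk.exe once.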