
A few weeks ago, I wrote a diary about forensics and the bash UNIX shell, and last week I attended the training FOR408 (Windows Forensics Analysis) in Amsterdam. The training was great and covered many ways to collect artifacts in a Microsoft Windows environment, but there was nothing about the Windows command line (cmd.exe or powershell.exe), which are common tools used by attackers or insiders. In fact, memory analysis is covered in the training FOR508. To make things clear, the good old cmd.exe does not provide any logging facilities at all. When the process is running, it is possible to use the in-memory history. Let's dump the memory of the running cmd.exe process with procdump:

    C:\> procdump.exe -accepteula -ma cmd.exe cmd.dump

And then search for interesting strings. Nothing! After some Google searches, I found a paper written in 2010 which explains how the command history is managed in the computer memory. Fortunately, Volatility has a module which helps to extract it:

    # ./vol.py -f laptop.dump consoles
    **************************************************
    ConsoleProcess: conhost.exe Pid: 7336
    Console: 0xff1c6200 CommandHistorySize: 50
    HistoryBufferCount: 1 HistoryBufferMax: 4
    OriginalTitle: %SystemRoot%\system32\cmd.exe
    Title: C:\WINDOWS\system32\cmd.exe
    AttachedProcess: cmd.exe Pid: 7308 Handle: 0x6c
    ----
    CommandHistory: 0x39eab0 Application: cmd.exe Flags: Allocated, Reset
    CommandCount: 42 LastAdded: 41 LastDisplayed: 41
    FirstCommand: 0 CommandCountMax: 50
    ProcessHandle: 0x6c
    Cmd #0 at 0x3774b0: cd /
    Cmd #1 at 0x399e90: cd users/xmertens
    Cmd #2 at 0x399ec0: type secret.txt
    Cmd #3 at 0x3774d0: history
    Cmd #4 at 0x39e2a0: h
    Cmd #5 at 0x39e2b0: dir
    Cmd #6 at 0x399ef0: type secret.txt
    Cmd #7 at 0x39e2c0: f:
    Cmd #8 at 0x39e2d0: dir
    Cmd #9 at 0x3774f0: md cases
    Cmd #10 at 0x39e2e0: e:
    Cmd #11 at 0x39e2f0: dir
    Cmd #12 at 0x377510: cd tools
    Cmd #13 at 0x39e300: ls
    Cmd #14 at 0x39e310: dir
    Cmd #15 at 0x377530: cd PSTools
    Cmd #16 at 0x39e320: dir
    Cmd #17 at 0x377550: cd ..
    Cmd #18 at 0x39e330: dir
    Cmd #19 at 0x377570: cd ..
    Cmd #20 at 0x39e340: dir
    ......

This plugin scans for CONSOLE_INFORMATION structures and prints the entire screen buffer (including input and output: the typed commands and their results). But to use Volatility, we need to capture a memory image of the target system, which can be slow and difficult to perform. How to get a real-time log? A small batch file based on doskey does the trick:

    @echo off
    doskey exit=doskey /h $g$g %USERPROFILE%\cmd.log$t exit $*

This will dump the cmd.exe history to the file cmd.log every time the user closes the session with exit (but

    C:\> cmd /k c:\scripts\cmdhist.bat
    C:\> whoami
    win10vm\xavier
    C:\> exit
    C:\> type %USERPROFILE%/cmd.log
    whoami
    C:\>

This technique has many limitations but, at least, data is written to disk (and data deleted from the disk can easily be recovered if the user erases the file!).

Another approach is to extend the existing cmd.exe features with a more powerful tool like Clink, which describes itself as "powerful bash-style command line editing for cmd.exe". Besides many interesting features to improve the command line, it saves the command history by default. Once installed, it can be executed automatically when a cmd.exe is launched, and the user's history is saved to %USERPROFILE%\AppData\Local\clink\.history. Like in a UNIX bash shell, the behavior of the history can be configured with environment variables:

  • history_dupe_mode
  • history_expand_mode
  • history_file_lines
  • history_ignore_space
  • history_io

And what about PowerShell? Like cmd.exe, it does not have a persistent mechanism to store the commands history. Clink is reported to be compatible with PowerShell (since the latest release) but it does not work for me. An alternative is to use the PSReadLine module. I found a blog post which explains how to implement history persistence in PowerShell.
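As an added example of such persistence (my own snippet, not the diary's nor the blog post's code), the following profile fragment makes PSReadLine write every accepted line to a file immediately and also exports the timed Get-History records when the session ends. It assumes PSReadLine is installed; the folder name cmdhistory is illustrative.

```powershell
# Added example (not from the diary): persist PowerShell command history for later review.
# Assumptions: PSReadLine is installed; the folder name 'cmdhistory' is illustrative.
# Drop this into $PROFILE so it runs for every interactive session.

$HistoryDir = Join-Path $env:USERPROFILE 'cmdhistory'
if (-not (Test-Path -Path $HistoryDir)) {
    New-Item -ItemType Directory -Path $HistoryDir | Out-Null
}

if (Get-Module -ListAvailable -Name PSReadLine) {
    Import-Module PSReadLine
    # SaveIncrementally writes each accepted line right away, so the history survives
    # a killed console; SaveAtExit would lose it, like the doskey trick does for cmd.exe.
    $opts = @{
        HistorySavePath     = Join-Path $HistoryDir 'psreadline_history.txt'
        HistorySaveStyle    = 'SaveIncrementally'
        MaximumHistoryCount = 4096
    }
    Set-PSReadLineOption @opts
}

# The PSReadLine file stores command text only. Get-History also records when each
# command started and ended, so export it when the session ends with 'exit'
# (closing the window does not raise PowerShell.Exiting, the same gap as the doskey trick).
$null = Register-EngineEvent -SourceIdentifier PowerShell.Exiting -MessageData $HistoryDir -Action {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out = Join-Path $Event.MessageData ("session-{0}-{1}.csv" -f $stamp, $PID)
    Get-History |
        Select-Object Id, CommandLine, ExecutionStatus, StartExecutionTime, EndExecutionTime |
        Export-Csv -Path $out -NoTypeInformation
}
```

The PSReadLine file gives a running record that survives a crashed console, while the per-session CSV adds the start and end times that the plain history file lacks.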

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
