
Comments (22)

fukusuket avatar fukusuket commented on September 26, 2024 3

Thank you so much for the mention :) Sounds interesting!
As mentioned in the comments above, there seem to be several options, so I'd like to start by researching each one 💪

from hayabusa.

fukusuket avatar fukusuket commented on September 26, 2024 2

Sounds good! I'll try it 💪


fukusuket avatar fukusuket commented on September 26, 2024 2

@YamatoSecurity

I tried the following code (with wmi = "0.13.3")!

use std::collections::HashMap;
use wmi::{COMLibrary, Variant, WMIConnection};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialise COM for this thread and connect to the default WMI namespace (root\cimv2).
    let com_con = COMLibrary::new()?;
    let wmi_con = WMIConnection::new(com_con.into())?;
    // Each row comes back as a property-name -> Variant map.
    let query = "SELECT * FROM Win32_ShadowCopy";
    let results: Vec<HashMap<String, Variant>> = wmi_con.raw_query(query)?;
    // VolumeName is the original volume (\\?\Volume{GUID}\) each shadow copy was taken from.
    let volumes: Vec<_> = results
        .iter()
        .filter_map(|map| map.get("VolumeName"))
        .collect();
    println!("{:?}", volumes);
    Ok(())
}

Then I got the following expected result 👍

C:\tmp\vss\target\release>sample.exe
[String("\\\\?\\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\\"), String("\\\\?\\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\\")]

The above results match the vssadmin results.

C:\tmp\vss\target\release>vssadmin list shadows
vssadmin 1.1 - ボリューム シャドウ コピー サービス管理コマンド ライン ツール
(C) Copyright 2001-2013 Microsoft Corp.

シャドウ コピー セット ID: {7f812a7d-4ad0-4a24-8c7b-c5b20649e1cd} の内容
   1 個のシャドウ コピー、作成時刻: 2024/05/04 17:33:36
      シャドウ コピー ID: {e3ff3feb-3ccc-4118-8f1a-ca09b55dc686}
         元のボリューム: (C:)\\?\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\
         シャドウ コピー ボリューム: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
         元のコンピューター: mouse
         サービス コンピューター: mouse
         プロバイダー: 'Microsoft Software Shadow Copy provider 1.0'
         種類: ClientAccessibleWriters
         属性: 恒久, クライアント アクセス可能, 自動リリースなし, 差分, 自動回復

シャドウ コピー セット ID: {bc538b53-b2bf-4dd0-8182-dcb42f1fed6a} の内容
   1 個のシャドウ コピー、作成時刻: 2024/05/10 15:52:58
      シャドウ コピー ID: {8cfe7010-b6da-4c51-ac35-6f7b209806b7}
         元のボリューム: (C:)\\?\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\
         シャドウ コピー ボリューム: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy9
         元のコンピューター: mouse
         サービス コンピューター: mouse
         プロバイダー: 'Microsoft Software Shadow Copy provider 1.0'
         種類: ClientAccessibleWriters
         属性: 恒久, クライアント アクセス可能, 自動リリースなし, 差分, 自動回復


fukusuket avatar fukusuket commented on September 26, 2024 1

20240411 MTG memo:

  • Go with COM, or have Hayabusa run the command directly......
  • Do it in a separate script?
    • High chance it would be slower
  • Reference implementation
  • If vssadmin or COM is called directly from Hayabusa
    • There would likely be many points to check for differences around Client/Server/Locale/PowerShell/Terminal/Cmd


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024 1

@fukusuket I think I found a better way to do this than COM. We can query the information through WMI!
All we need to do is get the VolumeName information. In my test Win VM, I first created a snapshot with wmic shadowcopy call create Volume=C:\ then you can query the volume shadow information with the following PowerShell:

$shadowCopies = Get-WmiObject -Namespace "Root\cimv2" -Class "Win32_ShadowCopy"

foreach ($shadow in $shadowCopies) {
    Write-Output "Volume Name: $($shadow.VolumeName)"
}

This crate can query WMI and thankfully seems to be maintained: https://github.com/ohadravid/wmi-rs
Since it is WMI, I do not think the query will change depending on the Windows version.


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024 1

@fukusuket Great! Thanks!
Here is a reference that may help you:
https://github.com/trickster0/OffensiveRust/blob/master/wmi_execute/src/main.rs


fukusuket avatar fukusuket commented on September 26, 2024 1

The expected detection results were obtained as shown below.

-l option

hayabusa.exe csv-timeline -l -o main.csv -w -C -q
Start time: 2024/05/10 16:32

Total event log files: 356
Total file size: 209.3 MB

Loading detection rules. Please wait.
...
Deprecated rules: 208 (5.06%) (Disabled)
Experimental rules: 854 (20.79%)
Stable rules: 240 (5.84%)
Test rules: 3,014 (73.37%)
Unsupported rules: 45 (1.10%) (Disabled)

Hayabusa rules: 162
Sigma rules: 3,946
Total detection rules: 4,108

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 26
Detection rules enabled after channel filter: 2,054

Results Summary:

Events with hits / Total events: 17,941 / 106,505 (Data reduction: 88,564 events (83.15%))

Total | Unique detections: 18,071 | 58
Total | Unique critical detections: 186 (1.03%) | 3 (0.00%)
Total | Unique high detections: 144 (0.80%) | 8 (43.10%)
Total | Unique medium detections: 319 (1.77%) | 11 (18.97%)
Total | Unique low detections: 15,802 (87.44%) | 11 (18.97%)
Total | Unique informational detections: 1,620 (8.96%) | 25 (13.79%)

volume shadow

hayabusa.exe csv-timeline -d \\?\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\Windows\System32\winevt\Logs\ -q -o timeline-1.csv -C -w
Start time: 2024/05/10 16:34

Total event log files: 356
Total file size: 209.3 MB

Loading detection rules. Please wait.
...
Evtx files loaded after channel filter: 26
Detection rules enabled after channel filter: 2,054

Results Summary:

Events with hits / Total events: 17,941 / 106,507 (Data reduction: 88,566 events (83.16%))

Total | Unique detections: 18,071 | 58
Total | Unique critical detections: 186 (1.03%) | 3 (0.00%)
Total | Unique high detections: 144 (0.80%) | 8 (43.10%)
Total | Unique medium detections: 319 (1.77%) | 11 (18.97%)
Total | Unique low detections: 15,802 (87.44%) | 11 (18.97%)
Total | Unique informational detections: 1,620 (8.96%) | 25 (13.79%)


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024 1
  • -l, --live-analysis option is required

Yes, this is only possible with live analysis so we should require this.

  • If --scan-vss-backups specified, then scan volume shadow in addition to C:\Windows\System32\winevt\Logs\

Yes!

  • If there are multiple volume shadows (original volumes), scan all of them (or is it a specification that only one exists?)

There can be multiple volume shadows so I would like to scan them all. Note: There will probably be many duplicate events so users should probably also specify -X, --remove-duplicate-detections. The problem will be if users want to use low memory mode because it is live analysis, then they won't be able to specify -X. We can handle this after the scan with the sort command that also deletes duplicate events.

  • Add --scan-vss-backups in General Options (Therefore, it can be used with the following command)

General Options is a good place for it.

  • computer-metrics/eid-metrics/logon-summary/pivot-keywords-list/search/csv-timeline/json-timeline

I was only thinking about csv-timeline and json-timeline but it might be useful for these other commands as well. The problem is there will be many duplicate events so I think it will mess up the results. Until we can support ignoring duplicate entries in the other commands then we should probably ignore them for now and just implement it in csv-timeline and json-timeline.

It would also be nice to see what volumes were found and their creation date.

Before:

Hayabusa rules: 162
Sigma rules: 3,948
Total detection rules: 4,110

Creating the channel filter. Please wait.

After

Hayabusa rules: 162
Sigma rules: 3,948
Total detection rules: 4,110

No shadow copy volumes found.

Creating the channel filter. Please wait.

or

Hayabusa rules: 162
Sigma rules: 3,948
Total detection rules: 4,110

Shadow copy volumes found:
2024/05/09  13:15:39 : (C:)\\?\Volume{a005d58f-0000-0000-0000-100000000000}\ (HarddiskVolumeShadowCopy1)
2024/05/10  18:12:10 : (C:)\\?\Volume{3ea7e1a6-0976-4717-a681-53838c5bf39c}\ (HarddiskVolumeShadowCopy2)

Creating the channel filter. Please wait.

I am guessing that extracting this information should be done before creating the channel filter but if there is a better place/time to do it then please change it to where ever you think is good.
I believe Original Volume is the same as the C: drive.
I think we should use シャドウ コピー ID (Shadow Copy ID): {8cfe7010-b6da-4c51-ac35-6f7b209806b7} to scan the backup files.
シャドウ コピー セット ID (Shadow Copy Set ID): {bc538b53-b2bf-4dd0-8182-dcb42f1fed6a} is used as an ID for a set of copies if multiple snapshots were taken at the same time.

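As an added example (not Hayabusa's code, and not from either commenter), here is the logic that would turn Win32_ShadowCopy rows into the "Shadow copy volumes found:" listing and the per-snapshot winevt\Logs paths proposed above. The ShadowCopy struct, the constructed sample rows and the drive-letter map are assumptions standing in for the wmi crate's HashMap<String, Variant> results, so the block runs without Windows.

```rust
use std::collections::HashMap;

/// One row of `SELECT * FROM Win32_ShadowCopy`, reduced to the properties used
/// here. With the wmi crate these arrive as HashMap<String, Variant>; plain
/// Strings are an assumption that keeps the example runnable without the crate.
#[derive(Debug, Clone, PartialEq)]
pub struct ShadowCopy {
    pub id: String,            // "ID": {e3ff3feb-...}
    pub volume_name: String,   // "VolumeName": \\?\Volume{GUID}\  (the original volume)
    pub device_object: String, // "DeviceObject": \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    pub install_date: String,  // "InstallDate": CIM_DATETIME, e.g. 20240509131539.000000+540
}

/// Render a WMI CIM_DATETIME ("yyyymmddHHMMSS.ffffff+UUU") as "YYYY/MM/DD  HH:MM:SS",
/// the layout proposed for the listing. A malformed value yields None so the
/// row is skipped instead of being misprinted.
pub fn format_cim_datetime(cim: &str) -> Option<String> {
    let d = cim.get(..14)?;
    if !d.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    Some(format!(
        "{}/{}/{}  {}:{}:{}",
        &d[0..4], &d[4..6], &d[6..8], &d[8..10], &d[10..12], &d[12..14]
    ))
}

/// "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8" -> "HarddiskVolumeShadowCopy8"
pub fn short_device_name(device_object: &str) -> &str {
    let trimmed = device_object.trim_end_matches('\\');
    trimmed.rsplit('\\').next().unwrap_or(trimmed)
}

/// Directory Hayabusa would scan inside one snapshot, addressed through the
/// DeviceObject path rather than a mklink'd folder.
pub fn evtx_log_dir(device_object: &str) -> String {
    format!("{}\\Windows\\System32\\winevt\\Logs\\", device_object.trim_end_matches('\\'))
}

/// A snapshot selected for scanning: the listing line and the directory to read.
#[derive(Debug, Clone, PartialEq)]
pub struct ScanTarget {
    pub display: String,
    pub log_dir: String,
}

/// Keep only snapshots of `target_volume` (the volume holding the live
/// winevt\Logs, normally C:), oldest first. `drive_letters` maps VolumeName to
/// a drive letter; Win32_ShadowCopy carries none, so real code would fill it
/// from Win32_Volume (DeviceID / DriveLetter).
pub fn plan_vss_scan(
    copies: &[ShadowCopy],
    target_volume: &str,
    drive_letters: &HashMap<String, String>,
) -> Vec<ScanTarget> {
    let mut selected: Vec<(String, &ShadowCopy)> = copies
        .iter()
        .filter(|c| c.volume_name.eq_ignore_ascii_case(target_volume))
        .filter_map(|c| format_cim_datetime(&c.install_date).map(|ts| (ts, c)))
        .collect();
    // The rendered timestamp sorts lexicographically in chronological order.
    selected.sort_by(|a, b| a.0.cmp(&b.0).then_with(|| a.1.device_object.cmp(&b.1.device_object)));
    selected
        .into_iter()
        .map(|(ts, c)| ScanTarget {
            display: format!(
                "{} : {}{} ({})",
                ts,
                drive_letters.get(&c.volume_name).map(|l| format!("({})", l)).unwrap_or_default(),
                c.volume_name,
                short_device_name(&c.device_object)
            ),
            log_dir: evtx_log_dir(&c.device_object),
        })
        .collect()
}

/// Constructed sample rows: the two snapshots of the C: volume shown by
/// vssadmin in this thread, plus a snapshot of another (made-up) volume.
pub fn sample_rows() -> Vec<ShadowCopy> {
    let c_vol = "\\\\?\\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\\";
    let row = |id: &str, vol: &str, dev: &str, date: &str| ShadowCopy {
        id: id.into(), volume_name: vol.into(), device_object: dev.into(), install_date: date.into(),
    };
    vec![
        row("{8cfe7010-b6da-4c51-ac35-6f7b209806b7}", c_vol, "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy9", "20240510155258.000000+540"),
        row("{e3ff3feb-3ccc-4118-8f1a-ca09b55dc686}", c_vol, "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy8", "20240504173336.000000+540"),
        row("{00000000-0000-0000-0000-000000000001}", "\\\\?\\Volume{deadbeef-0000-0000-0000-000000000000}\\", "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3", "20240501000000.000000+540"),
    ]
}

fn main() {
    let rows = sample_rows();
    let letters = HashMap::from([(rows[0].volume_name.clone(), "C:".to_string())]);
    let plan = plan_vss_scan(&rows, &rows[0].volume_name, &letters);
    if plan.is_empty() { println!("No shadow copy volumes found."); return; }
    println!("Shadow copy volumes found:");
    for t in &plan { println!("{}  ->  {}", t.display, t.log_dir); }
}
```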

YamatoSecurity avatar YamatoSecurity commented on September 26, 2024 1

@fukusuket Ah, that is my mistake. I was using the original volume ID of the C: thinking it was the snapshot. It doesn't work for me directly on the command line. Only if the C: volume ID is used. I think we can do this by mounting the snapshot to a folder. (I don't want to add another volume to mount if possible).

mklink /d c:\Tools\hayabusa-2.15.0-win-x64\volumeshadowcopytest \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
.\hayabusa-2.15.0-win-x64.exe csv-timeline -w -d c:\Tools\hayabusa-2.15.0-win-x64\volumeshadowcopytest

seems to work... however, unfortunately it gives these errors:

[00:00:00] 285 / 363 ⠙ [===============================>        ] 79%

"volumeshadowcopytest/Windows/System32/winevt/Logs/Microsoft-Windows-TCPIP%4Operational.evtx"
An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.

When I tried to open the backed up Security.evtx from Event Viewer, it gives the error: This media is write protected

If I copy out the files to a different directory then it works, but trying to make copies of all the evtx files for live analysis is not ideal as evidence may be overwritten..

When I just type a text file inside the mounted folder, it outputs without any error, so maybe Hayabusa is not specifying that it is trying to open the file in read-only mode?
By default, it should open the file in read-only mode so I don't know why this would be the case though..
https://doc.rust-lang.org/rust-by-example/std_misc/file/open.html
Do you know if it is possible to add the reason for why the error happened like in the link above?
Right now we just get An error occurred while trying to read input. which is too vague.

Could you check the code to see if Hayabusa is explicitly trying to open the .evtx files in read-only mode?


fukusuket avatar fukusuket commented on September 26, 2024 1

I tried the wevtutil command and got the following result 😢

C:\tmp\hayabusa-2.15.0-win-x64\volumeshadowcopytest>wevtutil qe "C:\tmp\hayabusa-2.15.0-win-x64\volumeshadowcopytest\Windows\System32\winevt\Logs\Application.evtx" /lf:true /f:text
イベント ログ ファイルが壊れています。

イベント クエリを開けませんでした。
イベント ログ ファイルが壊れています。


fukusuket avatar fukusuket commented on September 26, 2024 1

@YamatoSecurity
I tried copying it and got the same error :(
I also checked other files (normal text, python script, exe, etc.) and found that some files are partially filled with NULL characters, and this seems to be the cause of the corruption ...🤔


fukusuket avatar fukusuket commented on September 26, 2024 1

@YamatoSecurity
In my environment, most files could not be read by hayabusa, regardless of robocopy or not.
Therefore, copying does not seem to solve this problem 😥 I think it will be difficult to implement unless we find a procedure that allows the files to be completely restored.

-l option

Results Summary:

Events with hits / Total events: 26,026 / 236,081 (Data reduction: 210,055 events (88.98%))

Total | Unique detections: 26,156 | 59
Total | Unique critical detections: 190 (0.73%) | 3 (0.00%)
Total | Unique high detections: 144 (0.55%) | 8 (42.37%)
Total | Unique medium detections: 328 (1.25%) | 11 (20.34%)
Total | Unique low detections: 23,684 (90.55%) | 12 (18.64%)
Total | Unique informational detections: 1,810 (6.92%) | 25 (13.56%)

Dates with most total detections:
critical: 2024-04-27 (38), high: 2024-01-26 (22), medium: 2023-10-12 (48), low: 2024-05-03 (4,279), informational: 2024-05-11 (158)

Top 5 computers with most unique detections:
critical: mouse (3)
high: mouse (7), DESKTOP-CNG7416 (1)
medium: mouse (10), MyComputer (2)
low: mouse (12), DESKTOP-CNG7416 (1)
informational: mouse (25), DESKTOP-CNG7416 (7), MyComputer (1), DESKTOP-9HFNL0J (1)

Top critical alerts:
  Defender Alert (Severe) (186)
  Antivirus Password Dumper Detection (3)
  Antivirus Exploitation Framework Detection (1)

Top high alerts:
  Antivirus Relevant File Paths Alerts (106)
  Microsoft Defender Blocked from Loading Unsigned DLL (24)
  Antivirus Hacktool Detection (4)
  Microsoft Defender Tamper Protection Trigger (4)
  Defender Alert (High) (2)

Top medium alerts:
  Potentially Malicious PwSh (229)
  Uncommon PowerShell Hosts (28)
  Suspicious Non PowerShell WSMAN COM Provider (24)
  Uncommon AppX Package Locations (15)
  BITS Transfer Job With Uncommon Or Suspicious Remote TLD (14)

Top low alerts:
  Credential Manager Enumerated (22,908)
  Credential Manager Accessed (367)
  CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (322)
  Volume Shadow Copy Mount (49)
  Application Uninstalled (20)

Top informational alerts:
  Svc Installed (248)
  Bits Job Created (218)
  PwSh Engine Started (185)
  WMI Provider Started (183)
  RDS Sess Logon (141)
  RDS Sess Logoff (138)
  RDS Sess Disconnect (86)
  Logoff (66)
  Device Conn (64)
  Event Log Svc Started (62)

copy by explorer

Results Summary:

Events with hits / Total events: 117 / 1,390 (Data reduction: 1,273 events (91.58%))

Total | Unique detections: 118 | 4
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (50.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (50.00%)
Total | Unique low detections: 116 (98.31%) | 2 (0.00%)
Total | Unique informational detections: 2 (1.69%) | 2 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: 2024-04-27 (116), informational: 2024-03-30 (2)

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: mouse (2)
informational: mouse (2)

Top critical alerts: n/a

Top high alerts: n/a

Top medium alerts: n/a

Top low alerts:
  Credential Manager Enumerated (115)
  Credential Manager Accessed (1)

Top informational alerts:
  RDP Conn Attempt (1)
  RDP Attempt (1)

copy by robocopy

Results Summary:

Events with hits / Total events: 117 / 1,390 (Data reduction: 1,273 events (91.58%))

Total | Unique detections: 118 | 4
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (50.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (50.00%)
Total | Unique low detections: 116 (98.31%) | 2 (0.00%)
Total | Unique informational detections: 2 (1.69%) | 2 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: 2024-04-27 (116), informational: 2024-03-30 (2)

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: mouse (2)
informational: mouse (2)

Top critical alerts: n/a

Top high alerts: n/a

Top medium alerts: n/a

Top low alerts:
  Credential Manager Enumerated (115)
  Credential Manager Accessed (1)

Top informational alerts:
  RDP Conn Attempt (1)
  RDP Attempt (1)


hitenkoku avatar hitenkoku commented on September 26, 2024

@YamatoSecurity

Is it correct to say that this function is available only on Windows because it uses Windows API commands?

It is unclear from where to what point hayabusa should respond.

I think it is too much to ask Hayabusa to do everything from vssadmin list shadow, which requires administrator privileges, but how about supporting it with another script?


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024

Yes, this functionality would only be possible if the user specifies -l, --live-analysis on a Windows machine with local Administrator privileges. Here is a link to some C++ source code that might help us out:
https://github.com/albertony/vss?tab=readme-ov-file#vshadow-source-code
https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/Win7Samples/winbase/vss/vshadow/query.cpp

It does require some COM programming and may be different for Win 7 versus more recent versions of Windows. So it would probably be easier just to call vssadmin and parse the output..


fukusuket avatar fukusuket commented on September 26, 2024

I am thinking of the following specifications. What do you think?

  • -l, --live-analysis option is required
  • If --scan-vss-backups specified, then scan volume shadow in addition to C:\Windows\System32\winevt\Logs\
    • If there are multiple volume shadows (original volumes), scan all of them (or is it a specification that only one exists?)
  • Add --scan-vss-backups in General Options (Therefore, it can be used with the following command)
    • computer-metrics/eid-metrics/logon-summary/pivot-keywords-list/search/csv-timeline/json-timeline

If I have misunderstood the specifications, please let me know! 🙏


fukusuket avatar fukusuket commented on September 26, 2024

I have one more question!
If the original volume is specified, does it mean scanning from the backup file? (not from the current evtx)


fukusuket avatar fukusuket commented on September 26, 2024

@YamatoSecurity
Thank you for the comment! I see!

I think we should use シャドウ コピー ID (Shadow Copy ID): {8cfe7010-b6da-4c51-ac35-6f7b209806b7} to scan the backup files.

I tried the シャドウ コピー ID (Shadow Copy ID), but I couldn't scan it with hayabusa ... :( ([ERROR] No .evtx files were found.)
Is there a way to scan by シャドウ コピー ID (Shadow Copy ID)?


fukusuket avatar fukusuket commented on September 26, 2024

Could you check the code to see if Hayabusa is explicitly trying to open the .evtx files in read-only mode?

The file is opened at the following code, but it is Read Only.
https://github.com/Yamato-Security/hayabusa-evtx/blob/main/src/evtx_parser.rs#L273

Also, in my environment, when I opened the mounted folder's evtx in Event Viewer after mklink, I got an error saying that the file was corrupted... :( Therefore, even after running mklink, there may still be missing information needed to restore the file...? 🤔


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024

@fukusuket Humm.. if you copy the file to a different directory and then scan it, does it work?


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024

I got it to work by copying with robocopy:

robocopy c:\test\Windows\System32\winevt\Logs c:\testlogs
.\hayabusa-2.15.0-win-x64.exe csv-timeline -w -d c:\testlogs

Can you test if it works when copying with robocopy?


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024

Memo: I can run Hayabusa against the volume shadow backup with .\hayabusa-2.15.0-win-x64.exe csv-timeline -w -d \\.\HarddiskVolumeShadowCopy2\Windows\System32\winevt\Logs without having to make a link first.
Unfortunately, I still get the file read errors. I am guessing that it is because the files only contain the block-level differential data which corrupts them unless they are copied out..


YamatoSecurity avatar YamatoSecurity commented on September 26, 2024
Screenshot 2024-05-13 at 09 20 00

So I copied out the Security.evtx file to the temp directory and the hashes don't match up, so I am guessing that directly accessing the files is only good for metadata analysis and that it is necessary to copy out the files to check the content. Although I haven't read any article that talks about this and it is weird that you still can't read the file when you copy it out (but it works for me..)

While not ideal, one possibility would be to copy files out one at a time to a temp directory, scan the file, delete it, then copy another file, etc... which at least would be better than copying the entire directory (although not as easy to implement...)
