dfir-orc
[WolfLauncher] directory output not merged into the final archive
Hello,
I'm trying to execute a wolflauncher command generating several output files into a folder. I would like to copy the output folder into the final ORC archive, but I can't figure out how to do so. I tried to use the Directory source type of the output attribute (https://dfir-orc.github.io/wolf_config.html#id35) without success.
Here is the wolflauncher config:
<!-- ORC version : 10.0.22 -->
<command keyword="GetCommand" systemtype="DomainController">
<execute name="cmd.exe" run="%SystemRoot%\System32\cmd.exe"/>
<argument>/c builtin_command.exe</argument>
<output name="Command" source="Directory" argument="{DirectoryName}"/>
<!-- <output name="Command" source="Directory" argument="{DirectoryName}" filematch="*" /> same behavior -->
<!-- <output name="Command" source="Directory" argument="{DirectoryName}" filematch="\*" /> same behavior -->
<output name="command.log" source="StdOutErr"/> <!-- command.log is correctly generated and merged in the final archive -->
</command>
Here is the output on a Windows Server 2016:
[...]
ARC: Command_20211220_110840_DomainController_DC01.LAB.LOCAL.7z started
pid=1964 GetCommand: Start
pid=1964 GetCommand: Hanged for 1 secs
pid=1964 GetCommand: Successfully terminates
Full: Complete! (commands took 16 seconds)
ARC: File Config.xml added
ARC: File JobStatistics.csv added
ARC: File command.log added
ARC: File ProcessStatistics.csv added
ARC: Command_20211220_110840_DomainController_DC01.LAB.LOCAL.7z is complete
ERROR (The directory is not empty, hr=0x80070091): Failed to delete directory C:\Users\ADMINI~1\AppData\Local\Temp\WorkingTemp\Command)
Full: Command_20211220_110840_DomainController_DC01.LAB.LOCAL.7z (took 16 seconds, size 3245 bytes)
Finish time : 12/20/2021 11:08:58.782 (UTC)
The Command folder is correctly generated with the proper output of the command (executed without any error), but not merged into the final archive, which remains empty.
Thanks!
I am afk but it may help to add the filematch attribute. It should be optional but maybe there is an issue with the code that requires it. We mostly used this source="directory" with filematch.
Hi @qlemaire, I cannot reproduce your behaviour with one of our tools using a directory as output and DFIR-Orc v10.0.22. Could you give us the following information to help us investigate:
- The log, json and 7z files generated by DFIR-Orc
- The complete configuration file used that triggers the bug
- The reason why you need to run a builtin command through cmd.exe instead of just calling it from <execute>
If this is not a builtin command, could you try embedding it with DFIR-Orc (see this example) and tell us if this changes the behaviour?
Thanks in advance. Regards
Thank you for your answers!
You're right, I can directly execute the binary instead of running cmd.exe, this went out of my mind.
I did more testing and I think I found the catch explaining the behavior => nested folders:
- when the output directory contains nested folders, the files within {DirectoryName} are copied as expected, but the nested content (files within nested folders) is not copied into the final archive and the following error is displayed (because the content is not correctly "moved" I suppose) =>
ERROR (The directory is not empty, hr=0x80070091): Failed to delete directory {DirectoryName}
- when the output directory only contains files, the command executes as intended (copying files and deleting the folder)
- filematch does not seem to change anything (reading the code tells us it is * by default => https://github.com/DFIR-ORC/dfir-orc/blob/main/src/OrcCommand/Command/WolfLauncher/WolfExecution_Config.cpp#L476)
To perform those tests, I used these two certutil commands:
<!-- certutil backupkey (no nested folders) -->
<command keyword="certutil_backupkey">
<execute name="certutil.exe" run="%SystemRoot%\System32\certutil.exe"/>
<argument>-p test</argument> <!-- password -->
<output name="certutil_backupkey" source="Directory" argument='-backupkey {DirectoryName}'/> <!-- backup folder -->
<output name="certutil_backupkey.log" source="StdOutErr"/>
</command>
<!-- certutil backup (database nested folder not copied)-->
<command keyword="certutil_backup">
<execute name="certutil.exe" run="%SystemRoot%\System32\certutil.exe"/>
<argument>-p test</argument> <!-- password -->
<output name="certutil_backup" source="Directory" argument='-backup {DirectoryName}'/> <!-- backup folder -->
<output name="certutil_backup.log" source="StdOutErr"/>
</command>
Thanks again
Hi,
You are right, source="Directory" does not support recursive collection of files and directories. This was originally intended as a safeguard against unwanted/accidental recursive deletion during clean up.
We might need to re-think the pros and cons of this behavior, so we'll keep this issue open and get back to you once this has been discussed.
Regards
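The following script is an added illustration of the behaviour worked out in the two posts above (the reporter's nested-folder tests and the maintainer's confirmation that source="Directory" is not recursive); it is not DFIR-Orc code. It models the collection step as "add only the files directly under {DirectoryName} that match filematch, then delete the directory", and shows which files a nested layout would lose and why the cleanup then fails with "The directory is not empty". The directory layout (a flat case and a case with a nested `DataBase` folder, loosely mirroring `certutil -backupkey` versus `certutil -backup`) is constructed for the example, and what the model does with top-level files that do not match filematch is an assumption, not documented tool behaviour. The script is useful as a pre-flight check: point it at a tool's real output folder before deploying a configuration and see whether anything would be silently dropped.

```python
"""
Model of WolfLauncher's non-recursive source="Directory" collection, as
described in this issue: only top-level files matching `filematch` are
archived, nested folders are skipped, and the post-run cleanup fails
because the directory is not empty.

Added illustration, not DFIR-Orc code. The folder layout is constructed
for the example and does not come from certutil.
"""
import fnmatch
import os
import shutil
import tempfile


def simulate_directory_output(output_dir, filematch="*"):
    """Return what the archive would contain, what would be missed and
    whether the cleanup (a plain rmdir of output_dir) succeeds."""
    archived, missed = [], []
    for root, _dirs, files in os.walk(output_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), output_dir)
            # Non-recursive: only files directly under output_dir are
            # candidates, and only those matching filematch are taken.
            if root == output_dir and fnmatch.fnmatch(name, filematch):
                archived.append(rel)
            else:
                missed.append(rel)
    # Model of the cleanup: archived files are moved out, everything
    # else is left in place, then the directory itself is removed.
    for rel in archived:
        os.remove(os.path.join(output_dir, rel))
    try:
        os.rmdir(output_dir)
        cleanup_ok = True
    except OSError:  # "The directory is not empty" in the issue's log
        cleanup_ok = False
    return {"archived": sorted(archived),
            "missed": sorted(missed),
            "cleanup_ok": cleanup_ok}


def make_layout(base, nested):
    """Constructed output folder: two top-level files and, optionally,
    a nested folder holding one more file."""
    out = os.path.join(base, "Command")
    os.makedirs(out)
    for name in ("backup.p12", "summary.txt"):
        with open(os.path.join(out, name), "w") as fh:
            fh.write("constructed sample\n")
    if nested:
        os.makedirs(os.path.join(out, "DataBase"))
        with open(os.path.join(out, "DataBase", "ca.edb"), "w") as fh:
            fh.write("constructed sample\n")
    return out


def run_case(nested, filematch="*"):
    """Build the constructed layout in a temp dir and run the model on it."""
    base = tempfile.mkdtemp()
    try:
        return simulate_directory_output(make_layout(base, nested), filematch)
    finally:
        shutil.rmtree(base, ignore_errors=True)


def check_real_output_dir(path):
    """Pre-flight check for a real tool output folder: list every file
    that a non-recursive collection would drop (nothing is deleted)."""
    dropped = []
    for root, _dirs, files in os.walk(path):
        if root != path:
            dropped.extend(os.path.relpath(os.path.join(root, f), path)
                           for f in files)
    return sorted(dropped)


if __name__ == "__main__":
    for nested in (False, True):
        print("nested folder:", nested, "->", run_case(nested))
```

In the flat case everything is archived and the cleanup succeeds; in the nested case the top-level files are archived, `DataBase/ca.edb` is never collected and the rmdir fails, which is exactly the sequence in the reporter's log. `check_real_output_dir` can be run against an actual output folder produced by the tool under test to see what would be lost before the configuration ships.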