
Add DataStreams Field to MFT Rules and Add Part 1 Rules for Suspicious Script and Executable Locations

Open reece394 opened this issue 1 year ago • 3 comments

As mentioned I have added the DataStreams field to all MFT rules as it might be handy for Zone.Identifiers since #210 has been merged now.

Additionally I have worked on the first batch of rules which aim to automate finding dodgy files in commonly abused Threat Actor locations. This work is based on observations on real incident response cases as well as the excellent SANS FOR508 course. The Suspicious Locations are purposely split out to allow analysts to choose the rules they wish to use. There will be false positives in these (I noted that antiviruses in ProgramData can be particularly noisy as an example) but this should help cut through the noise and generate quick findings for analysts to pivot off rather than having to read the MFT like a book.

This commit also fixes an issue where the ADAMNTDS.DIT and NTDS.DIT rules were flagging on an update file that was exactly 55 bytes in size, which was a very annoying false positive, and tightens the Recycle Bin rules so that $I acts the same as $R.

Additionally this adds rules for Program Files, Program Files (x86) and Windows to look in the root of the folders for suspicious files. This uses regex to gate the rules to look at just the root of the folders to help cut down on false positives.

reece394 · Dec 29 '24 20:12

Resolved most of the comments in regards to levels. For the ones that still have comments, once we get those confirmed I will change them over as well and resolve them, and then it will be ready to merge.

reece394 · Jan 04 '25 21:01

Since my review comments are pending I am going to chuck my findings in here as well just in case they get missed. It seems the issue with `\` and `/` is platform specific. I was doing my rule creation and testing on Windows, hence never coming across it. When running Chainsaw on Windows it outputs the MFT paths with `\`, but when running it on Linux and macOS it outputs the paths with `/`. The two options we have are: I account for this in the rules, or we fix the code to output the same regardless of platform. Doing further research into this, it is a known issue with the mft library being used. Seems like this would solve the issue. I recommend forking the library and adding that modification in once it has been validated as a good solution, as it doesn't look like there has been activity on the library for a while. I would check this first to see if there are any differences between that and the GitHub master.

reece394 · Jan 05 '25 20:01

The MFT library has been forked. As a result, on Windows the slashes are now the same as on macOS and Linux, and I will now rewrite the rules with this in mind. Do not merge these until the MFT library fork work is done and merged, as the rules are in a varying state of broken due to earlier assumptions.

reece394 · Jan 09 '25 21:01
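As an added example (not Chainsaw's rule engine and not code from this PR), the two points raised in the thread, gating a rule to the root of Program Files, Program Files (x86) and Windows via regex, and coping with `\` versus `/` in MFT paths depending on platform, reimplemented in Python over constructed MFT paths; the regex, the extension list and the sample paths are illustrative assumptions:

```python
import re

# Constructed sample MFT paths mixing Windows-style and Linux/macOS-style
# separators, as Chainsaw emitted them on different platforms. Not case data.
SAMPLE_ENTRIES = [
    r"C:\Windows\updater.exe",                   # executable in the root of Windows
    r"C:\Windows\System32\svchost.exe",          # in a subfolder, not the root
    "C:/Program Files/update.ps1",               # forward slashes (Linux/macOS output)
    r"C:\Program Files (x86)\Vendor\setup.exe",  # vendor subfolder, not the root
    r"C:\Program Files\readme.txt",              # root, but not a script/executable type
]

# Assumed list of script/executable extensions worth flagging in these roots.
SUSPICIOUS_EXT = r"(exe|dll|ps1|bat|cmd|vbs|js|hta|scr)"

# Gate on the folder root only: after the folder name allow exactly one path
# component ([^/]+) with no further separator before the extension.
ROOT_PATTERN = re.compile(
    r"^[A-Za-z]:/(Windows|Program Files( \(x86\))?)/[^/]+\." + SUSPICIOUS_EXT + r"$",
    re.IGNORECASE,
)


def normalise_path(path: str) -> str:
    """Map Windows '\\' separators to '/' so one regex covers both platforms."""
    return path.replace("\\", "/")


def is_suspicious_root_file(path: str) -> bool:
    """True when the path is a script/executable sitting directly in a gated root."""
    return ROOT_PATTERN.match(normalise_path(path)) is not None


def find_suspicious(entries):
    """Return the original (unnormalised) paths that the root gate flags."""
    return [p for p in entries if is_suspicious_root_file(p)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_ENTRIES):
        print("suspicious root file:", hit)
```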