I was reviewing a packet capture file I had from a recent engagement. In it, the attacker had tried unsuccessfully to compress the System and SAM registry hives on the compromised web server. Instead, the attacker decided to copy the hives into a web accessible directory and give them a .jpg file extension. Given that the Windows Registry hives contain a well documented file structure, I decided to write a parser to detect them on the network.
If we see something on the wire, there is a pretty good chance we can create some content to detect it in the future. This is the premise behind most threat-hunting or content creation. Make it easier to detect the next time. This is the same approach I take when building Lua Parsers for the RSA NetWitness platform.
Here, we can see what appears to be the magic bytes for a registry file “regf”.
Let’s shift our view into View Hex and examine this file.
When creating a parser, we want to make it as consistent as possible to reduce false positives or errors. What I found was that immediately following the ‘regf’ signature the Primary Sequence Number (4 bytes) and Secondary Sequence Number (4 bytes) would be different. Then, there was the FileTime UTC (8 bytes) field which would most definitely be unique.
However, the Major and Minor versions were relatively consistent. Therefore, I could skip over those 16 bytes to land on the first byte of the Major Version immediately after my initial token matches. Let’s create a token to start with.
fingerprint_reg:setCallbacks({ ["\114\101\103\102"] = fingerprint_reg.magic, -- regf }) |
If you notice, this token is in DECIMAL format, not HEX. Also, 4 bytes is quite small for a token. What happens is that when a parser is loaded into the decoder, the tokens are stored in memory and compared as network traffic is going through the decoder. Once a token matches, the function(s) within the parser are run. Too small of a token means the parser may run quite frequently with or without matching on the right traffic. Too large of a token means the parser may only run on those specific bytes and you could miss other relevant traffic. When creating a parser token, you may want to error on the side of caution and make it a little smaller but know that you will have to add additional checks to ensure it is the correct traffic you want.
In Lua for parsers, you are always on a byte. Therefore, we need to know where we are and where we want to go. I like to set a variable called ‘current_position’ to denote where my pointer is in the stream of data. When the parser matches on a token, it will return 3 values. The three values are the token itself, the first position of the token in the data stream and the last position of the token in the data stream. This helps me as I want to find the ‘regf’ token and move forward 17 bytes to land on the Major version field.
function fingerprint_reg:magic(token, first, last) current_position = last + 17 local payload = nw.getPayload(current_position, current_position + 7) if payload and #payload == 8 then local majorversion = payload:uint32(1, 4) if majorversion == 16777216 then local minorversion = payload:uint32(5, 😎 if minorversion == 50331648 or minorversion == 67108864 or minorversion == 83886080 or minorversion == 100663296 then nw.createMeta(self.keys["filetype"], "registry hive") end end end end |
This will put the pointer on the first byte (0x01) of the Major Version field. Next what I want to do is extract only the payload I need to do my next set of checks, which will involve reading the bytes.
function fingerprint_reg:magic(token, first, last) current_position = last + 17 local payload = nw.getPayload(current_position, current_position + 7) if payload and #payload == 8 then local majorversion = payload:uint32(1, 4) if majorversion == 16777216 then local minorversion = payload:uint32(5, 😎 if minorversion == 50331648 or minorversion == 67108864 or minorversion == 83886080 or minorversion == 100663296 then nw.createMeta(self.keys["filetype"], "registry hive") end end end end |
Here, I created a variable called ‘payload’ and used the built-in function ‘nw.getPayload’ to get the payload I wanted. Since I previously declared a variable called ‘current_position’, I use that as my starting point and tell it to go forward 7 bytes. This gives me a total of 8 bytes of payload. Next, I make sure that I have payload and that it is, in fact, 8 bytes in length (#payload == 8).
function fingerprint_reg:magic(token, first, last) current_position = last + 17 local payload = nw.getPayload(current_position, current_position + 7) if payload and #payload == 8 then local majorversion = payload:uint32(1, 4) if majorversion == 16777216 then local minorversion = payload:uint32(5, 😎 if minorversion == 50331648 or minorversion == 67108864 or minorversion == 83886080 or minorversion == 100663296 then nw.createMeta(self.keys["filetype"], "registry hive") end end end end |
If the payload checks out, then in this parser, I want to read the first 4 bytes, since that should be the Major Version. In the research I did, I saw that the Major Version was typically ‘1’ and was represented as ‘0x01000000’. Since I want to read those 4 bytes, I use “payload:uint32(1,4)”. Since those bytes will be read in as one value, I pre-calculate what that should be and use it as a check. The value should be ‘16777216’. If it is, then it should move to the next check.
function fingerprint_reg:magic(token, first, last) current_position = last + 17 local payload = nw.getPayload(current_position, current_position + 7) if payload and #payload == 8 then local majorversion = payload:uint32(1, 4) if majorversion == 16777216 then local minorversion = payload:uint32(5, 😎 if minorversion == 50331648 or minorversion == 67108864 or minorversion == 83886080 or minorversion == 100663296 then nw.createMeta(self.keys["filetype"], "registry hive") end end end end |
The Minor Version check winds up being the second and last check to make sure it is a Registry hive. For this to run, the Major version had to have been found and validated based on the IF statement. Here, we grab the next 4 bytes and store those in a variable called ‘minorversion’. There were four possible values that I found in my research. Those would be ‘0x03000000’, ‘0x04000000’, ‘0x05000000’, and ‘0x06000000’. Therefore, I pre-calculated those values in decimal form like I did with the Major Version and did a comparison (==). If the value matched, then the parser will write the text ‘registry hive’ as meta into the ‘filetype’ meta key.
The approach shown here was useful in examining a particular type of file as it was observed in network traffic. The same approach could be used for protocol analysis, identifying new service types, and many others as well. If you would like expert assistance with creating a custom parser for traffic that is unique in your environment then that is a common service offering provided by RSA. If you're interested in this type of service offering, please feel free to contact your local sales rep.
The parser is attached, and I have also submitted it to RSA Live for future use. I hope you find this parser breakdown helpful and as always, happy hunting.
Chris
