Thursday, 27 December 2012

SANS Forensic Artifact 6: UserAssist

I'm a little late to say this but firstly Happy Christmas to my readers out there. I've been fortunate enough to have a little time off but still find myself working the Christmas / New Year period. I hope some of you have more time off and can catch up on some of those tasks you've been avoiding.

For today we're moving on to a new category which I think everybody will find of interest: Program Execution. A huge number of posts have been written about these artifacts and just how valuable they can be. Once again we'll create a few of the artifacts in different ways and see how the results show up in our tools.

I still haven't forgotten about the artifacts we've missed so far and I'm currently working on some posts to cover those so that I have a complete series.

UserAssist
Description:
GUI-based programs launched from the desktop are tracked in the launcher on a Windows System.
Location: NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count
Interpretation:
All values are ROT-13 Encoded
  • GUID for XP 
    • 75048700 Active Desktop 
  • GUID for Win7 
    • CEBFF5CD Executable File Execution
    • F4E57C4B Shortcut File Execution
  • Program Locations for Win7 Userassist
    • ProgramFilesX64 6D809377-…
    • ProgramFilesX86 7C5A40EF-…
    • System 1AC14E77-…
    • SystemX86 D65231B0-…
    • Desktop B4BFCC3A-…
    • Documents FDD39AD0-…
    • Downloads 374DE290-…
    • UserProfiles 0762D272-…
Let's first take a look at what we see in my UserAssist registry key so we understand what our tool must export and parse, and so we can work out which applications have launched and from where. I browsed to the following key "NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist" and found this:

Within each of the Count keys are listed a number of values which, as mentioned above, are ROT13 encoded. To the human eye they don't make much sense, but once we decode them we'll easily see what the values mean. To give you a feel for what the encoded values look like compared to the decoded values, see the following output. I have grabbed some sample values from my own computer; in each pair the first line is the ROT13 value as stored and the second line is the decoded value.

 {S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rUbzr\rufuryy.rkr  
 {F38BF404-1D43-42F2-9305-67DE0B28FC23}\eHome\ehshell.exe  
 {S38OS404-1Q43-42S2-9305-67QR0O28SP23}\Zvpebfbsg.ARG\Senzrjbex64\i2.0.50727\qj20.rkr  
 {F38BF404-1D43-42F2-9305-67DE0B28FC23}\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  
 {S38OS404-1Q43-42S2-9305-67QR0O28SP23}\Zvpebfbsg.ARG\Senzrjbex64\i2.0.50727\ErtNfz.rkr  
 {F38BF404-1D43-42F2-9305-67DE0B28FC23}\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe  
 HRZR_PGYFRFFVBA  
 UEME_CTLSESSION  
 HRZR_PGYPHNPbhag:pgbe  
 UEME_CTLCUACount:ctor  
 IZjner.Jbexfgngvba.izhv  
 VMware.Workstation.vmui  
 JvaMvcPbzchgvat.JvaMvc64  
 WinZipComputing.WinZip64  
 P:\Cebtenz Svyrf (k86)\Zbmvyyn Sversbk\bzav.wn  
 C:\Program Files (x86)\Mozilla Firefox\omni.ja  

You get the picture of what we are dealing with, and as mentioned above these are just a few samples of what I have in mine. You'll notice that there are a number of values with UEME prefixing a word. These can also add context to how an application may have been run. I've attempted to find a full list of these for both Windows 7 and Windows XP, however I've only been able to find bits and pieces. The following list is taken from Didier Stevens' blog (see the references at the end of this post).
In Windows 7 they've significantly reduced the number of these, as you can see in the comparison below. Many of the following are self-explanatory and I won't be going into each one for this particular tutorial.

 Windows 7:  
 UEME_RUNPATH  
 UEME_CTLCUACount:ctor  
 UEME_CTLSESSION  
 UEME_RUNPIDL  
 UEME_RUN  

 XP DLL (version 6.00.2900.3157):  
 UEME_CTLCUACount:ctor  
 UEME_CTLSESSION  
 UEME_DBSLEEP  
 UEME_DBTRACE  
 UEME_DBTRACEA  
 UEME_DBTRACEW  
 UEME_DONECANCEL  
 UEME_DONEFAIL  
 UEME_DONEOK  
 UEME_ERROR  
 UEME_ERRORA  
 UEME_ERRORW  
 UEME_INSTRBROWSER  
 UEME_RUN  
 UEME_RUNCPLA  
 UEME_RUNCPLW  
 UEME_RUNINVOKE  
 UEME_RUNOLECMD  
 UEME_RUNPATHA  
 UEME_RUNPATHW  
 UEME_RUNPIDL  
 UEME_RUNWMCMD  
 UEME_UIHOTKEY  
 UEME_UIMENU  
 UEME_UIQCUT  
 UEME_UISCUT  
 UEME_UITOOLBAR  
 UEME_USER  

So let's try to generate some of our own values and see how they show up in the output of RegRipper. To get started I ran 'procexp.exe' from the Sysinternals suite. I picked this application because it is GUI based and it would be easy for me to copy it to different locations on my computer. I'd then once again use a combination of HoboCopy (to copy my active registry hive) and RegRipper (to rip the UserAssist registry key) and examine the contents. I ran procexp.exe from four different places: the Desktop, the root of my user profile folder, Documents, and finally from within the x64 Program Files location.

I ran the following command for HoboCopy

 HoboCopy.exe c:\Users\username c:\tmp\ ntuser.dat  

Then the following for RegRipper

 rip.exe -r c:\tmp\ntuser.dat -p userassist2 > c:\tmp\userassist.txt  

The above commands produced the following output

 Thu Dec 27 07:31:20 2012 Z  
  {6D809377-6AF0-444B-8957-A3773F02200E}\procexp.exe (1)  
 Thu Dec 27 07:30:57 2012 Z  
  C:\Users\username\Documents\procexp.exe (1)  
 Thu Dec 27 07:30:37 2012 Z  
  C:\Users\username\procexp.exe (1)  
 Thu Dec 27 07:30:11 2012 Z  
  C:\Users\username\Desktop\procexp.exe (1)  

As you can see from above, most of them make sense apart from the one we ran from within the x64 Program Files folder, where a GUID appears in place of the path. I grabbed that GUID and Googled it, and found the following Microsoft page which explains each of these folder GUIDs.

http://msdn.microsoft.com/en-us/library/bb882665.aspx

If you don't want to use the list I've posted above, you can also search for the GUID from within regedit and that will find the matching key as well.

I decoded some of the values that I had listed in my output and placed them in the categories identified in the Microsoft article.

  System  
   1AC14E77-02E7-4E5D-B744-2EB1AE5198B7  
           {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\NOTEPAD.EXE (19)  
           {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe (5)  
  Windows  
   F38BF404-1D43-42F2-9305-67DE0B28FC23  
           {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (1)  
  ProgramFilesX86  
   7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E  
           {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Notepad++\notepad++.exe (1)  
           {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office12\OUTLOOK.EXE (11)  
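As an added example (my own code, not the blog's and not RegRipper's), here is a small Python script that does what the output above shows: it ROT13-decodes the value names, classifies each by the known-folder GUIDs that appear in full on this page (the complete list is on the MSDN page linked above), and reads the run count and last-run FILETIME from a Windows 7 Count value. The 72-byte value layout (run count at offset 4, FILETIME at offset 60) is assumed from public documentation of the artifact rather than from this post, and the sample value is constructed.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUIDs that appear in full on this page (partial table).
KNOWN_FOLDERS = {
    "6D809377-6AF0-444B-8957-A3773F02200E": "ProgramFilesX64",
    "7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E": "ProgramFilesX86",
    "1AC14E77-02E7-4E5D-B744-2EB1AE5198B7": "System",
    "F38BF404-1D43-42F2-9305-67DE0B28FC23": "Windows",
}
GUID_PREFIX = re.compile(r"^\{([0-9A-Fa-f-]{36})\}")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_name(rot13_name):
    """ROT13-decode a value name; classify it by a leading known-folder GUID."""
    decoded = codecs.decode(rot13_name, "rot_13")  # digits/punctuation unchanged
    m = GUID_PREFIX.match(decoded)
    if not m:  # UEME_* control entries and plain paths carry no GUID prefix
        return "Other", decoded
    guid = m.group(1).upper()
    return KNOWN_FOLDERS.get(guid, "Unknown GUID " + guid), decoded

def parse_win7_count(data):
    """Parse a 72-byte Windows 7 Count value. Assumed layout (public docs, not
    this post): run count DWORD at offset 4, last-run FILETIME QWORD at 60."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7 UserAssist value")
    run_count = struct.unpack_from("<I", data, 4)[0]
    filetime = struct.unpack_from("<Q", data, 60)[0]  # 100 ns units since 1601
    last_run = EPOCH_1601 + timedelta(microseconds=filetime // 10) if filetime else None
    return run_count, last_run

def build_sample_value(run_count, last_run):
    """Constructed test data: pack a value in the layout parse_win7_count expects."""
    filetime = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return (b"\x00" * 4 + struct.pack("<I", run_count) + b"\x00" * 52
            + struct.pack("<Q", filetime) + b"\x00" * 4)

def demo():
    """Decode the page's sample names and one constructed Count value."""
    names = [r"HRZR_PGYFRFFVBA", r"{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rUbzr\rufuryy.rkr",
             r"P:\Cebtenz Svyrf (k86)\Zbmvyyn Sversbk\bzav.wn"]
    decoded = [decode_name(n) for n in names]
    when = datetime(2012, 12, 27, 7, 31, 20, tzinfo=timezone.utc)  # constructed
    run_count, last_run = parse_win7_count(build_sample_value(19, when))
    return {"names": decoded, "run_count": run_count, "last_run": last_run.isoformat()}
```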

Hopefully I've explained the artifact and you can take away a better understanding of it. Countless articles have been written about this artifact and its importance to your investigations. If you're not reviewing it then you should get started, and make sure it's part of all your investigations.

Below are some key references that I found while researching this artifact and that you might find valuable.

[1] http://ad-pdf.s3.amazonaws.com/UserAssist%20Registry%20Key%209-8-08.pdf
[2] http://www.eptuners.com/forensics/contents/A_Forensic_Examination_of_the_Windows_Registry_DETAILED.pdf
[3] http://blog.didierstevens.com/programs/userassist/
[4] http://windowsir.blogspot.com.au/2007/09/more-on-userassist-keys.html
[5] http://msdn.microsoft.com/en-us/library/bb882665.aspx
[6] http://blog.didierstevens.com/2006/08/04/update-userassist-utility/
[7] http://blog.didierstevens.com/category/reverse-engineering/page/2/

2 comments:

  1. Within the current distribution of RegRipper plugins, all you need to use is the userassist.pl plugin...

    1. Thanks Harlan, yes the version of RegRipper used above was not the latest distribution.