Auscert 2022 NTFS Exercise setup

extended_attributes.ps1

 ### Extended Attribute 

# 1. Download https://github.com/jschicht/EaTools to C:\PerfLogs (this step was run previously if you ran our setup script)
https://github.com/jschicht/EaTools/raw/master/EaInject64.exe
https://github.com/jschicht/EaTools/raw/master/EaQuery64.exe

# 2. Add EA to file
copy C:\Windows\System32\calc.exe C:\PerfLogs\calc.exe
C:\PerfLogs\EaInject64.exe /Payload:C:\PerfLogs\calc.exe /Container:C:\PerfLogs\just_a_file.txt /Mode:0 /Identifier:NOTHINGTOSEEHERE

# Add large file over multiple EAs
C:\PerfLogs\EaInject64.exe /Payload:C:\PerfLogs\psexec64.exe /Container:C:\PerfLogs\just_a_folder /Mode:2 /Identifier:"Split EAs" 

msbuild.yara

rule MSBuild_template {
   meta:
      description = "MSBuild template. Detects MSBuild variable setup and generic template strings."
   strings:
      $s1  = "byte[] key_code = new byte[" ascii
      $s2  = "byte[] buff = new byte[" ascii
      $s8  = "<Code Type=\"Class\" Language=\"cs\">" ascii
      $s9  = "<![CDATA[" ascii
      $s10 = "[DllImport(" ascii
      
   condition:
      ( uint16(0) == 0x3c0a or uint8(0) == 0x3c ) // \n< or < at 0
      and any of ($s*) 
}

setup.ps1

 ### NTFS exercise setup

## 1. download some files to test various content and add ADS to simulate manual download from a browser

$downloads = ( 
    "https://live.sysinternals.com/PsExec64.exe",
    "https://live.sysinternals.com/procdump64.exe",
    "https://live.sysinternals.com/sdelete64.exe",
    "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe"
)

foreach ( $url in $downloads){
    "Downloading " + $Url
    $file = Split-Path $Url -Leaf
    $dest = "C:\PerfLogs\" +$file
    $ads =  "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://18.220.58.123/yolo/`r`nHostUrl=https://18.220.58.123/yolo/" + $file + "`r`n"

    Remove-Item -Path $dest -force -ErrorAction SilentlyContinue
    Invoke-WebRequest -Uri $Url -OutFile $dest -UseBasicParsing
    Set-Content -Path $dest":Zone.Identifier" $ads
}


## 2.Create a PS1 file in staging folder (any text will do but this is powershell extension)
echo "Write-Host ‘this is totally a resident file’" > C:\Perflogs\test.ps1

## 3.Modify shortname on a file
fsutil file setshortname C:\PerfLogs\psexec64.exe fake.exe

## 4. Create a process dumpOpen calculator (calc.exe)
calc.exe ; start-sleep 2
C:\PerfLogs\procdump64.exe -accepteula -ma win32calc C:\PerfLogs\calc.dmp
get-process | where-object { $_.Name -like "*win32calc*" } | Stop-Process

## 5. Create a zip file in staging folder
Compress-Archive -Path C:\PerfLogs\* -DestinationPath C:\PerfLogs\exfil.zip -CompressionLevel Fastest

## 6. Delete dmp,zip and ps1 files - deleted file discovery is important for later!
Remove-Item -Path C:\PerfLogs\*.zip, C:\PerfLogs\*.dmp, C:\PerfLogs\*.ps1 

timestomp.ps1

 # stomp single procdump64
C:\PerfLogs\nTimestomp_v1.2_x64.exe -F C:\Perflogs\procdump64.exe -M "1999-12-31 23:59:59.9999999" -A "1999-12-31 23:59:59.9999999" -C "1999-12-31 23:59:59.9999999" -B "1999-12-31 23:59:59.9999999"

# Timestomp useczero - old tool use case
C:\PerfLogs\nTimestomp_v1.2_x64.exe -F C:\Perflogs\sdelete64.exe -M "1999-12-31 23:59:59.0000000" -A "1999-12-31 23:59:59.0000000" -C "1999-12-31 23:59:59.0000000" -B "1999-12-31 23:59:59.0000000"

# double timestomp - FN stomped
C:\PerfLogs\nTimestomp_v1.2_x64.exe -F c:\Perflogs\exec.exe -M "1999-12-31 23:59:59.9999999" -A "1999-12-31 23:59:59.9999999" -C "1999-12-31 23:59:59.9999999" -B "1999-12-31 23:59:59.9999999"
move c:\Perflogs\exec.exe c:\Windows\Temp\exec.exe
C:\PerfLogs\nTimestomp_v1.2_x64.exe -F c:\exec.exe -M "1999-12-31 23:59:59.9999999" -A "1999-12-31 23:59:59.9999999" -C "1999-12-31 23:59:59.9999999" -B "1999-12-31 23:59:59.9999999"
move c:\Windows\Temp\exec.exe c:\Perflogs\exec.exe
C:\PerfLogs\nTimestomp_v1.2_x64.exe -F c:\Perflogs\exec.exe -M "1999-12-31 23:59:59.9999999" -A "1999-12-31 23:59:59.9999999" -C "1999-12-31 23:59:59.9999999" -B "1999-12-31 23:59:59.9999999"