Learn about Digital Guardian's new forensic artifact collection tool, DG Wingman, how it came to be, along with powerful tips and tricks.
A little over ten years ago, I recall forming our first incident response team at my prior company. I couldn't wait to hit the ground running, find all of the bad guys, and clean up an environment that was a cesspool of malware and state-sponsored groups targeting our intellectual property. We weren't alone in experiencing this problem; it plagues many organizations, whether they know it or not.
I'd often listen in disbelief to friends in the industry describing how secure the network was at their company, only to find out later that they had been owned for years. Acceptance, which is typically the last stage in any model, was where I started out. I accepted the fact that we weren't perfect and that we had huge gaping holes that needed to be closed, not to mention a cleanup effort that was going to be rather extensive.
When it comes to incident response, every responder has their own arsenal of tools they like to leverage for pulling back evidence and forensic artifacts. I tried almost all of them - they were fairly limited back then - but nothing really hit the spot for me. I used to use an enterprise forensic software tool for this at my last company, but it honestly took FOREVER, especially when you had to wait for it to 'Mount $MFT' before you could even begin working with the device. No thanks. So I came up with a tool I called 'The Forensicator,' a complete batch script hack that looked as though a toddler wrote it, with spaghetti code everywhere - but honestly it did the job pretty well and increased my efficiency drastically.
Fast forward seven years: I joined Digital Guardian to develop our Endpoint Detection & Response capabilities and finally had a team of engineers that could do the idea justice! We wrote DG Wingman, a forensic artifact collection tool, to emulate a lot of that functionality, and I'm excited to finally release it for FREE to all of you at Black Hat 2019!
Wingman's primary purpose is to forensically collect and acquire critical artifacts of interest, such as the $MFT, event logs, and registry hives, with ease. Additionally, you have the option to execute custom commands as SYSTEM or run a full scan of an endpoint, collecting metadata from portable executable files such as hashes, certificates, strings, and more. By default, here is some of the information that can be collected with the various command flags:
- System Information
- Named Objects
- Scheduled Tasks
- Active Scan Data
  - Open Handles
  - Recently Opened/Recently Closed Files
- Static Scan Data
  - Binary Attribute / Version Information
  - Binary Import/Export Sections
  - Digital Certificate Information
- WMI Data
- Network Information
- Event Log Entries
  - System Event Log
  - Application Event Log
  - Security Event Log
  - Terminal Services Log
- Registry Hives
  - System Hive
  - Software Hive
  - Security Hive
  - SAM Hive
  - NTUSER Hives
- Master File Table
- Network Information
- Web History
Running wingman.exe /h will display a help screen listing everything that is available.
The utility can be run locally, for example on a machine that is rarely connected to the network but from which you need evidence, or remotely across the network to pull back evidence for additional analysis. For remote collection, I'd recommend the following approach to securely pull back evidence without exposing your network to additional risk.
Run the net use command below. This establishes an authenticated session between your machine and the device. No interactive logon occurs, and you won't be passing your credentials in clear text where they could be seen and harvested by the bad guys.
net use \\192.168.1.2\ipc$ /u:admin *
When prompted, enter the password for the account.
Next, run psexec to execute Wingman on the remote machine and specify an output location. The output location can be on the remote machine or, better still, on a network share where you collect forensic evidence, which would eliminate step three; it's completely up to you. And yes, for the Uber Forensic Nerds, I'm fully aware that this method writes something to disk, but c'mon, live a little.
psexec -s -accepteula \\192.168.1.2 -c wingman.exe -mft -x c:\windows\temp\edr.7z
The Wingman command above will just extract and pull back the Master File Table ($MFT). But feel free to go crazy and pull back as much as you want. My go-to command would be:
wingman.exe -s -r
This collects all system information, event logs, and registry data. You can also create a custom config listing all the file locations you'd like to collect: if Wingman doesn't collect a certain file by default (for example, all .evtx files), use the -capf option to collect these additional artifacts.
Collect your evidence from the remote device with the command below.
copy \\192.168.1.2\c$\windows\temp\edr.7z c:\windows\temp
And feel free to clean up after yourself for safe housekeeping.
del \\192.168.1.2\c$\windows\temp\edr.7z
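The remote collection steps above, scripted end to end as an added example (this is not DG Wingman's own code and was not part of the original post): it runs the same net use / psexec / copy / delete sequence, but hashes the archive before and after the copy and only deletes the remote copy once the two hashes match. The target address, account and paths are placeholders; the Wingman flags are the ones used above.

```powershell
# Added example, not part of DG Wingman or the original post: scripts the
# net use / psexec / copy / del steps and verifies the archive's hash before
# the remote copy is deleted. Target, account and paths are placeholders.
param(
    [string]$Target    = '192.168.1.2',
    [string]$Account   = 'admin',
    [string]$RemoteOut = 'c:\windows\temp\edr.7z',
    [string]$LocalDir  = 'c:\windows\temp'
)

$ipcShare   = '\\' + $Target + '\ipc$'
$remotePath = '\\' + $Target + '\c$\' + $RemoteOut.Substring(3)   # c:\x -> \\host\c$\x
$localPath  = Join-Path $LocalDir ($Target + '_' + (Split-Path $RemoteOut -Leaf))

# Authenticated session to the target; '*' makes net use prompt for the
# password so it is never typed on the command line or left in history.
net use $ipcShare /u:$Account *
if ($LASTEXITCODE -ne 0) { throw "net use to $Target failed" }

try {
    # Same invocation as the post: copy wingman.exe across (-c), run it as
    # SYSTEM (-s) and write the $MFT collection to the remote archive (-x).
    psexec "\\$Target" -s -accepteula -c wingman.exe -mft -x $RemoteOut
    if ($LASTEXITCODE -ne 0) { throw "psexec/wingman exited with $LASTEXITCODE" }

    # Hash the archive where Wingman wrote it, copy it back, hash the copy.
    $remoteHash = (Get-FileHash -Algorithm SHA256 -Path $remotePath).Hash
    Copy-Item -Path $remotePath -Destination $localPath
    $localHash  = (Get-FileHash -Algorithm SHA256 -Path $localPath).Hash
    if ($remoteHash -ne $localHash) {
        throw "SHA256 mismatch for $localPath; remote archive left in place"
    }

    # Clean up only after verification, and record the hash beside the
    # evidence so it can be quoted in the chain-of-custody notes.
    Remove-Item -Path $remotePath
    "$localHash  $(Split-Path $localPath -Leaf)" |
        Out-File -Append -FilePath (Join-Path $LocalDir 'evidence_hashes.txt')
    Write-Host "Collected $localPath (SHA256 $localHash)"
}
finally {
    # Drop the IPC$ session whether or not collection succeeded.
    net use $ipcShare /delete | Out-Null
}
```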
Boom, evidence collection is done! All acquired evidence is compressed nicely for pulling back over the wire, so you can go to town and start hunting for mischief. My parsing tool of choice is always log2timeline (a.k.a. Plaso), but feel free to leverage whatever tool you want. Example output from Wingman is shown below:
Note: a couple of quick Tim Tips when running parsing tools. Start by using AnalyzeMFT to parse the Master File Table; it's MUCH faster than having log2timeline parse it from scratch. Move that tool's output into your evidence directory and remove the raw $MFT artifact so it isn't parsed a second time.
analyzeMFT.py -b mft.body -f $MFT --bodyfull
Your evidence folder will now look similar to this:
Next, run the psteal utility, which comes from the log2timeline GitHub page. It runs both log2timeline and psort to extract and process the events. I know, confusing, right? Ultimately it generates a .CSV file for you to analyze and manipulate as you see fit. I've been using this method for almost my entire incident response career and it hasn't failed me yet! Other IR guys or gals may have different methods, of course, but stick with what works best for you.
psteal.exe -o l2tcsv -z UTC --source "C:\evidence_folder" -w swampthing_output.csv
Now back to Wingman. One of the more advanced features in the utility is a scanner function that collects metadata from all portable executable files. The results are returned in JSON format, and you can analyze the data looking for unsigned binaries, suspicious imports/exports, malicious hashes, and more. Below is what the output looks like; it may be split across multiple files.
You can also slice and dice this data in PowerShell pretty easily; the command below is an example.
$content = Get-Content -Path 'C:\yara\staticdata_2019-07-30_08-03_19_807.json' | ConvertFrom-Json
$content.OnDiskExecutables | Select-Object FilePath, FileSize -ExpandProperty HashCodes | Select-Object FilePath, FileSize, MD5
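Taking that one step further, here is an added triage example (my own, not Wingman's code or part of the original post) that flags executables in the static scan output by known-bad hash, missing signature and watch-listed imports. Only OnDiskExecutables, FilePath, FileSize and HashCodes.MD5 come from the post; the Signed and Imports field names, the known-bad hash and the embedded JSON sample are assumptions and constructed data, so map them to the real schema in your own output.

```powershell
# Added example, not Wingman's own code. The JSON sample below is constructed;
# Signed and Imports are assumed field names (only OnDiskExecutables, FilePath,
# FileSize and HashCodes.MD5 are taken from the post).
$sampleJson = @'
{ "OnDiskExecutables": [
  { "FilePath": "C:\\Windows\\System32\\notepad.exe", "FileSize": 201216,
    "HashCodes": { "MD5": "11111111111111111111111111111111" },
    "Signed": true,  "Imports": [ "KERNEL32.dll!CreateFileW" ] },
  { "FilePath": "C:\\Users\\Public\\update.exe", "FileSize": 8832,
    "HashCodes": { "MD5": "deadbeefdeadbeefdeadbeefdeadbeef" },
    "Signed": false, "Imports": [ "ADVAPI32.dll!OpenProcessToken",
                                 "KERNEL32.dll!WriteProcessMemory" ] }
] }
'@

# Known-bad MD5s would normally come from your intel feed; placeholder entry here.
$knownBad  = @{ 'deadbeefdeadbeefdeadbeefdeadbeef' = 'PLACEHOLDER-intel-tag' }
# APIs that are unremarkable alone but worth a look in an unsigned binary.
$watchList = @('WriteProcessMemory', 'CreateRemoteThread',
               'OpenProcessToken', 'AdjustTokenPrivileges')

# For a real run: Get-Content -Raw -Path <staticdata json> | ConvertFrom-Json
$content = $sampleJson | ConvertFrom-Json

$content.OnDiskExecutables | ForEach-Object {
    $md5     = $_.HashCodes.MD5
    $reasons = @()
    if ($knownBad.ContainsKey($md5)) { $reasons += "known-bad hash ($($knownBad[$md5]))" }
    if (-not $_.Signed)              { $reasons += 'unsigned' }
    # Import entries look like "DLL!Function"; compare the function name only.
    $hits = $_.Imports | Where-Object { $watchList -contains ($_ -split '!')[-1] }
    if ($hits) { $reasons += "imports: $($hits -join ', ')" }

    [pscustomobject]@{
        FilePath = $_.FilePath
        FileSize = $_.FileSize
        MD5      = $md5
        Reasons  = ($reasons -join '; ')
    }
} | Where-Object { $_.Reasons } | Sort-Object FilePath | Format-Table -AutoSize
```

With the constructed sample, only update.exe is listed, with all three reasons; notepad.exe is signed, has a benign hash and imports nothing on the watch list, so it is filtered out.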
Since Wingman can acquire the strings from all executables, you can also run local YARA scans over that output looking for hits. Keep in mind this will be limited primarily to signatures that look for string-based indicators, but I've found it very effective and efficient for locating evil with YARA. Below is an example where we've identified a credential dumping program, Mimikatz, along with a Meterpreter binary, which is commonly used as a backdoor for command and control.
Wingman is a highly versatile tool that can be used for many scenarios while out in the field. Digital Guardian’s EDR agent has Wingman built directly into it and can be easily called with a right click to acquire forensics or execute custom scripts and commands. If you’re looking to automate your incident response forensic collection process and continuously collect endpoint telemetry, check out Digital Guardian’s EDR offering for more details!
Get DG Wingman now so you won’t fly solo when scoping intrusions.
For any questions, comments, or suggestions in regards to Wingman, please email firstname.lastname@example.org. Thanks!