PURPOSE
Use BigFix to search the enterprise for malware.
- Run the BigFix Queries
- Run the Python Script to Deduplicate and Count BigFix results
- Investigate hits and add filters to Python Script
- Rinse and Repeat
- Run another Python Script to show computer names and infections
1. Run the BigFix Queries
HKEY_LOCAL_MACHINE Run Key
if exists (keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of registry) then ((name of it & ", " & it as string) of values whose (name of it != "") of (keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of registry)) else "HKLM Run Key does not exist."
Output Example:
VMware Tools, "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
HKEY_CURRENT_USER Run Key
if exists ((logged on user whose (active of it))) then (if (exists keys "Software\Microsoft\Windows\CurrentVersion\Run" of current user keys (logged on user whose (active of it)) of registry) then ((name of it & ", " & it as string) of values whose (name of it != "") of (keys "Software\Microsoft\Windows\CurrentVersion\Run" of current user keys (logged on user whose (active of it)) of registry)) else ("HKCU Run key does not exist.")) else ("No user is logged on to this box.")
Output Example:
ctfmon.exe, "C:\WINDOWS\system32\ctfmon.exe"
HKEY_LOCAL_MACHINE Active Setup
if exists (keys "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" of registry) then (((name of it, it) of values whose (name of it contains "StubPath") of (it;keys of it) of key "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" of registry) as string) else ("HKLM Installed Components Key does not exist")
Output:
StubPath, C:\WINDOWS\system32\malware.exe
HKEY_CURRENT_USER Active Setup
if exists ((logged on user whose (active of it))) then (if exists (keys "SOFTWARE\Microsoft\Active Setup\Installed Components" of current user keys (logged on user whose (active of it)) of registry) then (((names of it, (name of it, it) of values of it) of (it; keys of it) of keys "SOFTWARE\Microsoft\Active Setup\Installed Components" of current user keys (logged on user whose (active of it)) of registry) as string) else ("HKCU Installed Components key does not exist.")) else ("No user is logged on to this box.")
HKEY_LOCAL_MACHINE Winlogon userinit.exe
if exists (key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry) then (((name of it, it) of values whose (name of it as lowercase contains "userinit") of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry) as string) else "Winlogon Key does not exist."
Output:
Userinit, ( C:\WINDOWS\system32\userinit.exe, C:\Temp\malware.exe )
2. Run the Python Script to Deduplicate and Count BigFix results
import re
from collections import Counter

with open('name_of_data_file.txt', 'r') as f: #Exported BigFix query results
    data = f.read()

def RemoveUnwantedData(fdata):
    #Blank out entries you already know are legitimate so they are not counted below
    fdata = fdata.replace("qttask.exe", "") #Apple's Quick Time Tray Icon
    fdata = fdata.replace("groovemonitor.exe", "") #Microsoft Groove
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 9.0\\Acrobat\\Acrotray.exe", "") #Adobe
    #fdata = fdata.replace("<next file to remove>", "") #Add one replace() per file you want removed from your data
    #This list can get super long but Python will get through it quick
    return fdata

def DeDuplicateAndCountHits(dupedList):
    #Counter() deduplicates the list and counts each unique entry; most_common() sorts highest hit count first
    return Counter(dupedList).most_common()

data = RemoveUnwantedData(data)
#Full paths starting with C:\ and ending with .exe; quotes, commas, parentheses and line ends terminate a path
match = re.findall(r'C:\\[^"\n,;()]+?\.exe', data, re.IGNORECASE)
count = DeDuplicateAndCountHits(match)

with open('Data_Results.csv', 'w') as f2:
    for item, hits in count:
        f2.write("%s, %d\n" % (item, hits))
#Output:
#<Location of Infection>, <Hit Count>
#C:\WINDOWS\system32\malware.exe, 5
#This means you have 5 computers with this infection
#To find the computer names run PCNameFilter.And.LocationOfInfection.py
3. Investigate hits and add filters to Python Script
Anything with a low hit count that is found in one of these folders should be investigated (for example, uploaded to VirusTotal):
C:\Documents and Settings\<username>\Application Data\malware.exe
C:\Documents and Settings\<username>\Local Settings\Application Data\malware.exe
C:\WINDOWS\malware.exe
C:\WINDOWS\system32\malware.exe
False-positive rate: the really high hit counts are usually legitimate.
4. Rinse and Repeat
The high hit counts will be files you recognize as legitimate.
Filter these out by adding them to the python script.
def RemoveUnwantedData(fdata):
fdata = fdata.replace("<File to be filtered>", "") #Removes the data from your results.
5. Run another Python Script to show computer names and infections
import re

with open('name_of_data_file.txt', 'r') as f: #Exported BigFix query results, one line per computer
    data = f.readlines()

def RemoveUnwantedData(fdata):
    #Blank out entries you already know are legitimate so they are not reported below
    fdata = fdata.replace("qttask.exe", "") #Apple's Quick Time Tray Icon
    fdata = fdata.replace("groovemonitor.exe", "") #Microsoft Groove
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe", "") #Adobe
    fdata = fdata.replace("C:\\Program Files\\Adobe\\Acrobat 9.0\\Acrobat\\Acrotray.exe", "") #Adobe
    #fdata = fdata.replace("<next file to remove>", "") #Add one replace() per file you want removed from your data
    #This list can get super long but Python will get through it quick
    return fdata

with open('PCName.Location.Results.csv', 'w') as f2: #Open a file to dump your results
    for line in data:
        #The computer name comes before the "|" delimiter. Your data may be different so adjust as necessary
        PCName = line.split("|")[0].strip()
        line2 = RemoveUnwantedData(line)
        #Find all files with extension .exe; quotes, commas, parentheses and line ends terminate a path
        matchEXE = re.findall(r'C:\\[^"\n,;()]+?\.exe', line2, re.IGNORECASE)
        for location in matchEXE:
            f2.write("%s, %s\n" % (PCName, location))
#Output:
#<ComputerName>, <Location of infection>
#PCName, C:\WINDOWS\system32\malware.exe
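The following is an added example, not part of the original notes, that carries steps 2, 3 and 5 through in one place on a constructed sample of exported query results. It assumes the same "<ComputerName>|<query result>" export layout as the script above (the "|" delimiter, the computer names, and every path in the sample are made up). Instead of blanking known-good file names out of the raw text, which can leave directory fragments behind and lets the .exe regex run across neighbouring entries on the same line, it extracts every executable path first and then drops the ones on a known-good list by full path. It also counts distinct computers per path, flags low-count hits in the folders listed in step 3, and flags any Winlogon Userinit value that carries more than userinit.exe, which is exactly the Userinit output example from step 1.

```python
import csv
import ntpath
import re
from collections import defaultdict

# Constructed sample of exported BigFix results, one
# "<ComputerName>|<query result>" line per computer and property
# (the "|" delimiter is an assumption taken from the script above).
SAMPLE_RESULTS = """\
PC001|VMware Tools, "C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
PC001|SunJavaUpdateSched, "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
PC002|VMware Tools, "C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
PC002|SunJavaUpdateSched, "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
PC003|QuickTime Task, "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
PC003|StubPath, C:\\WINDOWS\\system32\\malware.exe
PC004|SunJavaUpdateSched, "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
PC004|Userinit, ( C:\\WINDOWS\\system32\\userinit.exe, C:\\Temp\\malware.exe )
PC005|SunJavaUpdateSched, "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
PC005|Userinit, ( C:\\WINDOWS\\system32\\userinit.exe )
PC006|updater, C:\\Documents and Settings\\jdoe\\Application Data\\svch0st.exe
PC007|StubPath, C:\\WINDOWS\\system32\\malware.exe
"""

# Known-good full paths (lowercase). Filtering on the whole path, rather than
# deleting a file name from the raw text, keeps neighbouring entries intact.
KNOWN_GOOD = {
    r"c:\program files\vmware\vmware tools\vmwaretray.exe",
    r"c:\program files\quicktime\qttask.exe",
    r"c:\windows\system32\userinit.exe",
}

# Folders from step 3 where a rarely seen executable deserves a look.
SUSPICIOUS_DIRS = {
    r"c:\documents and settings\<username>\application data",
    r"c:\documents and settings\<username>\local settings\application data",
    r"c:\windows",
    r"c:\windows\system32",
}

# A drive-letter path ending in .exe. Quotes, commas, semicolons, parentheses
# and line ends terminate it, so a Userinit list splits into separate hits.
EXE_RE = re.compile(r'[a-z]:\\[^"\n,;()]+?\.exe', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^(c:\\documents and settings\\)[^\\]+\\")


def parse_results(text):
    """Yield (computer, value_name, lowercased path) for every executable on every line."""
    for line in text.splitlines():
        if "|" not in line:
            continue
        computer, result = line.split("|", 1)
        value_name = result.split(",", 1)[0].strip()
        for m in EXE_RE.finditer(result):
            yield computer.strip(), value_name, m.group(0).lower()


def computers_by_path(text, known_good=KNOWN_GOOD):
    """Step 5: each non-allowlisted path with the sorted list of computers reporting it."""
    hits = defaultdict(set)
    for computer, _, path in parse_results(text):
        if path not in known_good:
            hits[path].add(computer)
    return {path: sorted(pcs) for path, pcs in hits.items()}


def count_hits(text, known_good=KNOWN_GOOD):
    """Step 2: (path, number of computers), highest hit count first."""
    table = computers_by_path(text, known_good)
    return sorted(((p, len(pcs)) for p, pcs in table.items()), key=lambda x: (-x[1], x[0]))


def generic_dir(path):
    """Directory of the path with the profile name replaced by <username>."""
    return ntpath.dirname(USER_PROFILE_RE.sub(r"\1<username>\\", path))


def triage(text, max_count=3, known_good=KNOWN_GOOD):
    """Step 3: low-count hits located in one of the suspicious folders."""
    return [(path, count) for path, count in count_hits(text, known_good)
            if count <= max_count and generic_dir(path) in SUSPICIOUS_DIRS]


def userinit_extras(text):
    """Computers whose Winlogon Userinit value lists anything besides userinit.exe."""
    extras = defaultdict(list)
    for computer, value_name, path in parse_results(text):
        if value_name.lower() == "userinit" and ntpath.basename(path) != "userinit.exe":
            extras[computer].append(path)
    return dict(extras)


def write_csv(filename, header, rows):
    with open(filename, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(header)
        writer.writerows(rows)


if __name__ == "__main__":
    write_csv("Data_Results.csv", ["Location", "HitCount"], count_hits(SAMPLE_RESULTS))
    pairs = [(pc, p) for p, pcs in computers_by_path(SAMPLE_RESULTS).items() for pc in pcs]
    write_csv("PCName.Location.Results.csv", ["ComputerName", "Location"], pairs)
    for path, count in triage(SAMPLE_RESULTS):
        print(f"investigate: {path} ({count} computer(s))")
    for pc, paths in userinit_extras(SAMPLE_RESULTS).items():
        print(f"extra Userinit entry on {pc}: {', '.join(paths)}")
```

On the sample, jusched.exe comes out with the highest count and is the candidate for the known-good list on the next pass (step 4), the two StubPath hits in system32 and the single hit under a user's Application Data are flagged for investigation, and PC004 is reported for the extra Userinit entry even though C:\Temp is not in the step 3 folder list.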
BONUS: Delete Malware Registry key using BigFix
Relevance:
if exists (keys "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}" of registry) then (((name of it, it) of values whose (name of it as lowercase contains "stubpath") of (it;keys of it) of key "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}" of registry) as string) else ("Key does not exist.")
Action:
// These two delete lines are included in case regdel.reg already exists.
// It's to avoid rare errors, but mostly not necessary.
delete __appendfile
delete regdel.reg
// Append the next two lines to a file called "__appendfile" with this information.
// There is an extra "{" in "{{" because "{" is an escape character in ActionScript.
appendfile Windows Registry Editor Version 5.00
appendfile [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{{GUID}]
// rename the "__appendfile" to "regdel.reg"
move __appendfile regdel.reg
// run "regedit /s" that is the command to import into the registry and feed it the file regdel.reg.
wait regedit /s regdel.reg
NOTES
it = A reference to the closest direct object or ‘whose’ clause.
BES 7.0 introduced a new inspector, "logged on user", so that logged-in users can be handled properly. It has properties such as:
q: (name of it, active of it, remote of it) of logged on users
a: ben, True, True
The BES Client runs as the LOCAL SYSTEM account and so its HKEY_CURRENT_USER branch does not match the logged in user’s branch. However, it is still possible to get the logged in user’s HKEY_CURRENT_USER branch of HKEY_USERS by searching through the Logon keys for the name of the current user:
q: name of key whose ((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@") of (it as string as lowercase) of value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it) of key "HKEY_USERS" of registry
a: S-1-5-21-1214450339-2025729265-839522115-1013
DOCS
http://support.bigfix.com/fixlet/documents/Windows%20Inspectors%2080_101123.pdf
http://forum.bigfix.com/viewtopic.php?id=7428
http://support.bigfix.com/fixlet/documents/BES_Relevance_Language_Reference_60_2006-11-03.pdf
http://support.bigfix.com/fixlet/documents/WinActions-2007-09-08.pdf