Use-cases

The use-cases presented here can be used as a source of inspiration and as a quick reference on how to tackle specific challenges you might encounter during your investigations.

Note

Consider this page as a constant WIP. This page will continuously be updated with new use-cases as we or the community document them.

We also appreciate your help! If you have a new use-case, feel free to contact us or create a pull request on GitHub.

Finally, for the use-cases written out below the environment as described in First steps is assumed.

target-query

Creating a simple CMDB

As explained in target-query, you can create a CMDB using target-query. Simply use the --cmdb argument, while using the basic OS functions. You can write this to a csv file to archive your CMDB.

$ target-query targets/ -f hostname,domain,os,version,ips --cmdb -d ";" > docs/CMDB.csv

Pushing query results to a search platform

Let’s parse all the Windows event logs using the evt and the evtx function and get them in a JSON format. Since both functions output their results as records, we can use rdump to obtain a prettified JSON output with the -j argument, or a more compact JSON output with -J.

$ target-query targets/ -f evt,evtx -q | rdump -j
[...]
{
    "hostname": "N-1A9ODN6ZXK4LQ",
    "domain": null,
    "ts": "2004-08-19T22:20:40.000000",
    "TimeGenerated": "2004-08-19T22:20:40.000000",
    "TimeWritten": "2004-08-19T22:20:40.000000",
    "SourceName": "LoadPerf",
    "EventID": 1073742824,
    "EventCode": 1000,
    "EventFacility": 0,
    "EventCustomerFlag": 0,
    "EventSeverity": 1073741824,
    "EventType": 4,
    "EventCategory": 0,
    "Computername": "N-1A9ODN6ZXK4LQ",
    "UserSid": null,
    "Strings": [
        "RSVP",
        "QoS RSVP"
    ],
    "Data": "DBQAAA==",
    "_source": "/home/dev/Documents/hacking_case/4Dell Latitude CPi.E01",
    "_classification": null,
    "_generated": "2022-07-13T11:42:20.621391",
    "_version": 1,
    "_type": "record",
    "_recorddescriptor": [
        "filesystem/windows/evt",
        3573162258
    ]
}
[...]

Note that the code block above gives an example of how this data comes through in the console and does not represent the full output (indicated with [...]).

In a lot of cases, you want to push this data to some sort of search platform. To demonstrate this functionality here, we pipe the output to nc and stream it to localhost on port 1337.

$ target-query targets/ -f evt,evtx -q | rdump -j | nc localhost 1337

In another terminal we listen to any data coming in on port 1337, resulting in receiving the data in the same JSON format.

$ nc -l 1337
[...]
{
    "hostname": "N-1A9ODN6ZXK4LQ",
    "domain": null,
    "ts": "2004-08-19T22:20:40.000000",
    "TimeGenerated": "2004-08-19T22:20:40.000000",
    "TimeWritten": "2004-08-19T22:20:40.000000",
    "SourceName": "LoadPerf",
    "EventID": 1073742824,
    "EventCode": 1000,
    "EventFacility": 0,
    "EventCustomerFlag": 0,
    "EventSeverity": 1073741824,
    "EventType": 4,
    "EventCategory": 0,
    "Computername": "N-1A9ODN6ZXK4LQ",
    "UserSid": null,
    "Strings": [
        "RSVP",
        "QoS RSVP"
    ],
    "Data": "DBQAAA==",
    "_source": "/home/dev/Documents/hacking_case/4Dell Latitude CPi.E01",
    "_classification": null,
    "_generated": "2022-07-13T11:42:20.621391",
    "_version": 1,
    "_type": "record",
    "_recorddescriptor": [
        "filesystem/windows/evt",
        3573162258
    ]
}
[...]

Luckily, you don’t have to reinvent the wheel when pushing data to well-known search platforms, such as Splunk or Elasticsearch. rdump can make use of its dedicated adapters for these search platforms.

Let’s take a look at Splunk for example. For this, we use the -w argument for rdump and invoke the Splunk adapter with splunk://localhost:1337.

$ target-query targets/ -f evt,evtx -q | rdump -w splunk://localhost:1337

For demonstration purposes, we again listen in another terminal to port 1337 with nc to see the result coming in.

$ nc -l 1337
[...]
type="filesystem/windows/evt" rdtag=None hostname="N-1A9ODN6ZXK4LQ" domain=None ts="2004-08-19 22:20:40" TimeGenerated="2004-08-19 22:20:40" TimeWritten="2004-08-19 22:20:40" SourceName="LoadPerf" EventID="1073742824" EventCode="1000" EventFacility="0" EventCustomerFlag="0" EventSeverity="1073741824" EventType="4" EventCategory="0" Computername="N-1A9ODN6ZXK4LQ" UserSid=None Strings="['RSVP', 'QoS RSVP']" Data="DBQAAA=="
[...]

As you can see, these results are Splunk compatible and will allow the records to be imported into your Splunk instance.

Timeline of records

target-query functions that have a record with the fiedltype datetime are outputed in a single record. As shown below with the function mft:

$ target-query -f mft -t targets/EXAMPLE.tar --limit 1 | rdump
<filesystem/ntfs/mft/std hostname='MSEDGEWIN10' domain=None creation_time=2019-03-19 21:52:25.169411+00:00 last_modification_time=2019-03-19 21:52:25.169411+00:00 last_change_time=2019-03-19 21:52:25.169411+00:00 last_access_time=2019-03-19 21:52:25.169411+00:00 segment=0 path='c:/$MFT' owner='S-1-5-18' filesize=0.12 GB resident=False inuse=True volume_uuid=None>

Using rdump with the argument --multi-timestamp outputs multiple ts enriched records based on the datetime fields of the original record.

$ target-query -f mft -t targets/EXAMPLE.tar --limit 1 | rdump --multi-timestamp
[reading from stdin]
<filesystem/ntfs/mft/std ts=2019-03-19 21:52:25.169411 ts_description='creation_time' hostname='MSEDGEWIN10' domain=None creation_time=2019-03-19 21:52:25.169411 last_modification_time=2019-03-19 21:52:25.169411 last_change_time=2019-03-19 21:52:25.169411 last_access_time=2019-03-19 21:52:25.169411 segment=0 path='c:/$MFT' owner='S-1-5-18' filesize=0.12 GB resident=False inuse=True volume_uuid=None>
<filesystem/ntfs/mft/std ts=2019-03-19 21:52:25.169411 ts_description='last_modification_time' hostname='MSEDGEWIN10' domain=None creation_time=2019-03-19 21:52:25.169411 last_modification_time=2019-03-19 21:52:25.169411 last_change_time=2019-03-19 21:52:25.169411 last_access_time=2019-03-19 21:52:25.169411 segment=0 path='c:/$MFT' owner='S-1-5-18' filesize=0.12 GB resident=False inuse=True volume_uuid=None>
<filesystem/ntfs/mft/std ts=2019-03-19 21:52:25.169411 ts_description='last_change_time' hostname='MSEDGEWIN10' domain=None creation_time=2019-03-19 21:52:25.169411 last_modification_time=2019-03-19 21:52:25.169411 last_change_time=2019-03-19 21:52:25.169411 last_access_time=2019-03-19 21:52:25.169411 segment=0 path='c:/$MFT' owner='S-1-5-18' filesize=0.12 GB resident=False inuse=True volume_uuid=None>
<filesystem/ntfs/mft/std ts=2019-03-19 21:52:25.169411 ts_description='last_access_time' hostname='MSEDGEWIN10' domain=None creation_time=2019-03-19 21:52:25.169411 last_modification_time=2019-03-19 21:52:25.169411 last_change_time=2019-03-19 21:52:25.169411 last_access_time=2019-03-19 21:52:25.169411 segment=0 path='c:/$MFT' owner='S-1-5-18' filesize=0.12 GB resident=False inuse=True volume_uuid=None>

This makes it possible to output a timeline of records that can be analyzed in applications like Elasticsearch (-w elastic://), Timesketch (--jsonlines) or Timeline Explorer (--csv) using rdump. This application needs a single datetime field on which can be filtered to view records in chronological order.

Filtering function output using target-query and rdump

Using rdump it is also possible to filter the output you generate when using target-query. Below you will find two simple use-cases on how to filter output.

Using the rdump filter defined below, you can filter the output from the mft function to just show the malicious random_01.dll dll.

$ target-query -f mft targets/MSEDGEWIN10.tar | rdump -s 'r.path.filename == "random_01.dll"'
<filesystem/ntfs/mft/std hostname='MSEDGEWIN10' domain=None creation_time=2021-02-09 07:36:23.757454 last_modification_time=2021-01-22 10:01:00 last_change_time=2021-02-08 17:42:46.283194 last_access_time=2021-02-09 07:36:23.771214 segment=918 path='c:/Users/Default/Downloads/random_01.dll' owner='S-1-5-32-544' filesize=3.28 MB resident=False inuse=True volume_uuid='3fa6fe91-916a-4c89-ab18-cd58de1c8fab'>
<filesystem/ntfs/mft/filename hostname='MSEDGEWIN10' domain=None creation_time=2021-02-09 07:36:23.757454 last_modification_time=2021-02-09 07:36:23.757454 last_change_time=2021-02-09 07:36:23.757454 last_access_time=2021-02-09 07:36:23.757454 filename_index=1 segment=918 path='c:/Users/Default/Downloads/random_01.dll' owner='S-1-5-32-544' filesize=3.28 MB resident=False inuse=True ads=False volume_uuid='3fa6fe91-916a-4c89-ab18-cd58de1c8fab'>

You can filter the output of other functions like evtx as well. By combining multiple filters we can filter on remote interactive login events, namely EventID == 4624 and LogonType == "10". Then we format the data how we want and sort it to get a chronological overview of remote interactive logins!

$ target-query targets/MSEDGEWIN10.tar -f evtx | rdump -s 'r.EventID == 4624 and r.LogonType == "10"' -f '{ts} - {TargetUserSid} {TargetDomainName}\\{TargetUserName}' | sort
[...]
2021-06-02 - 13:37:26.628687 S-1-5-21-418967180-7773086473-4073416957-500 MSEDGEWIN10\\Administrator
[...]

It is possible to create even more elaborate filters using rdump. For a complete overview please refer to the rdump documentation.

target-fs

Hashing a file using target-fs

Hashing a file from a target using target-fs is pretty simple. All you have to do is supply the target, the cat sub-command and the path to the file within the target. The binary contents will now be printed to stdout. By piping it to sha256sum you can create a checksum for easy comparison or check it in your hash database of choice.

$ target-fs targets/MSEDGEWIN10.tar cat "C:\Windows\System32\Drivers\null.sys" | sha256sum
32c714dd5588e5cdacc6980044d2a66a28c42b0d5208ac2ffbac5d64be95568  -

target-reg

Listing subkeys of a specific registry key and outputing their contents using target-reg

Listing the available subkeys of a specific registry key pretty easy using target-reg. You can do so by following the example below.

$ target-reg targets/MSEDGEWIN10.tar -k "HKLM\\SYSTEM\\CURRENTCONTROLSET\\ENUM\\USB\\VID_0E0F&PID_0003&MI_00"
+ 'VID_0E0F&PID_0003&MI_00' (2020-12-09 12:06:15.867247+00:00)
  + '7&3ae26960&0&0000' (2022-08-17 10:56:49.798122+00:00)
      - 'DeviceDesc' '@input.inf,%hid.devicedesc%;USB Input Device'
      - 'LocationInformation' '000b.0000.0000.005.000.000.000.000.000'
      - 'Capabilities' 128
      - 'Address' 5
      - 'ContainerID' '{ee33e11a-3a16-11eb-bde6-806e6f6e6963}'
      - 'HardwareID' ['USB\\VID_0E0F&PID_0003&REV_0102&MI_00', 'USB\\VID_0E0F&PID_0003&MI_00']
      - 'CompatibleIDs' ['USB\\Class_03&SubClass_00&Prot_00', 'USB\\Class_03&SubClass_00', 'USB\\Class_03']
      - 'ClassGUID' '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'
      - 'Service' 'HidUsb'
      - 'Driver' '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\\0000'
      - 'Mfg' '@input.inf,%stdmfg%;(Standard system devices)'
      - 'ConfigFlags' 0
      - 'ParentIdPrefix' '8&367bfb7c&0'

Note that the + in the output above indicates a registry key and the - indicates a registry value.

Knowing this, we can output the contents of the key value ClassGUID, under the registry key 7&3ae26960&0&0000 to stdout by using the following command:

$ target-reg targets/MSEDGEWIN10.tar -k "HKLM\\SYSTEM\\CURRENTCONTROLSET\\ENUM\\USB\\VID_0E0F&PID_0003&MI_00\\7&3ae26960&0&0000" -kv "ClassGUID"
<RegfValue Driver='{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\\0000'>