27 06 2014
Parsing Landesk Registry Entries FTW
I was on a case the other day and I could see the malware dropped, At jobs created (typical), then I went to work on parsing the job files and noticed two of them were pointing to what appeared to be gsec dumper tools dropped into System32. I went back into the MFT and couldn’t find anything. The compromise happened March 2013, so there were no A/V/Application logs (assumed maybe A/V deleted them), nothing in the MFT, etc. BUT…. when I searched for the exe names in the MFT I got some hits. I got hits because I wrapped in the SOFTWARE hive and LANDESK (www.landesk.com) happen to be installed on the system. Before this I had never heard of LANDESK so I did a quick Google. It sounded Interesting.
Then I started digging into the entries in the registry. Here is a quick run down on some of them. I only had two registry hives to play with so consider this a WIP still. I’ll update here if anything changes. I need to get a trial downloaded.
Here is a rough break down of the entries (I noticed there were some options for custom entries – so this can change from system to system.):
amtmon (Hostname and IP Address values). This was only on one of the two hives I looked at so I am not sure if this is optional or what.
I don’t know what the exact requirements, or conditions that need to be met in order for software to get added to this list. Again, i’ve only seen this tool once. There were what appeared to be over 100+ entries though.
In either case, you can see the path to the software.
Key Value (C:/Windows/System32/gsec.exe) = Last Write Time
Last Started (Time value): Last time the program was executed.
First Started (Time value): I’m guessing first time it was seen.
Total Runs (Number): Number of times the application has been run.
Current User (Username): The user account used to execute the software/malware.
Total Duration (Number): Total time application has been run is what it appears to be.
Last Duration (Number): Time elapsed when the application last ran.
User Logons (Username/Time). You can see the value names are actually times. Then the values contain the username of the person that logged in. Where you see groups that also contains what appear to be all of the groups they belong to.
I am still exploring this set of artifacts, but they seem promising. It’s almost like a prefetch file in the registry. I need to get a trial downloaded and Windows Server 2008 R2 installed for more testing.
If you have registry hives or knowledge about this software let me know so I can continue to expand on this here. You can reach me at patrick[dot]olsen[at]sysforensics.org or on Twitter: [at]patrickrolsen.
In the meantime I wrote a python tool for parsing these entries. You can download it here: https://github.com/sysforensics/Landesk-Registry-Entry-Parser It’s a work-in-progress, but functions well enough for you to do some testing. please provide feedback and errors.