All your folders belong to us / with a little help from my friends
It has been a long time since I last wrote in english on this blog. The main reason is that I think there are not enough french ressources on Internet regarding APT, malware, incident response, and cybercrime, which are my favorite topics, as you might already know.
I therefore decided to publish in english language only when I thought the post was worth being shared widely.
But let's get right to the point of this post. Working on quite a number of APT cases recently, I noticed that the attackers often dump huge folders to a text file.
From the attacker point of view, it is just executing the "dir /s" command in a cmd shell, which lists folders recursively. The attacker usually redirects the output of the command to a file, doing it this way:
dir /s > 1.txt
The file is stored temporarily until the attacker decides to collect it, and deleted afterwards. The attacker may also not care (or forget) about it and leave it on the file system.
Forensically speaking, the deletion of this file is not a problem, as long as it is not rewritten, it can always be found.
From a detection point of view, it is very interesting to try to find these "folder dumps" on systems, as a possible indicator of compromise.
One has to be careful (as usual in incident response) to check that no legitimate user has generated this dump.
Now, one problem is left to detect these files: the operating system language. If you do incident response only in one country, no problem: usually you only need to check for dump files in your language, and in english (some users, no matter in which country they live, do always use english). Now if you do international incident response, you need to detect more languages.
I created a YARA rule and an IOC rule to detect these dump files in english, french, and german (Hello and thanks to my friend Axel who provided me with german dumps).
These rules should work on english,french,german Windows2000,ME,NT,Server,XP,7,8 systems. I did not check dumps for older systems.
comment="a YARA rule to detect dump files created by APT attackers"
$eng1="Volume in drive" wide ascii nocase
$eng2="Volume serial number" wide ascii nocase
$eng3="Directory of" wide ascii nocase
$eng4="<DIR>" wide ascii nocase
$eng5="File" wide ascii nocase
$fr1="Le volume dans le lecteur" wide ascii nocase
$fr2="du volume est" wide ascii nocase
$fr3="pertoire de" wide ascii nocase
$fr4="<REP>" wide ascii nocase
$fr5="fichier" wide ascii nocase
$de1="Volumeseriennummer" wide ascii nocase
$de2="<DIR>" wide ascii nocase
$de3="verzeichnis von" wide ascii nocase
$de4="Datei" wide ascii nocase
(all of ($eng*)) or (all of ($fr*)) or (all of ($de*))
And here is a link to my IOC file.
And with a little help from my friends, I might be able to update these files with other languages. Please feel free to send me "dir /s" dumps in other languages, I'd gladly integrate it into these detection rules.