1.08 - Initial Public Release

InvalidWaldo · InvalidWaldo · commit 4f0376d817af · 2021-06-28T10:52:30.000Z
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,5 @@
+FLAIR/
+Research/
+*.inf
+*.rpt
+~$*.*
diff --git a/FLAIR.cmd b/FLAIR.cmd
diff --git a/LICENSE b/LICENSE
diff --git a/MakeFlare.cmd b/MakeFlare.cmd
@@ -0,0 +1,48 @@
+@echo off
+REM 
+REM ## Filename    | MakeFlare
+REM 
+REM ## Author      | Alan Melia (F-Secure)
+REM 
+REM ## Description | Perform collection of transient data for later analysis
+REM 
+for /f "tokens=1-4" %%a in ( Versions.md ) do if "%%b" NEQ "|" SET V_BLD=%%b
+echo FLAIR_%V_BLD%
+
+ECHO .OPTION EXPLICIT ; Generate errors  >"FLAIR.ddf"
+ECHO .Set DiskLabel1="F-Secure FLAIR %V_BLD%" >>"FLAIR.ddf"
+ECHO .Set CabinetNameTemplate="FLAIR_%V_BLD%.cab" >>"FLAIR.ddf"
+ECHO .Set RptFileName="FLAIR_%V_BLD%.rpt" >>"FLAIR.ddf"
+ECHO .Set InfFileName="FLAIR_%V_BLD%.inf" >>"FLAIR.ddf"
+ECHO .Set CompressionType="LZX" >>"FLAIR.ddf"
+ECHO .Set UniqueFiles="ON" >>"FLAIR.ddf"
+ECHO .Set Cabinet="ON" >>"FLAIR.ddf"
+ECHO .Set CabinetFileCountThreshold=0 >>"FLAIR.ddf"
+ECHO .Set FolderFileCountThreshold=0 >>"FLAIR.ddf"
+ECHO .Set FolderSizeThreshold=0 >>"FLAIR.ddf"
+ECHO .Set MaxCabinetSize=0 >>"FLAIR.ddf"
+ECHO .Set MaxDiskFileCount=0 >>"FLAIR.ddf"
+ECHO .Set MaxDiskSize=CDROM >>"FLAIR.ddf"
+ECHO .set DestinationDir="FLAIR" >>"FLAIR.ddf" 
+ECHO .set DiskDirectoryTemplate="FLAIR" >>"FLAIR.ddf"
+ECHO .new Folder >>"FLAIR.ddf"
+ECHO ".\FLAIR.ddf" >>"FLAIR.ddf" 
+REM =====================================================================================
+ECHO ".\FLAIR.cmd" >>"FLAIR.ddf"
+ECHO ".\ReadMe.md" >>"FLAIR.ddf"
+REM =====================================================================================
+REM Now add the Utils subfolders
+REM =====================================================================================
+ECHO Adding "Utils"
+ECHO .set DestinationDir="FLAIR\Utils" >>"FLAIR.ddf" 
+ECHO .new Folder >>"FLAIR.ddf"
+for /f "delims=@" %%a in (' dir /a:-d /b ".\Utils\*.*"') do (
+	ECHO ".\Utils\%%a" >>"FLAIR.ddf"
+)
+REM =====================================================================================
+REM Make the CAB
+REM =====================================================================================
+makecab.exe /f "FLAIR.ddf"
+
+copy /b "%windir%\system32\extrac32.exe"+"FLAIR_%V_BLD%.cab" "FLAIR_%V_BLD%.exe"
+del /q /f "FLAIR_%V_BLD%.cab"
diff --git a/Readme.md b/Readme.md
@@ -0,0 +1,23 @@
+# F-Secure Lightweight Acquisition for Incident Response (FLAIR)
+
+This document describes the purpose and basic operation of the FLAIR acquisition script.
+
+## Purpose
+
+During the investigation of incidents on a client estate, there are occasions where there is no EDR deployed which the IR team can collect artefacts across the client estate. FLAIR was created to perform the semi-automated acquisition of several key artefacts from a host.
+FLAIR bridges the gap between the deep level of data available from a full forensic image of the host and the more targeted and interactive approach offered by EDR solutions.
+
+## Design
+
+FLAIR was created based on the following principles:
+
+* As far as practical, only use tooling native to Microsoft Windows systems. i.e. Only programs 'built-in' to the OS
+* No 3rd party programs. i.e. only Microsoft signed executables will reduce the impact on running the acquisition on sensitive client sites.
+* Batch file operation for maximum compatibility and minimum dependencies.
+* Windows XP is the minimum platform version to allow for collections to take place on systems which are out-of-support. (i.e. IoT/ICS envorinments)
+
+## Operation
+
+Execute the 'FLAIR.cmd' from either an external storage device (i.e. a USB drive) or a mapped network drive.
+
+Processing can take over 20 minutes to process and as a lot of files are created/examined the duration has been observed as taking over an hour especially when AV is active.
diff --git a/Utils/DiskShadow.txt b/Utils/DiskShadow.txt
@@ -0,0 +1,3 @@
+list shadows all
+list providers
+list writers detailed
diff --git a/Utils/EventLogs.txt b/Utils/EventLogs.txt
@@ -0,0 +1,16 @@
+System
+Application
+Security
+Powershell
+Windows Powershell
+Microsoft-Windows-PowerShell/Admin
+Microsoft-Windows-PowerShell/Operational
+Microsoft-Windows-Windows Defender/Operational
+Symantec Endpoint Protection Client
+Microsoft-Windows-RemoteApp and Desktop Connections/Operational
+Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
+Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
+Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
+Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+Microsoft-Windows-WMI-Activity/Operational
+MSExchange Management
diff --git a/Utils/Get_Files.txt b/Utils/Get_Files.txt
@@ -0,0 +1,51 @@
+Malware %SystemRoot%\Cursors\*.exe
+Malware %SystemRoot%\Cursors\*.dll
+WMI %SystemRoot%\system32\wbem\Repository\FS\OBJECTS.DATA
+WMI %SystemRoot%\system32\wbem\Repository\OBJECTS.DATA
+Defender %temp%\DiagOutputDir\MPSupportFiles.cab
+Defender %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
+MRT %systemroot%\debug\mrt.log
+MRT %systemroot%\debug\msert.log
+Avast C:\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log\*.*
+Avast %ProgramData%\Avast Software\Avast\Log\*.*
+Avast C:\users\%USERNAME%\Avast Software\Avast\Log\*.*
+Avast %ProgramData%\Avast Software\Avast\Chest\index.xml
+AVG %ProgramData%\AVG\Antivirus\chest\*.*
+AVG %ProgramData%\AVG\Antivirus\report\*.*
+Avira %ProgramData%\Avira\Antivirus\LOGFILES\*.*
+Bitdefender %ProgramData%\Bitdefender\Endpoint Security\Logs\*.*
+ESET C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\*.*
+ESET %ProgramData%\ESET\ESET NOD32 Antivirus\Logs\*.*
+F-Secure %ProgramData%\F-Secure\Log\*.*
+F-Secure C:\users\%USERNAME%\AppData\Local\F-Secure\Log\*.*
+F-Secure %ProgramData%\F-Secure\Antivirus\ScheduledScanReports\*.*
+HitmanPro %ProgramData%\HitmanPro\Logs\*.*
+HitmanPro %ProgramData%\HitmanPro.Alert\Logs\*.*
+HitmanPro %ProgramData%\HitmanPro.Alert\excalibur.db
+Kaspersky %SOYUZAPPDATA%\Quarantine\*.*
+Kaspersky %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Quarantine\*.*
+MalwareBytes %ProgramData%\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml
+MalwareBytes %ProgramData%\Malwarebytes\MBAMService\logs\mbamservice.log
+MalwareBytes C:\users\%USERNAME%\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs*.*
+McAfee C:\Users\All Users\Application Data\McAfee\DesktopProtection\*.*
+McAfee %ProgramData%\McAfee\DesktopProtection\*.*
+McAfee %ProgramData%\McAfee\Endpoint Security\Logs\*.*
+McAfee %ProgramData%\McAfee\Endpoint Security\Logs_Old\*.*
+McAfee %ProgramData%\Mcafee\VirusScan\*.*
+SentinelOne %ProgramData%\sentinel\logs\*.*
+Sophos C:\Documents and Settings\All Users\Application Data\Sophos\Sophos\Logs\*.*
+Sophos %ProgramData%\Sophos\Sophos\Logs\*.*
+Symantec C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\*.*
+Symantec %ProgramData%\Symantec\Symantec Endpoint Protection\Data\Logs\*.*
+Symantec C:\users\%USERNAME%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\*.*
+Symantec C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\*.*
+Symantec %ProgramData%\Symantec\Symantec Endpoint Protection\Data\Quarantine\*.*
+Trend %ProgramData%\Trend Micro\*.*
+Trend %ProgramFiles%\Trend Micro\Security Agent\Report\*.log
+Trend %ProgramFiles%\Trend Micro\Security Agent\ConnLog\*.log
+Trend %ProgramFiles%\Trend Micro\AMSP\report\*.log
+VIPRE %ProgramData%\VIPRE Business Agent\Logs\*.*
+VIPRE C:\users\%USERNAME%\AppData\Roaming\VIPRE Business\*.*
+VIPRE C:\users\%USERNAME%\AppData\Roaming\GFI Software\AntiMalware\Logs\*.*
+VIPRE C:\users\%USERNAME%\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\*.*
+Webroot %ProgramData%\WRData\WRLog.log
diff --git a/Utils/README.md b/Utils/README.md
@@ -0,0 +1,23 @@
+# Tools Used
+
+Below is a list of files that are used within FLAIR along with URL's where they can be obtained.
+
+To acommodate both x86 and x64 platforms, '64' is added to the x64 versions of the program to ensure that the correct version of the file is used on the target.
+
+| Filename        | Origin                                                                                             |
+|-----------------|----------------------------------------------------------------------------------------------------|
+| autorunsc.exe   | <https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns>                                 |
+| autorunsc64.exe |                                                                                                    |
+| handle.exe      | <https://docs.microsoft.com/en-us/sysinternals/downloads/handle>                                   |
+| handle64.exe    |                                                                                                    |
+| Listdlls.exe    | <https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls>                                 |
+| Listdlls64.exe  |                                                                                                    |
+| pipelist.exe    | <https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist>                                 |
+| pipelist64.exe  |                                                                                                    |
+| srvinfo.exe     | This tool is from the Microsoft Windows NT/Windows 2000 Resource Kit. This is no longer in print   |
+|                 |    or supported by Microsoft so please be extremly careful where you obtain a copy of this file.   |
+| tlist.exe       | <https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/tlist>                         |
+| tlist64.exe     |                                                                                                    |
+| LogParser.exe   | <https://www.microsoft.com/download/details.aspx?id=24659>                                         |
+|                 |   This is an x86 only program, old but it still works for the present.                             |
+|                 |   <https://docs.microsoft.com/en-us/iis/troubleshoot/performance-issues/troubleshooting-iis-performance-issues-or-application-errors-using-logparser> |
diff --git a/Utils/diskpart.txt b/Utils/diskpart.txt
@@ -0,0 +1,8 @@
+list disk
+select disk 0
+detail disk
+list volume
+list vdisk
+san
+exit
+
diff --git a/Versions.md b/Versions.md
@@ -0,0 +1,67 @@
+# Versions
+
+=====================================================================================
+
+## Filename     FLAIR
+
+## Author       Alan Melia (F-Secure)
+
+## Description  Perform collection of transient data for later analysis
+
+## Notes and Test Results
+
+Examples of the OS version as recovered from the VER command and stored in %V_OS%
+
+| V_OS | Short   | Full VER output                                  | Test Result                                     |
+|------|---------|--------------------------------------------------|-------------------------------------------------|
+| 40   | NT4     | Windows NT Version 4.0                           |                                                 |
+| 50   | 2K      | Microsoft Windows 2000 [Version 5.00.2195]       |                                                 |
+| 51   | XP      | Microsoft Windows XP [Version 5.1.2600]          |                                                 |
+| 52   | 2003    | Microsoft Windows [Version 5.2.3790]             |                                                 |
+| 60   | Vista   | Microsoft Windows [Version 6.0.6002]             |                                                 |
+| 60   | 2008    | Microsoft Windows [Version 6.0.6002]             |                                                 |
+| 61   | Win7    | Microsoft Windows [Version 6.1.7601]             |                                                 |
+| 62   | Win8    | Microsoft Windows [Version 6.2.9200]             |                                                 |
+| 63   | 2012 R2 | Microsoft Windows [Version 6.3.9600]             |                                                 |
+| 100  | 2016    | Microsoft Windows [Version 10.0.14393]           |                                                 |
+| 100  | Win10   | Microsoft Windows [Version 10.0.18363.1621] etc  |                                                 |
+| 100  | 2019    | Microsoft Windows [Version 10.0.17763.1457] etc  |                                                 |
+| 100  | 2004    | Microsoft Windows [Version 10.0.19041.685] etc   |                                                 |
+
+## History
+
+| Ver  | Date       | Name    | Reason                                                                                |
+|------|------------|---------|---------------------------------------------------------------------------------------|
+| 1.00 | 2021/03/15 | A.Melia | Initial version Derived from previous work and targeted for ProxyLogon investigations |
+|      |            |         | Moved Windows Defender collection to System                                           |
+|      |            |         | Added ProxyLogon .aspx capture                                                        |
+| 1.01 | 2021/03/15 | A.Melia | Reduced the collection load for ProxyLogon Triage                                     |
+|      |            |         | Limited the number of event logs collected by using EventLogs.txt                     |
+|      |            |         | Collecting key AV logs                                                                |
+|      |            |         | Collecting key mrt.log and msert.log                                                  |
+| 1.02 | 2021/03/22 | A.Melia | Changed 'Hafnium' for 'ProxyLogon'                                                    |
+|      |            |         | Added collection of details from "Temporary ASP.Net Files"                            |
+|      |            |         | Changed LogParser command to ensure output strings are always "quoted"                |
+|      |            |         | Added conditional checks for being run on Exchange Server                             |
+| 1.03 | 2021/03/22 | A.Melia | Added locale independant capture of TimeZone information                              |
+|      |            |         | Added supp0rt.aspx collection for ProxyLogon to Get_Files                             |
+|      |            |         | Added -t to Autoruns to avoid local timezone issues                                   |
+|      |            |         | Fixed an issue with parsing the ExchangePath                                          |
+|      |            |         | Relocated file collection to allow for ExchangePath use                               |
+|      |            |         | Added files identified from Microsoft's latest list to the collection                 |
+| 1.04 | 2021/03/22 | A.Melia | Added check for "Download failed and temporary file" in Exchange logs                 |
+|      |            |         | Collect data from all 'temp' folders inside ExchangePath                             |
+|      | 2021/03/30 | A.Melia | Changed syntax for 'pnputil' so it works on 2012 and later                            |
+|      |            |         | Made sure that Environment variables are properly quoted in CSV                       |
+|      |            |         | Added a collection log entry for all event logs                                       |
+|      |            |         | Changed the make process to create a Relay friendly named file                        |
+|      |            |         | Fixed typo in event log collection                                                    |
+|      |            |         | Changed absolute to relative references for config files to avoid folder issues       |
+|      |            |         | Added additional info to aid debugging                                                |
+|      |            |         | Simplified log to only show collected files                                           |
+|      |            |         | Updated IoC_Files from TI                                                             |
+| 1.05 | 2021/04/15 | A.Melia | Consolidated the collection using 'Get_Files' and 'IoC_Files' into a single file      |
+| 1.06 | 2021/06/11 | A.Melia | Removed removed general "Proxylogon" aspx file grab                                   |
+| 1.07 | 2021/06/22 | A.Melia | Revised OS version check logic                                                        |
+|      |            |         | Added cab filename to closing window title                                            |
+| 1.08 | 2021/06/24 | A.Melia | Added "System: Certificate data" based on conversation with Johann                    |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +FLAIR/
 +Research/
 +*.inf
 +*.rpt
 +~$*.*
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+list shadows all`
	`2`	`+list providers`
	`3`	`+list writers detailed`