Why Local Deduplication Is the Key to Faster Restores

Tips From the Trenches: Hunting Endpoint Threats at Scale

A big part of “walking the talk” about proactive data security here at Code42 is our “Red Team vs. Blue Team” internal simulations. Today, I’d like to share a few ways I’ve used the Code42 Forensic File Search API to give me completely new threat-hunting capabilities during these exercises.

Endpoint devices are still one of the big blind spots for the modern threat hunter. It’s often nearly impossible to search files on endpoints that are offline or were reimaged due to an incident. This is one reason I’m so excited about the Code42 Forensic File Search API: it doesn’t suffer from this limitation; it truly sees every version of every file on all endpoints, whether online or offline. And since we use our backup product, we also have every file that ever existed.

“ Leveraging Code42 Forensic File Search, I’m able to identify potentially unwanted applications that have slipped past antivirus and other traditional security tools. ”

Locating EXE files in download directories

Leveraging Code42 Forensic File Search, I’m able to identify potentially unwanted applications that have slipped past antivirus and other traditional security tools. To find these previously undetected threats, I’m forwarding output from the Code42 Forensic File Search API (hashes) to the VirusTotal Mass API for further enrichment. Here are some of the high-value searches I’ve used within Code42 Forensic File Search, along with the corresponding JSON files for reproducing the searches in your environment:

  • Search all macro-enabled Word documents
  • Search all DLL files in download directories
  • Search all Dylib files
  • Search all DMG files in download directories

Parameters for customizing FFS search results

Once you have your raw JSON results, here are a few parameters I’ve found useful in customizing Code42 Forensic File Search queries:

  • fileName:The fileName parameter can take a wildcard with a file extension at the end to list all DLL files in this example:   {“operator”:”IS”,”term”:”fileName”,”value”:”*.dll”},
  • filePath:Another useful parameter for searches is the filePath parameter, especially when you are searching for filetypes typically found in specific locations. The example below captures the Windows download directory of all users, as well as all paths below the downloads directory — hence the two wildcards: {“operator”:”IS”,”term”:”filePath”,”value”:”c:/users//Downloads/“}

Hash-check best practice

After you have configured your JSON file, the Code42 Forensic File Search search results should look something like this: 

Python ./ffs_search.py –username –search_type raw –in_file ./hunt.json –out_filter md5 | awk ‘!seen[$0]++’ | tr -d ‘”, []’ | sed ‘/^\s*$/d’

With an output that appears below:

Code42 Security Tips from Trenches Hash-check

Piping the results to awk and tr simply removes duplicate MD5 hashes and cleans up the JSON output, so you avoid the cost of submitting the same MD5 hash to a service like VirusTotal multiple times. Once we have the hashed file results, we can search those hashes across any threat intel or data enrichment tool.

One quick note: The public VirusTotal API key is rate-limited to four queries a minute. I would recommend using a private API key, since searching across hundreds of unique hashes can take quite a long time.

Code42 Security Tips from Trenches Hash-check 2

In our case, we leveraged Virustotal-api-hashcheck to give us a user-friendly view of the hashes we’re seeking. There are many VirusTotal API tools on GitHub and you can use whichever one suits your use case.

Finding malicious files—examining your exposure

In my example, while searching for Excel documents, we uncovered one malicious result that ties back to a document lure that contained a zero-day exploit being used in a targeted attack as discovered by icebrg. You can read more about the specifics of the file on their website.

Code42 Security Tips from the Trenches Hash Analysis 3

I then took the VirusTotal results and searched back in FFS to determine the extent of our exposure. Fortunately, the malicious file was only on two researchers’ systems, and we confirmed that they had been using the file for analysis and demonstration purposes.

Code42 Security Tips from Trenches Forensic File Search

Leveraging Code42 Backup + Restore for file analysis

I’ve also leveraged Code42 to recover unknown files for automated (sandbox) or manual analysis. In the previous example, there was one Excel document that VirusTotal didn’t recognize:

Code42 Security Tips from Trenches Backup Restore

Instead of uploading a potentially sensitive file to VirusTotal, I can do initial triage and analysis by recovering the file with the Code42 application and uploading it to my sandbox analysis tool. Below is a screenshot of the XLSM file running in a sandbox:

Code42 Security Tips from Trenches Virus Total

After doing initial triage and analysis, the file looks safe and not sensitive. At this point, the file could be uploaded to VirusTotal or kept private.

I hope this article has given you a few ideas of how you can use the Code42 Forensic File Search tool to gain powerful new threat-hunting capabilities in defending your organization. Since I first began using the tool, I’ve continually discovered new ways to gain greater visibility in detecting threats. I hope you’re as excited as I am about the current and future ways that security teams can leverage Code42 Forensic File Search internally to enhance security at scale.

Happy threat hunting!

Facebook Twitter Google LinkedIn YouTube