Script to parse first load time for Shell Extensions loaded by user. Also enumerates all loaded Shell Extensions that are only installed for the Current User.
Python
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
LocalShellExtParse.py
README.md

README.md

LocalShellExtParse

LocalShellExtParse is an "offline" forensics script that will generating a “first loaded” timeline for Shell Extensions and identifying Shell Extensions that are only installed for the current user. This is a useful way to identify malware that is using a Shell Extension as a persistence mechanism.

More information can be found in this blog post: http://herrcore.blogspot.com/2015/06/malware-persistence-with.html

NOTE: Regripper has been updated to detect this persistence mechanism. Full details are here: http://windowsir.blogspot.ca/2015/06/links.html.

Dependencies

The script requires you to have installed Hivex with the the Python bindings (https://github.com/libguestfs/hivex). Hivex is part of the libguestfs suite of tools.

Installation for Linux can be found here: http://libguestfs.org/

If you are using OSX you can use the brew tap here: https://github.com/anarchivist/homebrew-forensics

Data Collection

The script parses entries from the NTUSER.DAT and UsrClass.DAT files. To use the tool you will first need to collect the files from the host that you want to analyze. I prefer FTK Imager (http://accessdata.com/product-download) but any tool that allows you to carve system files will work.

Everyone knows that NTUSER.DAT is located in %userprofile% but UsrClass.DAT may be less well understood. When viewing a live registry under HKEY_CURRENT_USER\Software\ there is a key called “CLSID” that shows all the CLSIDs for the current user. The data for this key is not stored in NTUSER.DAT it’s actually stored in the UsrClass.DAT file located in; %userprofile%\AppData\Local\\Microsoft\Windows\UsrClass.dat

Data Parsing

Once the files have been collected the can be parsed by LocalShellExtParse.py to produce;

  • a timeline of the first time each Shell Extension has been loaded by the user
  • a list of all Shell Extensions that have been loaded by the user and are only installed for that user.

Using The Script

By default the script will attempt to parse out both the first load timeline and the Current User Shell Extensions. If run in this mode both the UsrClass.dat and NTUSER.DAT files must be passed as arguments.

python LocalShellExtParse.py --ntuser NTUSER.DAT --usrclass UsrClass.dat

The script also supports a --cached option that only parses the Shell Extensions' first load times. If run in this mode only the NTUSER.DAT file needs to be supplied.

python LocalShellExtParse.py --cached --ntuser NTUSER.DAT