Windows.Applications.SBECmd

Execute Eric Zimmerman’s SBECmd and return output for analysis.

SBECmd is a CLI for analyzing shellbags data.

Objective:

  • Find which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed.

Interpretation:

  • Stores information about which folders were most recently browsed by the user.

NOTE: Velociraptor can now parse Shellbags natively with the Windows.Forensics.Shellbags artifact.

MITRE ATT&CK ID: TA0009 - Collection


name: Windows.Applications.SBECmd
description: |
    Execute Eric Zimmerman's SBECmd and return output for analysis.

    SBECmd is a CLI for analyzing shellbags data.

    Objective:

    - Find which folders were accessed on the local machine, the
      network, and/or removable devices. Evidence of previously
      existing folders after deletion/overwrite. When certain folders
      were accessed.

    Interpretation:

    - Stores information about which folders were most recently
      browsed by the user.

    NOTE: Velociraptor can now parse Shellbags natively with the
    Windows.Forensics.Shellbags artifact.

    MITRE ATT&CK ID: TA0009 - Collection

author: Eduardo Mattos - @eduardfir

reference:
  - https://github.com/EricZimmerman

type: CLIENT

tools:
  - name: SBECmd
    url: https://github.com/Velocidex/Tools/raw/main/SBECmd/ShellBagsExplorer/SBECmd.exe

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: userRegex
    default: .
    type: regex

  - name: UploadFiles
    description: "Select to Upload SBECmd Output files."
    type: bool

  - name: RemovePayload
    description: "Select to Remove Payload after execution."
    type: bool


sources:
  - query: |
      -- get context on target binary
      LET payload <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
                    ToolName="SBECmd", IsExecutable=TRUE)

      -- build tempfolder for output
      LET tempfolder <= tempdir(remove_last=TRUE)

      -- get users with profiles
      LET UserProfiles = SELECT
         Uid, Name,
         expand(path=Directory) AS HomeDirectory, UUID, Mtime
      FROM Artifact.Windows.Sys.Users()
      WHERE Name =~ userRegex and HomeDirectory =~ "Users"

      -- execute payload
      LET deploy <= SELECT * FROM foreach(row=UserProfiles,
                    query={
                        SELECT *, Name
                        FROM execve(argv=[
                            payload.OSPath[0],
                            "-d", HomeDirectory,
                            "--csv", tempfolder + "\\" + Name,
                            "--dedupe"])
                    })

      -- parse csvs
      SELECT * FROM foreach(row=deploy,
      query={
        SELECT *, Name as UserName
        FROM parse_csv(filename=tempfolder + "\\" + Name + "\\Deduplicated.csv")
      })

  - name: Uploads
    query: |
      SELECT * FROM chain(
      a={
         SELECT * FROM if(
           condition=UploadFiles,
           then={
             SELECT Name, upload(file=OSPath,
                                 name=relpath(base=tempfile, path=OSPath)) as FileDetails
             FROM glob(globs="/**", root=tempfolder)
           })
      },
      b={
         SELECT * FROM if(
           condition=RemovePayload,
           then={
             SELECT * FROM execve(argv=['powershell','Remove-Item',
                                             payload.OSPath[0],'-Force' ])
           })
      })
      WHERE Stdout =~ "SBECmd"