Windows.Applications.GoodSync :: Velociraptor

Windows.Applications.GoodSync

This artefact can be used to retrieve and parse some GoodSync file in order to

identify configured Good Sync account;
identify data and time of transfered files.

This artifact have been created to identify potential exfiltrated files using GoodSync tool. You can read more about it on https://www.synacktiv.com/publications/legitimate-exfiltration-tools-summary-and-detection-for-incident-response-and-threat


name: Windows.Applications.GoodSync
author: Nathanaël Ndong, Synacktiv
description: |
   This artefact can be used to retrieve and parse some GoodSync file in order to
   - identify configured Good Sync account;
   - identify data and time of transfered files.
   
   This artifact have been created to identify potential exfiltrated files using GoodSync tool.
   You can read more about it on https://www.synacktiv.com/publications/legitimate-exfiltration-tools-summary-and-detection-for-incident-response-and-threat

type: CLIENT
parameters:
    - name: FileGlob
      default: C:\Users\*\AppData\Local\GoodSync\GoodSync-*

sources:
    - name: sync files
      query: |

        -- Grabs file path of provided file glob
        LET InputLogPath <= SELECT FullPath 
        FROM glob(globs=FileGlob)

        -- Parses file against regex
        LET parse_log <= SELECT
            parse_string_with_regex(
                string=Line,
                regex= '''^(?P<Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s''' + 
                       '''#\d+\s'''+
                       '''(?P<Message>.+?)$''')
                       as Record
                       FROM parse_lines(filename=InputLogPath.FullPath)
                    
        --SELECT * FROM parse_log WHERE Record.Message =~ "Copy New"
        -- Prints matching data where there is an entry in Record.Message  
        LET extract_files(message) =
        parse_string_with_regex(string=message,
            regex=
            '''^(?P<Protocol>\[.+?\])\s''' +
            '''.?''' +
            '''\s?(?P<Operation>Copy\sNew)\s''' +
            '''\'(?P<Source>.+?)\'\s''' +
            '''.+?\s''' +
            '''\'(?P<Destination>.+?)\'\s''' +
            '''\((?P<Byte>.+?)\)'''
            )
        SELECT Record.Date as Date, 
            extract_files(message=Record.Message).Protocol AS Protocol,
            extract_files(message=Record.Message).Operation AS Operation,
            extract_files(message=Record.Message).Source AS Source,
            extract_files(message=Record.Message).Destination AS Destination,
            extract_files(message=Record.Message).Size AS Size
        FROM parse_log
        WHERE Record.Message =~ "Copy New"
 
    - name: good_sync_account
      query: |
      
        LET InputLogPath <= SELECT FullPath 
        FROM glob(globs=FileGlob)

        LET parse_log <= SELECT
            parse_string_with_regex(
                string=Line,
                regex= '''^(?P<Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s''' + 
                       '''#\d+\s'''+
                       '''(?P<Message>.+?)$''')
                       as Record
                       FROM parse_lines(filename=InputLogPath.FullPath)
    
        LET extract_user(message)= parse_string_with_regex(string=message,
            regex='''.+?\s.+?\s.+?\s''' +
            '''UserId=''' +
            '''(?P<UserId>.+?)\s''' +
            '''m_bLicActive=''' +
            '''(?P<Nb_licence>.+?)\s''' +
            '''.+?''' +
            '''(?P<Date_expiration>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s'''+
            '''.+?\s.+?\s.+?''' +
            '''(?P<Date_creation>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s'''
        )   

        --SELECT * FROM parse_log WHERE Record.Message =~ "CheckLicenseViaGsAccount:"  
        SELECT Record.Date as Date,
            extract_user(message=Record.Message).UserId AS GoodSync_Account,
            extract_user(message=Record.Message).Nb_licence AS Active_Licence,
            extract_user(message=Record.Message).Date_expiration AS Licence_Expiration,
            extract_user(message=Record.Message).Date_creation AS Account_Creation
        FROM parse_log
        WHERE Record.Message =~ "CheckLicenseViaGsAccount:"