-
Notifications
You must be signed in to change notification settings - Fork 269
SRUM Analysis
The information listed below is the result of a research project about the inner workings of SRUM, presented at the SANS DFIR Summit Europe 2023 on October 1, 2023. A WithSecure Labs article will soon be published containing more information about it. The research was conducted by members of the incident response team at WithSecure: Catarina de Faria Cristas, Lucas Echard and Diego Fuschini.
In recent versions of Windows, SRUM no longer uses the registry to store temporarily database records. Nowadays, SRUM relies on 2 types of storage:
- A Tier1 store, which is in memory and is updated every Tier1Period (60 seconds by default) with the data from the SRUM extensions.
- A Tier2 store, which is the SRUM database on disk and is updated every Tier2Period (1 hour by default) with the content of the Tier1 store.
The retention period in the SRUM database is 60 days by default. It becomes 5 years for long term tables, i.e., tables ending with "}LT".
The SRUM parser will output a table (c.f. Chainsaw's output below) containing details about the database, including:
- the DLL associated with each SRUM extension,
- the timeframe of the data for each table,
- and the expected retention time.
$ ./chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat -o ./output.json
██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗
██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║
██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝
╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝
By WithSecure Countercept (@FranticTyping, @AlexKornitzer)
[+] ESE database file loaded from "/home/user/Documents/SRUDB.dat"
[+] Parsing the ESE database...
[+] SOFTWARE hive loaded from "/home/user/Documents/SOFTWARE"
[+] Parsing the SOFTWARE registry hive...
[+] Analysing the SRUM database...
[+] Details about the tables related to the SRUM extensions:
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| Table GUID | Table Name | DLL Path | Timeframe of the data | Expected Retention Time |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {5C8CF1C7-7257-4F13-B223-970EF5939312} | App Timeline Provider | %SystemRoot%\System32\eeprov.dll | 2022-03-10 16:34:59 UTC | 7 days |
| | | | 2022-03-10 21:10:00 UTC | |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4} | Tagged Energy Provider | %SystemRoot%\System32\eeprov.dll | No records | 3 days |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} | WPN SRUM Provider | %SystemRoot%\System32\wpnsruprov.dll | 2022-03-10 20:09:00 UTC | 60 days |
| | | | 2022-03-10 21:09:00 UTC | |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} | Application Resource Usage Provider | %SystemRoot%\System32\appsruprov.dll | 2022-03-10 16:34:59 UTC | 60 days |
| | | | 2022-03-10 21:10:00 UTC | |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} | Energy Usage Provider | %SystemRoot%\System32\energyprov.dll | No records | 60 days |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT | Energy Usage Provider (Long Term) | %SystemRoot%\System32\energyprov.dll | No records | 1820 days |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {973F5D5C-1D90-4944-BE8E-24B94231A174} | Windows Network Data Usage Monitor | %SystemRoot%\System32\nduprov.dll | 2022-03-10 16:34:59 UTC | 60 days |
| | | | 2022-03-10 21:10:00 UTC | |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F} | vfuprov | %SystemRoot%\System32\vfuprov.dll | 2022-03-10 20:09:00 UTC | 60 days |
| | | | 2022-03-10 21:10:00 UTC | |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477} | Energy Estimation Provider | %SystemRoot%\System32\eeprov.dll | No records | 7 days |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
| {DD6636C4-8929-4683-974E-22C046A43763} | Windows Network Connectivity Usage Monitor | %SystemRoot%\System32\ncuprov.dll | 2022-03-10 16:34:59 UTC | 60 days |
| | | | 2022-03-10 21:10:00 UTC | |
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
[+] SRUM database parsed successfully
[+] Saving output to "/home/user/Documents/output.json"
[+] Saved output to "/home/user/Documents/output.json"
During the research, the following DLLs were investigated and the findings are mentioned below.
- This DLL populates the Network Data Usage Provider table in the SRUM database.
- As a forensic artefact, the information in that table can be used to prove data exfiltration.
- There is continuous monitoring of the network traffic because of the Ndu.sys driver, which relies on the Windows Filtering Platform (WFP). No exceptions were found so if network traffic was generated on a host, it will appear in the Network Data Usage Provider table.
- The bytes in/out available in the table include the size of the frames (from the layer 2 of the OSI model).
- If the network traffic goes through a VPN, then all the bytes in/out will be associated with the VPN process/service.
-
This DLL populates the tables Tagged Energy Provider, Energy Estimation Provider and App Timeline Provider. During the research, we focused on the App Timeline Provider because it can be used to prove execution.
-
App Timeline Provider
- As a forensic artefact, the information in the App Timeline Provider table can be used to prove execution.
- The data in the table is the result of a query to the Windows energy tracker, using the syscall NtPowerInformation(EnergyTrackerQuery, ...), every Tier1Period.
- A process appears in the table if it is running when the Tier1 store is updated.
- The retention period in the SRUM database for that provider is usually 7 days.
- Why Chainsaw?
- How Does Chainsaw Work?
- Sigma Rule Support
- Supporting Additional Rules