Wednesday, October 8, 2014

Track Down Malicious Executables Using SCCM 2007

I have been chasing down some malicious code and found a very useful SCCM 2007 table.

-- Filename to hunt for; varchar(20) would silently truncate longer names
-- (and return no rows), so use a width that fits any executable name.
declare @filename varchar(255)
set @filename = 'wiupdat.exe'

select 
sys.Name0 [Resource Name],
sys.AD_Site_Name0 [Resource Site Name],
sys.Operating_System_Name_and0 [Resource OS],
sys.Resource_Domain_OR_Workgr0 [Resource Domain],
sys.User_Name0 as [Resource Username],
app.LastUserName0 [App Username],
app.LastUsedTime0 [App Last Used Time],
app.TimeStamp [App Database Timestamp],
app.ExplorerFileName0 [App FileName],
app.OriginalFileName0 [App Original FileName],
app.CompanyName0 [App Company Name],
app.FileDescription0 [App FileDescription],
app.FileVersion0 [App File Version],
app.FolderPath0 [App Execution Path],
app.FilePropertiesHash0 [App Hash],
app.SoftwarePropertiesHash0 [App Software Properties Hash],
app.FileSize0 [App FileSize],
app.LaunchCount0 [App Launch Count],
app.ProductLanguage0 [App Product Language Code]
-- Recently used applications inventory, joined to the system record
-- of the machine that ran each file.
from v_GS_CCM_RECENTLY_USED_APPS app
left join v_R_System sys on sys.ResourceID = app.ResourceID
-- Match on the name as seen on disk or on the name in the PE version info,
-- since malware is often renamed but keeps its original file name.
where app.ExplorerFileName0 = @filename
or app.OriginalFileName0 = @filename
order by app.TimeStamp

I've been using the SCCM report "Software 07C - Recently used executables on a specific computer" to pull a list of recently run executables on a known infected workstation. Make sure to display all executables by choosing 'N'. Then look for the offending executable. Plug that executable name into the SQL query, or build a report with a Prompt name of 'filename' and remove the top two lines (the declare and set) in the SQL shown above.

A problem I see is that the Hash function used in SCCM 2007 does not seem to be MD5 or SHA1.  It is still useful assuming it creates a unique signature but we cannot use that information to find out information from https://www.virustotal.com
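As an added example (not from the original post), two follow-up queries against the same views: the first lists every distinct hash and execution path recorded for the suspect filename with the number of machines that ran it, so a copy whose hash differs from the rest of the fleet stands out; the second pivots on that hash to find every machine that ran the same binary under any name, which is where the SCCM-specific hash is still useful even though it cannot be looked up externally. View and column names are those used in the query above; @badhash is a placeholder to fill in from the first result set.

```sql
-- Step 1: which hashes and paths have been seen for this filename,
-- and on how many machines? A hash seen on one or two machines, or
-- running from a user-writable path, is the one to look at first.
declare @filename varchar(255)
set @filename = 'wiupdat.exe'   -- suspect name from the post

select
app.FilePropertiesHash0 [App Hash],
app.FolderPath0 [App Execution Path],
app.CompanyName0 [App Company Name],
app.FileVersion0 [App File Version],
count(distinct app.ResourceID) [Machine Count],
min(app.LastUsedTime0) [First Seen],
max(app.LastUsedTime0) [Last Seen]
from v_GS_CCM_RECENTLY_USED_APPS app
where app.ExplorerFileName0 = @filename
or app.OriginalFileName0 = @filename
group by app.FilePropertiesHash0, app.FolderPath0,
         app.CompanyName0, app.FileVersion0
order by [Machine Count] asc, [First Seen] asc

-- Step 2: scope the incident by hash rather than by name, so renamed
-- copies of the same binary are found too.
declare @badhash varchar(255)
set @badhash = '<App Hash value taken from step 1>'   -- placeholder

select
sys.Name0 [Resource Name],
sys.AD_Site_Name0 [Resource Site Name],
app.LastUserName0 [App Username],
app.ExplorerFileName0 [App FileName],
app.OriginalFileName0 [App Original FileName],
app.FolderPath0 [App Execution Path],
app.LastUsedTime0 [App Last Used Time],
app.LaunchCount0 [App Launch Count]
from v_GS_CCM_RECENTLY_USED_APPS app
left join v_R_System sys on sys.ResourceID = app.ResourceID
where app.FilePropertiesHash0 = @badhash
order by app.LastUsedTime0 desc
```

Step 1 works as a standalone report with a Prompt named 'filename' in the same way as the original query; step 2 can be given its own Prompt named 'badhash'.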