A colleague from our German office got in touch with me for help with interpreting the hexadecimal output data of the UserAssist Nessus plugin.
That was an interesting request: I did not know Nessus came with such a plugin, although I’m very familiar with the UserAssist registry keys.
The UserAssist registry keys record the execution of Windows programs through Windows Explorer. For example, when you launch notepad via the Start menu, data is written to a registry value specific to notepad. Maybe you’re not familiar with the name UserAssist, but it’s likely that you’ve heard about this artefact: these are the ROT13-encoded registry values.
For example, you might have a UserAssist registry value with the name “P:\Clguba27\clguba.rkr”. This is “C:\Python27\python.exe” ROT13-encoded. That registry value contains binary data, and one of the fields in this binary data is the timestamp of the last execution of the python.exe program.
The output of the Nessus UserAssist plugin is CSV data: the value name and the value content (hexadecimal). Like this:
The Nessus plugin will do the ROT13 decoding of the registry value name (P:\Clguba27\clguba.rkr -> C:\Python27\python.exe), but it will not parse the binary data.
That’s where I was able to help:
- The binary data is 72 bytes long (144 hexadecimal digits).
- At position 61 (counting from 1), there is a little-endian 64-bit integer: the UTC timestamp of the last execution of the program (python.exe in our example) through Windows Explorer.
- That 64-bit integer is a FILETIME structure.
In our example, inside binary data 3100000000…, 109f2af79b4ed501 is the timestamp. A tool like format-bytes.py can help with the decoding, like this:
Explanation of the command used to extract the timestamp:
- Format specifier (cf. the Python struct module) <60sQ means: little-endian (<), a 60-byte string (60s), followed by a 64-bit unsigned integer (Q).
- Output specifier sT means: the first field (60s) is represented as a string (s), and the second field (Q) is represented as a FILETIME structure (T).
The decoded timestamp is field 2: 2019/08/09 10:19:45…
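The same decoding in plain Python, as an added example that is not part of the original post and not the Nessus plugin’s or format-bytes.py’s code: it applies the <60sQ layout described above to a 72-byte value and converts the FILETIME to a UTC datetime. The 72-byte sample blob and the one-line CSV (no header assumed) are constructed for this example; the page only shows the leading bytes and the timestamp bytes 109f2af79b4ed501.

```python
import codecs
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USERASSIST_VALUE_SIZE = 72   # bytes, i.e. 144 hexadecimal digits
FILETIME_OFFSET = 60         # 0-based offset; position 61 when counting from 1


def decode_userassist_name(name):
    """ROT13-decode a raw UserAssist value name (the step the Nessus plugin already performs)."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME integer to a timezone-aware UTC datetime (100 ns -> microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_timestamp(hexdata):
    """Extract the last-execution timestamp from the hex-encoded 72-byte value data.

    Mirrors the format-bytes.py specifier '<60sQ': a 60-byte prefix, then a little-endian
    unsigned 64-bit integer (the FILETIME). The 4 trailing bytes are not interpreted here.
    """
    data = bytes.fromhex(hexdata)
    if len(data) != USERASSIST_VALUE_SIZE:
        raise ValueError(f"expected {USERASSIST_VALUE_SIZE} bytes, got {len(data)}")
    _prefix, filetime = struct.unpack_from("<60sQ", data, 0)
    return filetime_to_datetime(filetime)


def parse_nessus_csv(text):
    """Parse 'name,hexdata' CSV lines (assumed layout) into (name, UTC timestamp) pairs."""
    return [(name, parse_userassist_timestamp(hexdata))
            for name, hexdata in csv.reader(io.StringIO(text))]


# Constructed sample: leading bytes 31 00 00 00 00 ... as on the page, zero filler,
# the FILETIME bytes from the page at offset 60, and 4 zero trailing bytes.
SAMPLE_HEX = "31000000" + "00" * 56 + "109f2af79b4ed501" + "00" * 4
SAMPLE_CSV = "C:\\Python27\\python.exe," + SAMPLE_HEX + "\n"

if __name__ == "__main__":
    print(decode_userassist_name(r"P:\Clguba27\clguba.rkr"))
    for name, ts in parse_nessus_csv(SAMPLE_CSV):
        print(name, ts.isoformat())
```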
I will make a note to check out the source code of Nessus’ UserAssist plugin, and see if we can make a modification to do the timestamp decoding directly.
About the authors
Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.