Hunting for the warez & other dodgy stuff people install / download, part 2
Summary: the article shows how to discover illegal content on company devices by searching for specific multimedia, subtitle and archive file extensions, and how to follow up on related content via torrent and magnet links. Handling these violations needs care, however: they are usually treated as low-priority risk and may involve insiders. 2025-3-8 22:19:50 Author: www.hexacorn.com

In the first part of this series we explored some basic search terms that can be used to find ‘unwanted’ software being installed on company endpoints. Today, I’d like to take this research a step further and look at other ‘questionable content’.

People download pirated video content from many questionable places. Finding these downloads is not difficult because lots of this activity will reference multimedia files with the following extensions:

  • ‘3g2’, ‘3gp’, ‘amv’, ‘asf’, ‘avi’, ‘bdjo’, ‘bdmv’, ‘clpi’, ‘divx’, ‘drc’, ‘f4a’, ‘f4b’, ‘f4p’, ‘f4v’, ‘flv’, ‘gif’, ‘gifv’, ‘M2TS’, ‘m2v’, ‘m4p’, ‘m4v’, ‘mkv’, ‘mng’, ‘mov’, ‘mp2’, ‘mp4’, ‘mpe’, ‘mpeg’, ‘mpg’, ‘mpls’, ‘mpv’, ‘MTS’, ‘mxf’, ‘nsv’, ‘ogg’, ‘ogv’, ‘qt’, ‘rm’, ‘rmvb’, ‘roq’, ‘svi’, ‘TS’, ‘viv’, ‘vob’, ‘webm’, ‘wmv’, ‘yuv’

As you can guess, searching for file creation events referencing these media file extensions is a good way to discover users that download multimedia content that may need to be reviewed.

And as usual, if we dig deeper, we can build a complementary detection that focuses on a different file extension set, one that is very closely tied to pirated video content:

  • ass – Advanced Sub Station Alpha
  • dfxp – Flash XML (Distribution Format Exchange Profile)
  • inqscr – InqScribe transcript
  • itt – iTunes Timed Text
  • jss – JACOsub
  • sami – Synchronized Accessible Media Interchange
  • sbv – YouTube format
  • scc – Scenarist Closed Captions
  • smi – Synchronized Accessible Media Interchange
  • srt – SubRip
  • ssa – Sub Station Alpha
  • stl – Spruce Subtitle File
  • sup – Blu-ray PGS
  • sup – SonicDVD Creator
  • ttml – Timed Text Markup Language
  • usf – Universal Subtitle Format
  • vtt – Web Video Text Tracks (WebVTT)

If you don’t know what these are, where have you been for the last 3 decades?? 🙂

These are subtitle files that often accompany the pirated media files. So, it goes without saying that the presence of these files can be seen as low hanging fruit that leads us to other undesirable goodies in the folders that host them.

Another type of warez files we should look at are archives.

I mentioned them a few times in the past, but let’s be more systematic this time and focus on telemetry referencing the container files created by the most popular archiving software, the tools the ‘scene’ that ‘releases’ warez to the public uses most often:

  • .rar, .7z, .zip, .cab, and
  • .arj, .lha, .kgb, .xz, and
  • multi-volume archives like
    • .7z.000, .7z.001, …,
    • .rar.000, .rar.001, …,
    • .part1.rar, .part2.rar, …,
    • .r00, .r01, … (old-style RAR volumes),
    • .z.01, .z.02, …,
    • .z01, .z02, … (split ZIP),
    • .zx01, .zx02, …,
    • .zip.001, .zip.002, …,
    • .cab, .part2.cab, …,
    • and older, or less common file archives: https://en.wikipedia.org/wiki/List_of_archive_formats

Hunting for file creation events that refer to files with these file extensions may lead to some very interesting discoveries.

And yes, as usual, there is more:

  • Any file creation event referencing .torrent file extension is of interest
  • Any command line invocation referencing “magnet:” link is of interest
  • Any DNS requests related to known torrent/magnet sites are of interest
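To show how the hunts above (media and subtitle extensions, archive and multi-volume naming, torrent/magnet/DNS indicators) fit together as one piece of detection logic, here is an added Python example that is not part of the original post. It runs the post’s extension lists and naming patterns over a handful of constructed Sysmon-style records (file creation, process command line, DNS query). The multi-volume regex, the sample events and the two-entry torrent domain watchlist are my assumptions; the regex uses the old-style `.r00`/`.r01` RAR volume naming, and the folder correlation implements the “low hanging fruit” idea of listing everything created next to a subtitle file.

```python
import re
from collections import defaultdict

# Extension sets from the post, lower-cased so matching is case-insensitive.
MEDIA_EXTS = {
    "3g2", "3gp", "amv", "asf", "avi", "bdjo", "bdmv", "clpi", "divx", "drc",
    "f4a", "f4b", "f4p", "f4v", "flv", "gif", "gifv", "m2ts", "m2v", "m4p",
    "m4v", "mkv", "mng", "mov", "mp2", "mp4", "mpe", "mpeg", "mpg", "mpls",
    "mpv", "mts", "mxf", "nsv", "ogg", "ogv", "qt", "rm", "rmvb", "roq", "svi",
    "ts", "viv", "vob", "webm", "wmv", "yuv",
}
SUBTITLE_EXTS = {
    "ass", "dfxp", "inqscr", "itt", "jss", "sami", "sbv", "scc", "smi", "srt",
    "ssa", "stl", "sup", "ttml", "usf", "vtt",
}
ARCHIVE_EXTS = {"rar", "7z", "zip", "cab", "arj", "lha", "kgb", "xz"}

# Multi-volume naming conventions from the post as one regex (an assumption
# about how those patterns appear on disk; old-style RAR volumes are .r00, .r01).
MULTIVOLUME_RE = re.compile(
    r"""(?:
        \.(?:7z|rar|zip)\.\d{3}   # archive.7z.001, archive.rar.001, archive.zip.001
      | \.part\d+\.(?:rar|cab)    # archive.part1.rar, archive.part2.cab
      | \.r\d{2}                  # archive.r00, archive.r01
      | \.z\d{2}                  # archive.z01, archive.z02 (split ZIP)
      | \.zx\d{2}                 # archive.zx01, archive.zx02
    )$""",
    re.IGNORECASE | re.VERBOSE,
)

# Assumed watchlist; a real hunt would load a maintained list of torrent sites.
TORRENT_DOMAINS = {"thepiratebay.org", "1337x.to"}


def classify_filename(path):
    """Return the post's category for a created file, or None if uninteresting."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if MULTIVOLUME_RE.search(name):
        return "archive-multivolume"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext == "torrent":
        return "torrent"
    if ext in SUBTITLE_EXTS:
        return "subtitle"
    if ext in MEDIA_EXTS:
        return "media"
    if ext in ARCHIVE_EXTS:
        return "archive"
    return None


def classify_event(ev):
    """Map one telemetry record to a (category, detail) pair, or None."""
    if ev["type"] == "file_create":
        cat = classify_filename(ev["path"])
        return (cat, ev["path"]) if cat else None
    if ev["type"] == "process" and "magnet:" in ev["cmdline"].lower():
        return ("magnet-link", ev["cmdline"])
    if ev["type"] == "dns":
        q = ev["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in TORRENT_DOMAINS):
            return ("torrent-dns", ev["query"])
    return None


def hunt(events):
    """Return {user: [(category, detail), ...]} for every record worth a look."""
    hits = defaultdict(list)
    for ev in events:
        hit = classify_event(ev)
        if hit:
            hits[ev["user"]].append(hit)
    return dict(hits)


def folders_with_subtitles(events):
    """Every file created in a folder that also received a subtitle file."""
    by_folder = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_create":
            folder, _, name = ev["path"].replace("\\", "/").rpartition("/")
            by_folder[folder].append((classify_filename(name) or "other", name))
    return {f: files for f, files in by_folder.items()
            if any(c == "subtitle" for c, _ in files)}


# Constructed sample telemetry (not real data), reduced to the fields used above.
SAMPLE_EVENTS = [
    {"type": "file_create", "user": "alice", "path": r"C:\Users\alice\Downloads\Some.Movie.2024\Some.Movie.2024.mkv"},
    {"type": "file_create", "user": "alice", "path": r"C:\Users\alice\Downloads\Some.Movie.2024\Some.Movie.2024.srt"},
    {"type": "file_create", "user": "alice", "path": r"C:\Users\alice\Downloads\Some.Movie.2024\Some.Movie.2024.nfo"},
    {"type": "file_create", "user": "bob", "path": r"C:\Users\bob\Downloads\release.part1.rar"},
    {"type": "file_create", "user": "bob", "path": r"C:\Users\bob\Downloads\release.r00"},
    {"type": "file_create", "user": "bob", "path": r"C:\Users\bob\Downloads\release.torrent"},
    {"type": "process", "user": "bob", "cmdline": 'qbittorrent.exe "magnet:?xt=urn:btih:0000000000000000000000000000000000000000"'},
    {"type": "dns", "user": "bob", "query": "www.thepiratebay.org"},
    {"type": "file_create", "user": "carol", "path": r"C:\Users\carol\Documents\quarterly-report.docx"},
]

if __name__ == "__main__":
    for user, user_hits in sorted(hunt(SAMPLE_EVENTS).items()):
        for cat, detail in user_hits:
            print(f"{user:6} {cat:20} {detail}")
    for folder, files in folders_with_subtitles(SAMPLE_EVENTS).items():
        print("review folder:", folder, files)
```

Two practical notes: `gif`, `zip` and `cab` will fire on plenty of legitimate activity (browser caches, software installers), so in a real environment the `hunt` output needs a baseline or path allowlist before anyone reads it, and the subtitle-to-folder correlation is the cheap way to rank the remaining hits, since a folder that receives a `.srt` next to an `.mkv` is far more telling than either file alone.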

As we explore this particular topic we may be tempted to extend the approach to hunt for more specific content like pr0n & CSAM, but I do not want to cover these here, because handling them properly requires a completely different approach, one that is better left to experienced DFIR teams working together with Legal and HR departments. That is because in cases of True Positives employees lose jobs, and/or go to prison.

Now… as we come to the end of this quick & dirty hunting guide, I need to be fair and mention a small caveat. While hunting for Acceptable Use Policy violations is pretty easy, the actual remediation is extremely difficult. Some of these findings (often in bulk) end up as items on the company’s Risk Register, and everything listed there gets prioritized; AUP violations are always marked LOW on that list. Moreover, exploring AUP violations in your environment will inevitably lead you to discover violations committed by the security personnel themselves, including CISOs. There is no clear way to solve this long-term without a serious commitment from the company’s security committee…


Source: https://www.hexacorn.com/blog/2025/03/08/hunting-for-the-warez-other-dodgy-stuff-people-install-download-part-2/