How can i get the correct file path from behaviors in detections

[hermanmaleiane]

Hi team,

Hope you are doing well.
Got one question.
I'm little bit confused about how can i get the full path from behaviors in detections.

I found out that quick scan from windows defender is not performing well and i have tested with custom scan and it works fine.
The file path provided by falcon is not the correct.

The code
First:
detects = falcon_detects.query_detects(filter=f"date_updated:>'{date_time}'")
Second:

detects_details = falcon_detects.get_detect_summaries(ids=i) 
print(detects_details['body']['resources'][0]["behaviors"])

Filepath extracted from behaviors

filepath': '\Device\HarddiskVolume3\Program Files\WinRAR\WinRAR.exe'

cmdline extracted from behaviors

'cmdline': '"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Herman.Maleiane\Downloads\CashCat.zip" "?\"',

ioc_descriptionextracted from behaviors

'ioc_description': '\Device\HarddiskVolume3\Users\Herman.Maleiane\Downloads\CashCat\CashCat.exe'

The correct path is:
C:\Users\Herman.Maleiane\Downloads\CashCat\CashCat.exe

My goal is to get the full path and execute a custom scan like this example.
This is much effective, full scan takes too much time.

Example: Start-MpScan -ScanType CustomScan -ScanPath "C:\Users\Herman.Maleiane\Downloads\CashCat\CashCat.exe"

Thanks in advance.

[bk-cs]

Falcon uses Windows APIs to track files because it interacts with the kernel directly. It tracks files by that \Device\HarddiskVolume value, not the drive letter that's exposed to the user... so, unfortunately, it's not as simple as "getting the right path from the API".

You can use the device path to find the drive letter on the system itself. PowerShell is my language, and I'm not aware of a native method that can match the "device path" to the drive letter. I found the following article after a bunch of searching that describes a script that can be used to do it: https://morgantechspace.com/2014/11/Get-Volume-Path-from-Drive-Name-using-Powershell.html

That's a pretty long script, so after some trial and error I reduced it to a PowerShell function:

function Get-DriveLetter ([string] $String) {
    $Definition = @’
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint QueryDosDevice(
    string lpDeviceName,
    System.Text.StringBuilder lpTargetPath,
    uint ucchMax);
‘@
    $StringBuilder = New-Object System.Text.StringBuilder(65536)
    $Kernel32 = Add-Type -MemberDefinition $Definition -Name Kernel32 -Namespace Win32 -PassThru
    foreach ($Volume in (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter })) {
        $Value = $Kernel32::QueryDosDevice($Volume.DriveLetter,$StringBuilder,65536)
        if ($Value -and $String) {
            $DevicePath = [regex]::Escape($StringBuilder.ToString())
            $String | Where-Object { $_ -match $DevicePath } | ForEach-Object {
                $String -replace $DevicePath, $Volume.DriveLetter
            }
        } elseif ($Value) {
            [PSCustomObject] @{
                DriveLetter = $Volume.DriveLetter
                DevicePath  = $StringBuilder.ToString()
            }
        }
    }
}

The function can be used two ways. Run without any input, it will list all drive letters and their device paths.

PS> Get-DriveLetter

DriveLetter DevicePath
----------- ----------
C:          \Device\HarddiskVolume1
D:          \Device\CdRom0

If you include a device path, it will update the string with the drive letter:

PS> Get-DriveLetter \Device\HarddiskVolume1\Users\Herman.Maleiane\Downloads\CashCat\CashCat.exe
C:\Users\Herman.Maleiane\Downloads\CashCat\CashCat.exe

If you create a Real-time Response script with the function included, you could finish it out with Start-MpScan:

param([string] $Path)
function Get-DriveLetter ([string] $String) {
    $Definition = @’
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint QueryDosDevice(
    string lpDeviceName,
    System.Text.StringBuilder lpTargetPath,
    uint ucchMax);
‘@
    $StringBuilder = New-Object System.Text.StringBuilder(65536)
    $Kernel32 = Add-Type -MemberDefinition $Definition -Name Kernel32 -Namespace Win32 -PassThru
    foreach ($Volume in (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter })) {
        $Value = $Kernel32::QueryDosDevice($Volume.DriveLetter,$StringBuilder,65536)
        if ($Value -and $String) {
            $DevicePath = [regex]::Escape($StringBuilder.ToString())
            $String | Where-Object { $_ -match $DevicePath } | ForEach-Object {
                $String -replace $DevicePath, $Volume.DriveLetter
            }
        } elseif ($Value) {
            [PSCustomObject] @{
                DriveLetter = $Volume.DriveLetter
                DevicePath  = $StringBuilder.ToString()
            }
        }
    }
}
$ScanPath = Get-DriveLetter $Path
if ($ScanPath) {
    Start-MpScan -ScanType CustomScan -ScanPath $ScanPath
}

It can then be launched in Real-time Response with the following syntax:

runscript -CloudFile="my_script" -CommandLine="\Device\HarddiskVolume1\Users\Herman.Maleiane\Downloads\CashCat\CashCat.exe"

[hermanmaleiane]

Hi @bk-cs !!
That works perfectly.
Thank you so much for helping.

[bk-cs]

Also, it's worth noting that if you're using Real-time Response commands directly, they do handle "device paths". For instance, if you wanted to use rm to delete the file, this works through Real-time Response:

rm \Device\HarddiskVolume1\Users\Herman.Maleiane\Downloads\CashCat\CashCat.exe