├── navgen
│   ├── .gitignore
│   ├── requirements.txt
│   ├── LICENSE
│   ├── README.md
│   └── navgen.py
├── .gitignore
├── threat_hunting
│   ├── CB-Command_R
│   │   ├── requirements.txt
│   │   ├── config.py
│   │   ├── README.md
│   │   └── cb-command_r.py
│   ├── png_extract
│   │   ├── bin
│   │   │   ├── png_extract-32.exe
│   │   │   └── png_extract-64.exe
│   │   ├── stdafx.cpp
│   │   ├── targetver.h
│   │   ├── stdafx.h
│   │   ├── LICENSE
│   │   ├── png_extract.vcxproj.filters
│   │   ├── README.md
│   │   ├── png_extract.cpp
│   │   └── png_extract.vcxproj
│   ├── yara
│   │   ├── powershell_reflective_injector_generic.yara
│   │   ├── sodinokibi_ransomware_2019_Q3.yara
│   │   ├── GandCrab_Ursnif_dropper_2019_Q1.yar
│   │   ├── POS_2020_Q2_TinyPOS.yar
│   │   └── tau_winnti_public.yara
│   ├── powershell_meterpreter_extractor
│   │   ├── LICENSE
│   │   ├── README.md
│   │   └── powershell_meterpreter_extractor.py
│   └── IOCs
│       ├── COVID-19 Post IOCs
│       │   └── blog_post_iocs.csv
│       ├── shlayer
│       │   ├── domain-iocs.txt
│       │   ├── hashes-iocs.txt
│       │   └── urls-iocs.txt
│       └── IOCs_2019_Q3_Sodinokibi-Hashes.csv
├── ThreatHunter-Watchlist-Manager
│   ├── requirements.txt
│   ├── watchlists
│   │   └── example
│   │       └── example.yaml
│   ├── README.md
│   └── watchlist-manager.py
├── malware_specific
│   ├── Sodinokibi
│   │   ├── README.MD
│   │   └── Sodinokibi_configparser.py
│   ├── TinyPOS
│   │   ├── README.md
│   │   ├── TinyPOS_exfil_decoder.py
│   │   └── TinyPOS_sc_extracor.py
│   ├── ThiefQuest
│   │   ├── README.md
│   │   └── thiefquest_decrypt.py
│   └── FancyBear
│       └── zebrocy_decrypt_artifact.py
├── threat_emulation
│   ├── pseudo_ransomware
│   │   ├── setup.py
│   │   ├── LICENSE
│   │   └── README.md
│   └── Invoke-APT29
│       ├── LICENSE
│       └── README.MD
├── LICENSE
├── remediation
│   ├── EternalDarkness
│   │   ├── LICENSE
│   │   ├── README.md
│   │   ├── EternalDarkness-LR.py
│   │   └── EternalDarkness.ps1
│   ├── HiveNightMare
│   │   ├── LICENSE
│   │   ├── HiveNightmare.ps1
│   │   ├── HiveNightmare-LR.py
│   │   └── README.md
│   ├── MS-ADV200006
│   │   ├── LICENSE
│   │   ├── MS-ADV200006.py
│   │   ├── MS-ADV200006.ps1
│   │   └── README.md
│   └── shlayer
│       ├── README.md
│       └── shlayer-cleanup.sh
└── README.md

/navgen/.gitignore:
--------------------------------------------------------------------------------
*.json

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store

/navgen/requirements.txt:
--------------------------------------------------------------------------------
requests
pick

/threat_hunting/CB-Command_R/requirements.txt:
--------------------------------------------------------------------------------
# json is part of the Python standard library and cannot be installed from PyPI
requests
threaded

/ThreatHunter-Watchlist-Manager/requirements.txt:
--------------------------------------------------------------------------------
# os, sys, argparse, json, time and pprint are standard-library modules and need no install
requests
PyYAML  # distribution that provides the 'yaml' module
cbapi

/threat_hunting/png_extract/bin/png_extract-32.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/carbonblack/tau-tools/HEAD/threat_hunting/png_extract/bin/png_extract-32.exe

/threat_hunting/png_extract/bin/png_extract-64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/carbonblack/tau-tools/HEAD/threat_hunting/png_extract/bin/png_extract-64.exe

/threat_hunting/png_extract/stdafx.cpp:
--------------------------------------------------------------------------------
// stdafx.cpp : source file that includes just the standard includes
// png_extract.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information

#include "stdafx.h"

// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

/threat_hunting/png_extract/targetver.h:
--------------------------------------------------------------------------------
#pragma once

// Including SDKDDKVer.h defines the highest available Windows platform.

// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.

#include <SDKDDKVer.h>

/malware_specific/Sodinokibi/README.MD:
--------------------------------------------------------------------------------
### Sodinokibi Ransomware Configuration Parser

Author: jmyers - CB TAU
Date: 20-June-2019

This script is intended to extract relevant configuration information from Sodinokibi samples and may need to be updated as variants are updated.

#### Usage

    $ python sodinokibi_configparser.py $(path to file)

/malware_specific/TinyPOS/README.md:
--------------------------------------------------------------------------------
### TinyPOS/PinkKite Python Scripts

Author: jmyers - CB TAU
Date: 4-May-2020

These scripts are intended to be used on TinyPOS/PinkKite variants used in POS attacks.

#### Usage

    $ python TinyPOS_exfil_decoder.py $(path to encoded file)

    $ python TinyPOS_sc_extracor.py $(path to image file)

/threat_hunting/png_extract/stdafx.h:
--------------------------------------------------------------------------------
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//

#pragma once

#include "targetver.h"

#include <stdio.h>
#include <tchar.h>



// TODO: reference additional headers your program requires here

/threat_emulation/pseudo_ransomware/setup.py:
--------------------------------------------------------------------------------
# setup.py
# NOTE: Not currently working due to puremagic's json not being pulled in

from distutils.core import setup
import py2exe

# raw string so the backslashes in the Windows path are not read as escape sequences
missing_files = [('puremagic', [r'c:\python27\Lib\site-packages\puremagic\magic_data.json'])]

setup(
    console=['pseudo_ransomware.py'],
    data_files=missing_files,
    options={
        'py2exe': {
            'packages': ['puremagic'],
            'bundle_files': 1,
        }
    }
)

/threat_hunting/CB-Command_R/config.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

active = {
    'url': 'https://.carbonblack.io/api/v1/process',
    'key': ''
}

# ======================================================================
# Place API key and URL in 'active' to use with the cmdline-search.py
# ======================================================================

env1 = {
    'url': 'https://.carbonblack.io/api/v1/process',
    'key': ''
}

env2 = {
    'url': 'https://.carbonblack.io/api/v1/process',
    'key': ''
}

etc = {
    'url': 'https://.carbonblack.io/api/v1/process',
    'key': ''
}

/malware_specific/ThiefQuest/README.md:
--------------------------------------------------------------------------------
# OSX.ThiefQuest Python Script

This python script can decrypt encrypted strings and network responses from the
OSX.ThiefQuest backdoor.

## Usage

```
OSX.ThiefQuest Decryption Tool v1.0

Usage:
    thiefquest_decrypt.py [string|stringnew|network|spot]
```

## Examples

```
$ python3 thiefquest_decrypt.py string "20HBC332gdTh2WTNhS2CgFnL3Q0gNf3whEH{0000073"
bytearray(b'com.apple.questd\x00')
```

```
$ python3 thiefquest_decrypt.py stringnew "27GR{{3ULczE2e|Sgg2AaSxK0000043"
bytearray(b'q?s=%s&h=%s\x00')
```

```
$ python3 thiefquest_decrypt.py network "3wqGSj0.Dcnm0BrI0h0KMOIN1GeZhv2B5nAE1TAV7t1nKx_s2sNUcB37x3nX18MiO50VgwLS3KR8oB3gmNVU0000023"
bytearray(b'\x10\x00\x00\x00&\x00\x00\x00\x00\x00\x00\x00\xff\xc8\x00\x00user1s-M)\xcf\xeec\x02\x87\xa2P:user1s-Mac.local:1.5\x00')
```

/threat_hunting/yara/powershell_reflective_injector_generic.yara:
--------------------------------------------------------------------------------
rule Powershell_reflective_injector_generic : TAU PowerShell b64MZ
{
    meta:
        author = "Carbon Black TAU" //jmyers
        date = "2019-Jun-21"
        description = "Designed to catch PowerShell script to reflectively inject embedded b64 MZ"
        link = ""
        rule_version = 1
        yara_version = "3.10.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "aabf130306337094e09e4b2f1845310cece8f81f50c4f10bfc43bf9cccb0923d,01f34e9ab8835626f0ae554cb89b8d772d4aa3dfaf392e05d906e0f4f7123369"
    strings:
        $s1 = "[CmdletBinding()]"
        $s2 = "$Win32Types = New-Object System.Object"
        $s3 = "TVqQAA"
        $s4 = "Invoke-Command"
        $s5 = "FromBase64String"
        $s6 = "Get-Win32Functions"
        $s7 = "Get-VirtualProtectValue"
    condition:
        all of them

}

/threat_hunting/yara/sodinokibi_ransomware_2019_Q3.yara:
--------------------------------------------------------------------------------
rule Sodinokibi_ransomware_2019_Q3 : TAU ecrime ransomware
{
    meta:
        author = "Carbon Black TAU" //jmyers
        date = "2019-Jun-21"
        description = "Designed to catch Sodinokibi Ransomware Variants"
        link = ""
        rule_version = 1
        yara_version = "3.10.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "200d374121201b711c98b5bb778ab8ca46d334e06f2fc820a2ea7e70c251095e,32a72f3bc54b65651ec263c11e86738299d172043a9cdd146001780501c75078"
    strings:
        $s1 = "\\BaseNamedObjects" wide
        $s2 = "kernel32.dll" wide ascii
        $s3 = "kernelbase.dll" wide
        $s4 = "CreateThread"
        $s5 = "CloseHandle"
        $s6 = "kexpand"
        $s7 = {E8 58 3F 00 00}
        $s8 = {FF 35 24 E0 01 10}
        $s9 = {40 3D 00 01 00 00}
    condition:
        7 of ($s*)
}

/navgen/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2018 Carbon Black

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

/threat_hunting/png_extract/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2017 Carbon Black

/threat_emulation/pseudo_ransomware/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2017 Carbon Black

/threat_hunting/powershell_meterpreter_extractor/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2018 Carbon Black

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 VMware Carbon Black

/remediation/EternalDarkness/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 VMware Carbon Black

/remediation/HiveNightMare/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 VMware Carbon Black

/remediation/MS-ADV200006/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 VMware Carbon Black

/threat_emulation/Invoke-APT29/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 VMware Carbon Black

/remediation/shlayer/README.md:
--------------------------------------------------------------------------------
# OSX Shlayer Cleanup Script

### Blog: [New MacOS Malware Variant of Shlayer Discovered](https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/)

### Instructions

There are two ways to run this script: interactively and automatically.

First things first, ensure the script is executable:

    $ chmod +x ./shlayer-cleanup.sh

#### Interactive Execution

Allows you to step through the execution and review all files before making a decision on removing them.

    $ ./shlayer-cleanup.sh

#### Automatic Execution

Runs the script and automatically deletes any detected Shlayer malicious files.

    $ ./shlayer-cleanup.sh --autoremove

To download and execute this script directly from this repository you can run the following one-liner. (Be careful and review the script before doing this.)

    $ curl -s https://raw.githubusercontent.com/carbonblack/tau-tools/master/remediation/shlayer/shlayer-cleanup.sh | bash -s -- --autoremove

To execute this script using Carbon Black's Live Response, add 'execfg' to the beginning of the string.

#### Example

![image](https://user-images.githubusercontent.com/727732/52649660-ecde8b80-2ea5-11e9-81f8-0f9dce1d187d.png)

/ThreatHunter-Watchlist-Manager/watchlists/example/example.yaml:
--------------------------------------------------------------------------------
---
author: TAU
detection: 'Potential AMSI DLL Search Order Hijacking'
industry: 'all'
link: 'https://attack.mitre.org/techniques/T1038/'
notes: ''
tags:
  - evasion
  - persistence
  - privesc
  - t1038
  - t1089
  - amsi
type: Carbon Black First Party
description: "An attacker can bypass AMSI and/or previously patched AMSI vulnerabilities by dropping their own DLL and invoking an AMSI eligible process.
  This query looks for amsi.dll being loaded from a non-standard windows path which is a high confidence indicator that AMSI dll search
  order hijacking is taking place."
false positives: 'One endpoint security vendor is using the same name of their amsi dll as the built in system library name. This goes against development best practices.'
queries:
  attack test(s): https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1038/T1038.yaml
  comment:
  guid: 36b837da-6f8c-4345-aac6-ef08b753fdf9
  query: (modload_name:amsi.dll AND NOT (modload_name:windows\\syswow64\\amsi.dll OR modload_name:windows\\system32\\amsi.dll OR modload_name:windows\\winsxs\\*\\amsi.dll)) -legacy:true
  title: AMSI - Potential AMSI DLL Search Order Hijacking
supported platform(s): windows
threat: '9'
query id: amsi_dll_search_order_hijacking_ioc
...

/threat_hunting/png_extract/png_extract.vcxproj.filters:
--------------------------------------------------------------------------------
(Visual Studio filter file; its XML markup did not survive extraction. Recoverable content: filter "Source Files" {4FC737F1-C7A5-4376-A066-2A32D752A2FF} with extensions cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx, filter "Header Files" {93995380-89BD-4b04-88EB-625FBE52EBFB} with extensions h;hh;hpp;hxx;hm;inl;inc;xsd, filter "Resource Files" {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} with extensions rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms, two items assigned to Header Files and two to Source Files.)

/threat_hunting/yara/GandCrab_Ursnif_dropper_2019_Q1.yar:
--------------------------------------------------------------------------------
rule macro_GandCrab_Ursnif_dropper_2019_Q1 : TAU Trojan Ecrime Ransomware
{
    meta:
        author = "Carbon Black TAU" //jmyers
        date = "2019-Jan-14"
        description = "Designed to catch PowerShell encoded command in Word Shape box as alternative text"
        link = ""
        rule_version = 1
        yara_version = "3.7.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080,cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36"
    strings:
        $s1 = "powershell.exe -NoP -Exec Bypass -EC " wide
    condition:
        all of them and
        uint16(0) == 0xCFD0
}

rule GandCrab_Ursnif_PowerShell_cradle_2019_Q1 : TAU TROJAN Ecrime Ransomware
{
    meta:
        author = "Carbon Black TAU" //jmyers
        date = "2019-Jan-14"
        description = "Designed to catch PowerShell cradle from campaign"
        link = ""
        rule_version = 1
        yara_version = "3.7.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "3b59549507e0e3cfb4a363a306bf6eb4d26995066df643e1fc8e4e11eaffa7f9,debe4cb5645f10e6b6383838c25f26781a61acb536d2246cdf8dc33bbc1a2414"
    strings:
        $s1 = "If($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64')"
        $s2 = "$Env:WINDIR\\SysWOW64\\WindowsPowerShell"
        $s3 = "new-object net.webclient"
        $s4 = "downloadstring"
        $s5 = "Invoke"
        $s6 = "Sleep"
    condition:
        4 of ($s*) and
        filesize < 2KB
}

/malware_specific/TinyPOS/TinyPOS_exfil_decoder.py:
--------------------------------------------------------------------------------
import re
import sys
import os

'''
Python3
Date: 4 May 2020
Author: Carbon Black TAU - Jared Myers
Exemplar Hashes:
Description: Decodes PCI encoded data dumps from TinyPOS/PinkKite ShellCode Variants
'''
__VERSION__ = '1.0'


def decode(string):
    # XOR every byte with the repeating 8-byte key; the key stream restarts at
    # key[0] for each chunk, and trailing NUL bytes are padding
    key = [0xfd, 0xaa, 0x0f, 0x49, 0xc2, 0xbe, 0xac, 0x9f]
    out = ''
    for counter, byte in enumerate(string):
        out = out + chr(byte ^ key[counter % 8])
    return out.rstrip('\x00')


def data_chunks(data):
    # records are separated by four spaces followed by DD 0A DD 0A
    data_split = re.split(rb'\x20{4}\xDD\x0A\xDD\x0A', data)
    return data_split


def main():
    try:
        filename = sys.argv[1]
    except IndexError:
        print('POS exfil decoder v%s\n' % __VERSION__)
        print('Usage:\n %s ' % (sys.argv[0]))
        sys.exit(1)

    if not os.path.isfile(filename):
        print('[!]File Not Found Try Again')
        sys.exit(1)
    try:
        with open(filename, "rb") as f:
            data = f.read()
        output = filename + "_decoded.txt"
        print('saving decoded data to:\t' + output)
        # latin-1 writes every chr(0..255) produced by decode() back as the same
        # byte, so decoded bytes >= 0x80 cannot raise UnicodeEncodeError
        with open(output, "w", encoding="latin-1") as out:
            for x in data_chunks(data):
                dec = decode(x)
                out.write(dec)
                print(dec)
    except Exception as e:
        print("[!!!] There seems to be a problem")
        print(e)


if __name__ == "__main__":
    main()

/threat_hunting/png_extract/README.md:
--------------------------------------------------------------------------------
# png_extractor

## Synopsis

This project is for extracting PEs embedded inside png PE resources.
6 | 7 | See https://www.carbonblack.com/2017/08/07/threat-analysis-carbon-black-threat-research-dissects-png-dropper/ 8 | 9 | ## Usage Example 10 | 11 | ./png_extract 12 | 13 | ## History 14 | 15 | Version 1.0 - Initial release 16 | 17 | ## Author 18 | 19 | Brian Sturk (bsturk@carbonblack.com) 20 | 21 | ## License 22 | 23 | The MIT License (MIT) 24 | 25 | Copyright (c) 2017 Carbon Black 26 | 27 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 28 | 29 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 30 | 31 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 32 | -------------------------------------------------------------------------------- /navgen/README.md: -------------------------------------------------------------------------------- 1 | # Navigator Generator (NavGen) 2 | 3 | ## Synopsis 4 | 5 | This project is for generating a MITRE Navigator JSON file that can be used to upload to an on-prem or github instance (https://mitre.github.io/attack-navigator/enterprise/). 6 | 7 | ## History 8 | 9 | - Version 1.0 - Initial release 10 | - Version 2.0 - Updated to include EEDR and EDR products. 
  Also works with the latest version of MITRE ATT&CK Navigator layers.

## Author

Adam Nadrowski ([@occupy\_eip](https://twitter.com/occupy_eip))

## License

The MIT License (MIT)

Copyright (c) 2018 Carbon Black
--------------------------------------------------------------------------------
/threat_emulation/pseudo_ransomware/README.md:
--------------------------------------------------------------------------------
# pseudo_ransomware

## Synopsis

This project simulates different ransomware techniques in a non-destructive, recoverable way.
## Usage Example

    python pseudo_ransomware.py -r -p file_dir -x .crypt -N http://www.wtfismyip.com -c 1 -w 3

## MBRs

https://github.com/brainsmoke/nyanmbr
https://github.com/daniel-e/tetros

## History

Version 1.10

## Author

Brian Sturk (bsturk@carbonblack.com)

## License

The MIT License (MIT)

Copyright (c) 2017 Carbon Black
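The TinyPOS_sc_extracor.py script and the POS_2020_Q2_TinyPOS.yar rules in this repository describe the same artifact: an image file carrying a 60-byte clear stub whose `mov rax, imm32` operand is a 4-byte XOR key, followed by the encoded blob and a `CF CF CF CF` terminator. The added example below (not part of the repository) re-implements the YARA condition in Python, recovers the blob the way the extractor does, and runs both against a constructed image so the logic can be tested offline; the key, payload and image bytes are made up for the test.

```python
import re
from typing import Optional

# Byte patterns taken from the POS_2020_Q2_TinyPOS_ImageFile_Encoded_SC YARA rule
IMAGE_MAGICS = (b'\x89PNG', b'BM', b'\xFF\xD8\xFF')
STUB = b'\x48\x31\xDB\x48\xC7\xC0'      # xor rbx, rbx ; mov rax, imm32 -> imm32 is the key
STUB_RE = re.compile(rb'\x48\x31\xDB\x48\xC7\xC0.{10,20}\x90\x90\x90\x90', re.DOTALL)
TERMINATOR = b'\xCF\xCF\xCF\xCF'        # end of the XOR-encoded region
CLEAR_PREFIX = 60                       # bytes the extractor leaves unencoded


def matches_rule(data: bytes) -> bool:
    """Pure-Python equivalent of the YARA condition: image magic at 0 and both $b strings."""
    return (data.startswith(IMAGE_MAGICS)
            and STUB_RE.search(data) is not None
            and TERMINATOR in data)


def xor_rolling(buf: bytes, key: bytes) -> bytes:
    """XOR buf with a 4-byte key whose index restarts at the first byte of buf."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(buf))


def extract_shellcode(data: bytes) -> Optional[bytes]:
    """Recover the decoded blob the way TinyPOS_sc_extracor.py does.

    The key is the imm32 operand at stub offset 6; the first 60 bytes stay in
    clear, the rest is XOR-decoded up to the CF CF CF CF terminator, and the
    terminator plus anything after it is copied unchanged.
    """
    offset = data.find(STUB)
    if offset == -1:
        return None
    sc = data[offset:]
    key = sc[6:10]
    body = sc[CLEAR_PREFIX:]
    end = body.find(TERMINATOR)
    if end == -1:               # no terminator: the whole tail is encoded
        return sc[:CLEAR_PREFIX] + xor_rolling(body, key)
    return sc[:CLEAR_PREFIX] + xor_rolling(body[:end], key) + body[end:]


def decoded_payload(data: bytes) -> Optional[bytes]:
    """Return only the decoded region between the clear prefix and the terminator."""
    blob = extract_shellcode(data)
    if blob is None:
        return None
    end = blob.find(TERMINATOR, CLEAR_PREFIX)
    return blob[CLEAR_PREFIX:end] if end != -1 else blob[CLEAR_PREFIX:]


def build_sample(payload: bytes, key: bytes) -> bytes:
    """Constructed test input (not a real sample): PNG magic, filler image bytes,
    a 60-byte clear stub carrying the key, the XOR-encoded payload, the terminator."""
    stub = STUB + key + b'\xCC' * 8 + b'\x90' * 4        # 12 bytes between stub and NOPs
    clear = stub + b'\x00' * (CLEAR_PREFIX - len(stub))   # pad the unencoded prefix to 60 bytes
    image = b'\x89PNG\r\n\x1a\n' + b'\x11' * 32           # fake image header and data
    return image + clear + xor_rolling(payload, key) + TERMINATOR + b'\x00' * 4


# Constructed marker text standing in for the encoded blob; it is not executable code.
PAYLOAD = b'constructed-marker: decoded payload bytes go here'
KEY = b'\x13\x37\xBE\xEF'
SAMPLE = build_sample(PAYLOAD, KEY)


if __name__ == "__main__":
    print("YARA-equivalent match:", matches_rule(SAMPLE))
    print("decoded:", decoded_payload(SAMPLE))
```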
--------------------------------------------------------------------------------
/malware_specific/TinyPOS/TinyPOS_sc_extracor.py:
--------------------------------------------------------------------------------
import sys
import os

'''
Python3
Date: 4 May 2020
Author: Carbon Black TAU - Jared Myers
Exemplar Hashes:
Description: Extracts and decodes TinyPOS/PinkKite ShellCode from Image files
'''
__VERSION__ = '1.0'

# stub that starts the embedded shellcode: xor rbx, rbx ; mov rax, imm32
STUB = b'\x48\x31\xDB\x48\xC7\xC0'
# terminator after which the buffer is no longer XOR encoded
TERMINATOR = b'\xCF\xCF\xCF\xCF'


def dec(encoded_buffer, key, decoded_sc):
    # XOR each byte with the rotating 4-byte key until the CF CF CF CF
    # terminator; the terminator and everything after it are copied as-is
    out = bytearray(decoded_sc)
    for i, x in enumerate(encoded_buffer):
        if encoded_buffer[i:i + 4] == TERMINATOR:
            out += encoded_buffer[i:]
            break
        out.append(x ^ key[i % 4])
    return bytes(out)


def write_file(name, buff):
    with open(name, "wb") as out:
        out.write(buff)


def main():
    global filename
    try:
        filename = sys.argv[1]
    except IndexError:
        print('ShellCode Extractor v%s\n' % __VERSION__)
        print('Usage:\n %s ' % (sys.argv[0]))
        quit()

    if not os.path.isfile(filename):
        print('[!]File Not Found Try Again')
        quit()
    try:
        with open(filename, "rb") as fh:
            data = fh.read()
        offset = data.find(STUB)
        if offset == -1:
            print('[!] Shellcode stub not found in ' + filename)
            quit()
        sc = data[offset:]
        print('saving shellcode data to:\t' + filename + ".sc")
        write_file(filename + ".sc", sc)
        # the imm32 operand of the mov rax instruction is the 4-byte XOR key
        key = bytearray(sc[6:10])
        # the first 60 bytes are not encoded and are kept as they are
        decoded_sc = sc[:60]
        output = dec(sc[60:], key, decoded_sc)
        print('saving decoded shellcode data to:\t' + filename + "_decoded.sc")
        write_file(filename + "_decoded.sc", output)

    except Exception as e:
        print("[!!!] There seems to be a problem")
        print(e)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/threat_hunting/IOCs/COVID-19 Post IOCs/blog_post_iocs.csv:
--------------------------------------------------------------------------------
SHA256,MD5,Type
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

     _____ _____ _____    _____         _
    |_   _|  _  |  |  |  |_   _|___ ___| |___
      | | |     |  |  |    | | | . | . | |_ -|
      |_| |__|__|_____|    |_| |___|___|_|___|


## Various tools from the VMware Carbon Black Threat Analysis Unit

#### VMware Carbon Black ThreatHunter
- [Watchlist-Manager](https://github.com/carbonblack/tau-tools/tree/master/ThreatHunter-Watchlist-Manager)

#### VMware Carbon Black Response
- [CB-Command_R](https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/CB-Command_R)

#### MITRE ATT&CK
- [Navgen](https://github.com/carbonblack/tau-tools/tree/master/navgen)
- [Invoke-APT29](https://github.com/carbonblack/tau-tools/tree/master/threat_emulation/Invoke-APT29)

#### Threat Hunting
- [Meterpreter Extractor](https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/powershell_meterpreter_extractor)
- [IOCs](https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/IOCs)
- [YARA](https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/yara)
- [PNG Extract](https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/png_extract)

#### Remediation
- [EternalDarkness](https://github.com/carbonblack/tau-tools/tree/master/remediation/EternalDarkness)
- [Shlayer](https://github.com/carbonblack/tau-tools/tree/master/remediation/shlayer)

#### Threat Emulation
- [Pseudo Ransomware](https://github.com/carbonblack/tau-tools/tree/master/threat_emulation/pseudo_ransomware)

#### Malware Specific
- [FancyBear](https://github.com/carbonblack/tau-tools/tree/master/malware_specific/FancyBear)
- [Sodinokibi](https://github.com/carbonblack/tau-tools/tree/master/malware_specific/Sodinokibi)
- [TinyPOS](https://github.com/carbonblack/tau-tools/tree/master/malware_specific/TinyPOS)

Last updated: March 13, 2020
--------------------------------------------------------------------------------
/remediation/shlayer/shlayer-cleanup.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# OSX Shlayer Cleanup Script
# gfoss[at]carbonblack[.]com
# Feb 11, 2019

# Run automatically or interactively?
autoremove=false
if [[ "$1" == "--autoremove" ]]; then
    autoremove=true
fi

# When running interactively, display warning
if [[ "$autoremove" == "false" ]]; then
    echo ""
    echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
    echo -n " Enter 'YES' to continue: "
    read shallWeContinue
    if [ "$shallWeContinue" != 'YES' ]; then
        echo ""
        exit 1
    fi
else
    echo ""
    echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
    echo " Press CTRL+C to abort..."
    sleep 5
fi

# Set Directories
directories=("/tmp/*/Player*.app/"
"/Applications/Mac*Cleanup*Pro*.app/"
"/Volumes/Player/"
"/Volumes/FlashPlayer/"
"/private/tmp/*/Player/"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")

echo ""

# Check Primary Directories for Player Files and remove if found
# (the array expansion is left unquoted on purpose so the shell expands the globs)
for directory in ${directories[@]}; do
    if [ -d "$directory" ]; then
        echo -e "OSX Shlayer Infection Detected!"
        echo "  $directory"
        if [[ "$autoremove" == "false" ]]; then
            echo -n "Would you like to delete the malware directory? Enter (y/n): "
            read cleanupChoice
        else
            cleanupChoice="y"
        fi
        if [ "$cleanupChoice" == "y" ]; then
            sudo rm -rf "$directory" && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
        else
            echo "It is recommended to remove this directory to prevent continued infection!"
        fi
        echo ""
    fi
done
--------------------------------------------------------------------------------
/threat_hunting/yara/POS_2020_Q2_TinyPOS.yar:
--------------------------------------------------------------------------------
rule POS_2020_Q2_TinyPOS_exfil_file : TAU Ecrime POS
{
    meta:
        author = "VMware Carbon Black Threat Research" // jmyers
        date = "2020-May-4"
        Validity = 10
        severity = 10
        description = "For Detection of Exfil Files created by this TinyPOS/PinkKite variant"
        rule_version = 1
        yara_version = "3.11.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "e48af0380d51eff554d56aabeeb5087bba37fa8fb02af1ccd155bb8b5079edae"

    strings:
        $b1 = {BD EA 4F 09}             //@@@@ header encoded
        $b2 = {20 20 20 20 DD 0A DD 0A} //Delimiter used by malware

    condition:
        all of them
        //Additional Condition configuration
        //$b1 and #b2 > 1
}

rule POS_2020_Q2_TinyPOS_ImageFile_Encoded_SC : TAU Ecrime POS
{
    meta:
        author = "VMware Carbon Black Threat Research" // jmyers
        date = "2020-May-4"
        Validity = 10
        severity = 10
        description = "For Detection of Image files containing encoded Shellcode"
        rule_version = 1
        yara_version = "3.11.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "e48af0380d51eff554d56aabeeb5087bba37fa8fb02af1ccd155bb8b5079edae"
    strings:
        $PNG = {89 50 4E 47} //PNG header
        $BMP = {42 4D}       //BMP header
        $JPG = {FF D8 FF}    //JPG header

        $b1 = {48 31 DB 48 C7 C0 [10-20] 90 90 90 90} //xor rbx,rbx ; mov rax, imm32 (XOR key) ... NOP sled
        $b2 = {CF CF CF CF}                           //terminator of the encoded region

    condition:
        ($PNG at 0
        or $BMP at 0
        or $JPG at 0)
        and all of ($b*)
}

rule POS_2020_Q2_TinyPOS_PS_loader : TAU Ecrime POS
{
    meta:
        author = "VMware Threat Research" // jmyers
        date = "2020-May-4"
        Validity = 10
        severity = 10
        description = "For Detection of PowerShell script used to load TinyPOS/PinkKite" //It should be noted that this will catch numerous malicious PS scripts
        rule_version = 1
        yara_version = "3.11.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "15712752daf007ea0db799a318412478c5a3a315a22932655c38ac6485f8ed00"
    strings:
        $ps1 = "powershell"
        $s1 = "IABmAHUAbgBj" //base64 of UTF-16LE " func"
        $s2 = "WwBCAHkAdAB"  //base64 of UTF-16LE "[Byt"
    condition:
        $ps1
        and any of ($s*)
}
--------------------------------------------------------------------------------
/threat_hunting/powershell_meterpreter_extractor/README.md:
--------------------------------------------------------------------------------
# powershell_meterpreter_extractor

## Synopsis

This project extracts the base64 encoded shellcode used to deliver Meterpreter payloads from PowerShell loaders.

## Usage Help

    python powershell_meterpreter_extractor.py --help
    usage: powershell_meterpreter_extractor.py [-h] [-o OUTPUT] (-i INPUT | -f FILE)

    optional arguments:
      -h, --help            show this help message and exit
      -o OUTPUT, --output OUTPUT
                            Provide a path to save final stage payload
      -i INPUT, --input INPUT
                            Provide a base64 encoded string in the command line
      -f FILE, --file FILE  Provide a path to a file that contains a base64
                            encoded string

## Usage Example

The following will accept an input file containing the base64 encoded string and output the first and second stage to disk:

    ./powershell_meterpreter_extractor.py -f -o

The following will accept a base64 string passed as a cmd line arg and output text to terminal:

    ./powershell_meterpreter_extractor.py -i

## History

Version 1.0 - Initial release

## Author

Adam Nadrowski (anadrowski@carbonblack.com)

Jared Myers (jmyers@carbonblack.com)

## License

The MIT License (MIT)

Copyright (c) 2018 Carbon Black
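The README above describes a two-layer encoding: a base64 string that decodes to UTF-16LE PowerShell (stage 1), whose first quoted string is base64 of a gzip stream holding the stage 2 script, which in turn carries the shellcode in a `FromBase64String("...")` call. The added example below (not the repository's extractor) unwraps both layers, applies the same printable-string C2 heuristic, and includes a `wrap_stages` helper that builds a constructed input from placeholder scripts so the unwrapping can be tested offline; it decodes stage 1 as explicit little-endian UTF-16, and the placeholder blob and "c2" string are made up.

```python
import base64
import gzip
import re
from typing import List, Tuple


def unwrap_stages(b64_string: str) -> Tuple[str, str]:
    """Undo the two encoding layers.

    Stage 1 is base64 over UTF-16LE PowerShell (the -EncodedCommand form); the
    first double-quoted string inside it is base64 of a gzip stream whose
    contents are the stage 2 script.
    """
    pad = len(b64_string) % 4
    if pad:                      # same handling as the tool: drop a malformed tail
        b64_string = b64_string[:-pad]
    stage1 = base64.b64decode(b64_string).decode("utf-16-le")
    inner_b64 = stage1.split('"')[1]
    stage2 = gzip.decompress(base64.b64decode(inner_b64)).decode("utf-8", errors="replace")
    return stage1, stage2


def potential_c2(stage2: str) -> List[str]:
    """Decode the FromBase64String("...") blob in stage 2 and return printable
    runs of 8+ chars found after the first 200 bytes, as the tool's heuristic does."""
    m = re.search(r'frombase64string\("([A-Za-z0-9+/=]+)"\)', stage2, re.IGNORECASE)
    if not m:
        return []
    blob = base64.b64decode(m.group(1))
    return [s.decode("ascii") for s in re.findall(rb'[a-zA-Z0-9.]{8,}', blob[200:])]


def wrap_stages(stage2: str) -> str:
    """Build a constructed input in the same layered encoding, for testing only.
    Both stages are placeholder text, not a working loader."""
    inner_b64 = base64.b64encode(gzip.compress(stage2.encode("utf-8"))).decode("ascii")
    stage1 = 'Write-Output "%s"' % inner_b64      # placeholder stage 1 quoting the gzip blob
    return base64.b64encode(stage1.encode("utf-16-le")).decode("ascii")


# Constructed placeholder "shellcode": 200 bytes of padding, then a marker string
# in the region the heuristic scans; constructed.c2.invalid is not a real host.
SHELLCODE_PLACEHOLDER = b'\x00' * 200 + b'constructed.c2.invalid' + b'\x00' * 8
STAGE2_PLACEHOLDER = ('$b = [Convert]::FromBase64String("%s")\nWrite-Output $b.Length'
                      % base64.b64encode(SHELLCODE_PLACEHOLDER).decode("ascii"))
SAMPLE_INPUT = wrap_stages(STAGE2_PLACEHOLDER)


if __name__ == "__main__":
    first, second = unwrap_stages(SAMPLE_INPUT)
    print("[*] First Stage:\n\t" + first)
    print("[*] Second Stage:\n\t" + second)
    for host in potential_c2(second):
        print("\t[*] Potential C2: " + host)
```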
--------------------------------------------------------------------------------
/threat_hunting/powershell_meterpreter_extractor/powershell_meterpreter_extractor.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

import base64
import zlib
import argparse
import re
import os


def get_parser():
    parser = argparse.ArgumentParser()
    parser.add_argument('-o', '--output', type=str, help='Provide a path to save final stage payload')
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('-i', '--input', type=str, help='Provide a base64 encoded string in the command line')
    group.add_argument('-f', '--file', type=str, help='Provide a path to a file that contains a base64 encoded string')

    return parser


def enumerate_base64string(b):
    # locate the FromBase64String("...") call in the second stage, decode the
    # shellcode blob and print printable runs past the stub (potential C2)
    offset = b.lower().find("frombase64string(")
    if offset < 0:
        return 0
    b64_end_offset = b[offset + 18:].find('"')
    shellcode = base64.b64decode(b[offset + 18:offset + 18 + b64_end_offset])
    for z in re.findall(rb'[a-zA-Z0-9.]{8,}', shellcode[200:]):
        print("\t[*] Potential C2: " + z.decode('ascii'))


def save_file(file_path, data):
    if os.path.exists(file_path):
        while True:
            user_input = input("\n[!] File '" + file_path + "' already exists. Overwrite? (y|n): ").lower()
            if user_input in ("no", "n"):
                print("Quitting.")
                exit(0)
            elif user_input in ("yes", "y"):
                break
            else:
                print("[!] Invalid response.")

    with open(file_path, 'w') as fh:
        for line in data:
            fh.write("%s\n" % line)


def get_stages(b64_string):
    data_b64_mod = len(b64_string) % 4
    if data_b64_mod != 0:
        print("[!] Invalid base64 length. The original buffer will be truncated by %s bytes" % str(data_b64_mod))
        b64_string = b64_string[:-data_b64_mod]

    # NOTE this may raise an exception, but that's okay. Caller is handling it.
    # stage 1: the -EncodedCommand payload, base64 over UTF-16 PowerShell
    stage1 = base64.b64decode(b64_string).decode("utf-16") + "\n"
    # stage 2: the gzip-compressed, base64 encoded script quoted inside stage 1
    stage2 = zlib.decompress(base64.b64decode(stage1.split('"')[1]), 31).decode("utf-8", errors="replace")

    return stage1, stage2


def get_b64_string(args):
    b64_string = args.input

    if args.file:
        with open(args.file, "r") as fh:
            b64_string = fh.read().strip()

    return b64_string


def main():
    parser = get_parser()
    args = parser.parse_args()
    b64_string = get_b64_string(args)

    try:
        stage1, stage2 = get_stages(b64_string)
        if not args.output:
            print("\n[*] First Stage: \n\t" + stage1)
            print("\n[*] Second Stage: \n\t" + stage2)
            enumerate_base64string(stage2)
        else:
            save_file(args.output + "_first_stage.txt", [stage1])
            save_file(args.output + "_shellcode.txt", [stage2])
            print("\n[*] Saved stages to filesystem as: %s" % args.output)
            enumerate_base64string(stage2)
    except Exception as error:
        print(error)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/malware_specific/Sodinokibi/Sodinokibi_configparser.py:
--------------------------------------------------------------------------------
import sys
import os
import binascii
import struct
from Crypto.Cipher import ARC4
from hashlib import sha256
from zlib import crc32
import time
import pefile
''' [+]20 June 2019
[-]This script is intended to extract relevant configuration information from Sodinokibi Samples
[-]This script may need to be updated as variants are updated
[!]jmyers'''
__VERSION__ = '1.0'


def config_data(config_meta):
    global rc4_key
    global data_len
    rc4_key = config_meta[0:32]
    data_len = struct.unpack("
--------------------------------------------------------------------------------
/threat_hunting/png_extract/png_extract.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"   /* project precompiled header (assumed from the stdafx.* files in the tree) */
#include <windows.h>
#include <objidl.h>

#include <gdiplus.h>
#pragma comment(lib, "gdiplus.lib")

#include <stdio.h>

using namespace Gdiplus;

///////////////////////////////////

int
main( int argc, char* argv[] )
{
    DWORD                 offset = 0;
    ULONG_PTR             gdi    = NULL;
    GdiplusStartupInput   gi     = { 0 };
    GdiplusStartupOutput* go     = NULL;

    if ( argc != 3 )
    {
        printf( "usage: %s \n", argv[ 0 ] );
        return 1;
    }

    Status ret = GdiplusStartup( &gdi, &gi, NULL );

    if ( ret != Status::Ok )
    {
        printf( "Unable to initialize GdiplusStartup: %d\n", ret );
        return 1;
    }

    if ( !gdi )
    {
        printf( "Invalid GdiplusStartup token\n" );
        return 1;
    }

    /* extract from PE passed on command line */
    /* map the sample as a resource-only image so none of its code runs while we read its resources */

    HMODULE peh = LoadLibraryExA( argv[ 1 ], NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE );

    if ( !peh )
    {
        printf( "Unable to load %s: %d\n", argv[ 1 ], GetLastError() );
        return 1;
    }

    HANDLE hf = CreateFileA( argv[ 2 ], GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL );

    if ( hf == INVALID_HANDLE_VALUE )
    {
        printf( "Unable to create output file %s: %d\n", argv[ 2 ], GetLastError() );
        return 1;
    }

    /* loop over all png files */

    bool done  = false;
    int  index = 1;

    while ( !done )
    {
        HRSRC png = FindResourceA( peh, LPCSTR( MAKEINTRESOURCE( index ) ), "PNG" );

        if ( !png ) /* no more left */
            break;

        DWORD   sz   = SizeofResource( peh, png );
        HGLOBAL hpng = LoadResource( peh, png );

        if ( !hpng )
        {
            printf( "Could not load resource at index %d: %d\n", index, GetLastError() );
            break;
        }

        void*  raw = ( BYTE* )LockResource( hpng );
        HANDLE buf = GlobalAlloc( GMEM_MOVEABLE, sz );

        if ( !buf )
        {
            printf( "Could not allocate via GlobalAlloc: %d\n", GetLastError() );
            break;
        }

        void* pbuf = GlobalLock( buf );

        CopyMemory( pbuf, raw, sz );
        GlobalUnlock( buf );

        IStream* stream = NULL;

        if ( CreateStreamOnHGlobal( buf, FALSE, &stream ) != S_OK )
        {
            printf( "Could not create stream: %d\n", GetLastError() );
            break;
        }

        Bitmap bm( stream, false );
        stream->Release();

        /* NOTE: PixelFormat16bppARGB1555 == 0x61007 as seen in malware */

        BitmapData* bdata = new BitmapData;

        /* NOTE: malware specified 0x7 which == ImageLockModeRead | ImageLockModeWrite | ImageLockModeUserInputBuf, but this blows up, ImageLockModeRead works fine */

        Status lock_status = bm.LockBits( NULL, ImageLockModeRead, PixelFormat16bppARGB1555, bdata );

        if ( lock_status != Ok )
        {
            delete bdata;
            break;
        }

        /* Write the raw 16bpp pixel data; the dropper reads these bytes back as the embedded PE */
        /* NOTE: assumes Stride == Width * 2 (no row padding), as in the samples this was written against */

        UINT* pixels = ( UINT* )bdata->Scan0;

        DWORD written = 0;
        BOOL  err     = WriteFile( hf, pixels, bdata->Height * bdata->Width * 2, &written, NULL ); /* x2 is for 16bpp */

        if ( !err )
            printf( "WriteFile failed at index %d: %d\n", index, GetLastError() );

        bm.UnlockBits( bdata );
        delete bdata;

        index++;
    }

    CloseHandle( hf );

    GdiplusShutdown( gdi );

    return 0;
}
--------------------------------------------------------------------------------
/threat_hunting/CB-Command_R/README.md:
--------------------------------------------------------------------------------
    ________ _____ __ ___
    / ___/ _ )____/ ___/__ __ _ __ _ ___ ____ ___/ / / _ \
    / /__/ _ /___/ /__/ _ \/ ' \/ ' \/ _ `/ _ \/ _ / / , _/
    \___/____/ \___/\___/_/_/_/_/_/_/\_,_/_//_/\_,_/__/_/|_|
    /___/

### Carbon Black Response - Mass Command Line Data Extractor

Multithreaded large-scale Carbon Black Response Command Line Data Extraction

## Installation

This script is meant to run with Python version 2, however it can work with Python v3 with some simple modifications.
First things first, install the requirements:

    $ pip install -r requirements.txt

Modify config.py to include your Carbon Black Response domain and associated API key.

This setting allows for multiple configurations - just make sure the one you would like to use is placed within the 'active' section.

## Execution

Run the script with -h or --help to view the help options:

    usage: cb-command_r.py [-h] [-q QUERY] [-t THREADS] [-r ROWS] [-s START] [-f FILENAME]
    optional arguments:
      -h, --help            show this help message and exit
      -q QUERY, --query QUERY
                            Carbon Black Response Query
                            Default: (process_name:cmd.exe)
      -t THREADS, --threads THREADS
                            Number of simultaneous threads
                            Default: 25
      -r ROWS, --rows ROWS
                            Rows per thread (USE MULTIPLES OF 10!)
                            Default: 1000
      -s START, --start START
                            Select the starting row
                            Default: 0
      -f FILENAME, --filename FILENAME
                            Output results
                            Default: commands.txt

Running the script with no options will use the defaults described above; each can be customized to fit the number of results you are pulling. Below is more information on each flag:

##### -q | --query:

Defines the Carbon Black Response formatted query whose associated command line parameters you would like to collect. This will work with any process, but some recommended ones are:

    process_name:cmd.exe (default)
    process_name:powershell.exe
    process_name:bash
    process_name:sh

##### -t | --threads:

Defines the number of simultaneous threads you would like to run. You should aim to keep this below 50 to avoid running into issues with storing large amounts of data in memory.

Default value: 25

If you choose to run this script with 1 thread, this will make only a single API call for the command line arguments.
##### -r | --rows:

Defines the number of rows to pull back per thread. These must be defined in increments of 10, due to how multithreading is configured in this script.

The absolute maximum you can query from a single thread is 10,000

Available options:

    1, 10, 100, 1000, 10000

Default value: 1000

##### -s | --start:

Defines the starting row the script will begin searching over. Default is 1, but can be adjusted to start from wherever you left off after a prior request

Default value: 1

##### -f | --filename:

Defines where you would like to save the output of the script.

Default value: commands.txt

### Author

gfoss[at]carbonblack.com

March, 2019

### Example

Help Menu:

![cb-command_r_1](https://user-images.githubusercontent.com/727732/53764619-07939700-3e8b-11e9-8fc4-b8c5dae7cd07.png)

Query Execution:

![cb-command_r_2](https://user-images.githubusercontent.com/727732/53764627-0bbfb480-3e8b-11e9-90bd-b620ca452b91.png)
--------------------------------------------------------------------------------
/remediation/HiveNightMare/HiveN­ightmare.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This detects and mitigates if systems are vulnerable to CVE-2021-36934 HiveNightmare
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

.DESCRIPTION
This script will identify if a machine has unprivileged user access to system32\config files
and deletes volume shadow copies of the system drive


.PARAMETER mitigate
The parameter mitigate is used to apply the recommended mitigations.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
1. Applies inheritance permissions to system32\config\
2. Deletes all shadow copies of the system drive

.EXAMPLE
The example below mitigates the system if vulnerable to CVE-2021-36934 HiveNightmare. Requires running as Admin
PS C:\> ./HiveNightmare.ps1 -mitigate

.EXAMPLE
The example below checks if the system is vulnerable to CVE-2021-36934 HiveNightmare
PS C:\> ./HiveNightmare.ps1

.NOTES
Author: Ed Myers & Casey Parman
Last Edit: 2021-07-21
Version 1.0 - initial release
Copyright VMware 2021
#>
param
(
    [switch]$mitigate
)

#Mitigation
function Mitigation()
{
    $acl = Get-Acl $env:windir\system32\config\sam
    if ($acl.Access.IdentityReference -ccontains "BUILTIN\Users")
    {
        Write-Host "Updating folder permissions for $env:windir\system32\config"
        & icacls $env:windir\system32\config\*.* /inheritance:e
        if ($?) {
            Write-Host -ForegroundColor Green "Successfully Updated folder permissions for $env:windir\system32\config"
        }
        Else {
            Write-Host -ForegroundColor Red "Error Updating folder permissions for $env:windir\system32\config"
            return
        }
    } Else
    {
        Write-Host -ForegroundColor Green "-------------------------"
        Write-Host -ForegroundColor Green "--System Not Vulnerable--"
        Write-Host -ForegroundColor Green "-------------------------"
        return
    }
    #Get Volume information
    $Volume = (Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '$env:systemdrive'").DeviceID
    ##Delete VSS
    Get-WmiObject Win32_ShadowCopy | ForEach-Object {
        if ($_.VolumeName -eq $Volume)
        {
            Write-Host "Deleting Volume Shadow Copies of System Drive"
            $_.Delete()
        }
    }
    Write-Host -ForegroundColor Green "--------------------"
    Write-Host -ForegroundColor Green "--System Mitigated--"
    Write-Host -ForegroundColor Green "--------------------"
    $WarningMsg = @'
Warning: Running this mitigation script will remove all SystemDrive shadow copies. This will prevent restoration - the backups are deleted. It is recommended to run a command like this to create a fresh, properly permissioned shadow copy following mitigation: (gwmi -list win32_shadowcopy).Create("$env:systemdrive\",'ClientAccessible')
'@
    Write-Host -ForegroundColor Yellow $WarningMsg
}

If (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
    Write-Host -ForegroundColor Red "Run in elevated prompt"
    return
}

$acl = Get-Acl $env:windir\system32\config\sam
if ($acl.Access.IdentityReference -ccontains "BUILTIN\Users")
{
    Write-Host -ForegroundColor Red "---------------------"
    Write-Host -ForegroundColor Red "--System Vulnerable--"
    Write-Host -ForegroundColor Red "---------------------"
} Else
{
    Write-Host -ForegroundColor Green "-------------------------"
    Write-Host -ForegroundColor Green "--System Not Vulnerable--"
    Write-Host -ForegroundColor Green "-------------------------"
    return
}
If ($mitigate)
{
    Mitigation
}
--------------------------------------------------------------------------------
/ThreatHunter-Watchlist-Manager/README.md:
--------------------------------------------------------------------------------
## ThreatHunter Watchlist Manager

Manage custom watchlists across multiple environments

Convert ThreatHunter Queries

Delete Watchlists and Feeds


### Watchlist Management

Watchlists are in YAML format and can be managed by the associated folder structure. Lines 43 - 52 of watchlist-manager.py can be modified as necessary to create a watchlist. Additional lines can be added as needed.

    # ====================================================================================================
    # Custom Watchlist
    # ====================================================================================================
    if watchlist_name == "custom":
        yml_path = './watchlists/example/'
        feed_name = "Custom Watchlist"
        provider_url = "https://carbonblack.com"
        feed_summary = "Custom Threat Detections"
        feed_category = "Custom"
        feed_id_name = "custom_report"

Create new watchlist entries and store them under the associated 'yml_path' folder. Feel free to rename any of these variables / folders. Each entry is a separate YAML file (.yml / .yaml). Use a separate folder for each watchlist grouping.


### Script Usage

Requires CBAPI configured to work with ThreatHunter: https://cbapi.readthedocs.io/en/latest/threathunter-api.html

Install python3 requirements:

    pip3 install -r requirements.txt

Parse ThreatHunter YAMLs and Create / Update Watchlists:

    watchlist-manager.py [-h] [-o ORGKEY] [-p ORGPROFILE] [-w WATCHLIST_NAME] [-c CBR_QUERY] [-d DELETE_QUERY]

    optional arguments:
      -h, --help            show this help message and exit
      -p ORGPROFILE, --profile ORGPROFILE
                            Select your cbapi credential profile
      -w WATCHLIST_NAME, --watchlist WATCHLIST_NAME
                            Watchlist to create. Options: [customizable...]
      -c CBR_QUERY, --convert CBR_QUERY
                            Convert CB Response query to ThreatHunter format. Eg: (-c )
      -d DELETE_QUERY, --delete DELETE_QUERY
                            Delete a watchlist via query. Eg: (-d )


### Examples

Create Watchlist:

    python3 watchlist-manager.py -p -w

Delete Watchlist:

    python3 watchlist-manager.py -p -d

Convert Query:

    python3 watchlist-manager.py -p -c ''

To update a watchlist, you must first delete it and then re-create it.


### YAML Format

Each watchlist entry is a separate YAML file in somewhat-sigma format with a yaml/yml file extension. Refer to the example.yml and below.

    ---
    author: You
    detection: 'Rule Name'
    industry: 'Is this industry-specific? Default: all'
    link: 'Supporting links'
    notes: 'Notes that are not visible in the CB Cloud Interface'
    tags:
      - exploitation
      - T(MITRE technique)
      - windows
      - advancedthreats
      - attack
      - attackframework
    type: Custom
    description: "Description of the rule...
      can be multiple lines"
    false positives: 'Describe the false-positive ratio observed in testing'
    queries:
      attack test(s): Link to any tests that simulate and validate the rule
      comment: Comments that are not displayed within CB Cloud Interface
      guid: Generate via uuidgen on MacOS / Linux
      query: ThreatHunter query
      title: Rule Title
      supported platform(s): windows
      threat: 'Choose a rating between 1-10'
      query id: custom_unique_identification
    ...
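A malformed entry in the layout above only fails once watchlist-manager.py pushes it to the API (or, worse, creates a report whose query never matches). The following is an added example, not part of watchlist-manager.py: a pre-flight validator for one entry, given as the dict that `yaml.safe_load()` returns for a file in that layout. The required-field lists, the accepted platform names and the sample entries are assumptions made for the example.

```python
# Added example (not part of the repository): validate one watchlist entry
# before it is turned into a ThreatHunter report. Field names follow the YAML
# template in this README; which fields are required is an assumption here.
import re
import uuid

REQUIRED_TOP = ("author", "detection", "tags", "type", "description", "queries")
REQUIRED_QUERY = ("guid", "query", "title", "threat", "query id")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")   # MITRE ATT&CK technique id, e.g. T1059.001
KNOWN_PLATFORMS = {"windows", "mac", "linux"}        # assumption: platforms a rule may name


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    for key in REQUIRED_TOP:
        if key not in entry:
            problems.append("missing top-level field: %s" % key)

    tags = entry.get("tags") or []
    if not isinstance(tags, list):
        problems.append("tags must be a list")
    elif not any(isinstance(t, str) and TECHNIQUE_RE.match(t) for t in tags):
        problems.append("tags carry no MITRE technique id (e.g. T1059)")

    q = entry.get("queries")
    if not isinstance(q, dict):
        problems.append("queries must be a mapping")
        return problems                      # nothing below can be checked
    for key in REQUIRED_QUERY:
        if key not in q:
            problems.append("missing queries field: %s" % key)

    guid = q.get("guid")
    if guid is not None:
        try:
            uuid.UUID(str(guid))             # accepts the uuidgen output the template asks for
        except ValueError:
            problems.append("guid is not a valid UUID: %r" % (guid,))

    threat = q.get("threat")
    if threat is not None:
        try:
            rating = int(threat)
        except (TypeError, ValueError):
            rating = None
        if rating is None or not 1 <= rating <= 10:
            problems.append("threat must be a rating between 1 and 10, got %r" % (threat,))

    if not str(q.get("query") or "").strip():
        problems.append("query is empty")

    platforms = q.get("supported platform(s)")
    if platforms is not None:
        names = platforms if isinstance(platforms, list) else [platforms]
        unknown = [p for p in names if str(p).lower() not in KNOWN_PLATFORMS]
        if unknown:
            problems.append("unknown platform(s): %r" % (unknown,))
    return problems


# Constructed sample entries (not real rules), in the shape the template parses to.
GOOD_ENTRY = {
    "author": "You",
    "detection": "Encoded PowerShell Command Line",
    "tags": ["exploitation", "T1059.001", "windows"],
    "type": "Custom",
    "description": "PowerShell launched with an encoded command line",
    "false positives": "Some administrative tooling",
    "queries": {
        "guid": "7f4d6d1e-5f2a-4d7c-9d0b-0e0c8a4b1c22",   # constructed placeholder id
        "query": "process_name:powershell.exe AND process_cmdline:-enc",
        "title": "Encoded PowerShell",
        "supported platform(s)": "windows",
        "threat": 6,
        "query id": "custom_encoded_ps",
    },
}

BAD_ENTRY = {
    "author": "You",
    "detection": "Broken Rule",
    "tags": ["windows"],                      # no technique id
    "type": "Custom",
    "description": "Shows the checks firing",
    "queries": {
        "guid": "not-a-uuid",
        "query": "",
        "title": "Broken",
        "supported platform(s)": "solaris",
        "threat": 11,
        "query id": "custom_broken",
    },
}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, validate_entry(entry) or "ok")
```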

--------------------------------------------------------------------------------
/threat_hunting/IOCs/shlayer/domain-iocs.txt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/remediation/EternalDarkness/README.md:
--------------------------------------------------------------------------------
# EternalDarkness CVE-2020-0796 Mitigation

## References
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

## Summary
This vulnerability allows an unauthenticated attacker to exploit a vulnerable SMBv3 server by sending it a specially crafted packet. Similarly, if an attacker can convince or trick a user into connecting to a malicious SMBv3 server, the user's SMB3 client can also be exploited. Whether it is the server or the client that is exploited, success grants the attacker the ability to execute arbitrary code.

In addition to disabling SMB compression on an impacted server, Microsoft advised blocking any inbound or outbound traffic on TCP port 445 at the perimeter firewall. Additionally, the Computer Emergency Response Team Coordination Center (CERT/CC) advised that organizations should verify that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN.

While these workarounds will prevent external exploitation of the SMBv3 server, it is important to note that the SMBv3 client will remain vulnerable until a patch is available and applied. Microsoft has confirmed that there is no evidence to suggest that the vulnerability has been exploited as of yet, that no mitigating factors have been identified, and that no update to fix it is currently available.


## Description

This script detects, and optionally mitigates, systems that are vulnerable to CVE-2020-0796 EternalDarkness.

It checks the OS version and whether any shares are enabled. If the OS version matches and shares are enabled, it reads HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression to determine whether the host is vulnerable.

If the host is vulnerable and -mitigate is used, it sets DisableCompression to 1.

## Instructions

Usage:

Checking if device is vulnerable to EternalDarkness
```Powershell
EternalDarkness.ps1
```

Mitigating systems that are vulnerable to EternalDarkness
```Powershell
EternalDarkness.ps1 -mitigate
```

## Example

```Powershell
PS C:\> .\EternalDarkness.ps1
-----------------
--Patch Missing--
-----------------
--------------
--Vulnerable--
--------------------------------
mitigate with -mitigate argument
--------------------------------
PS C:\> .\EternalDarkness -mitigate
-----------------
--Patch Missing--
-----------------
Run in elevated prompt
```
Elevated Prompt:
```Powershell
PS C:\> .\EternalDarkness.ps1 -mitigate
-----------------
--Patch Missing--
-----------------
--------------------
--System Mitigated--
--------------------
PS C:\> .\EternalDarkness.ps1
-----------------
--Patch Missing--
-----------------
------------------
--Not Vulnerable--
------------------
```


## Live Response Wrapper

The EternalDarkness-LR.py script is a wrapper for executing the EternalDarkness.ps1 script remotely via the VMware Carbon Black Cloud API.
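Both Live Response wrappers in this repository (EternalDarkness-LR.py and HiveNightmare-LR.py) only echo the remote script's output, which is fine for one host but not for a fleet. The following is an added example, not part of the repository: it parses the banner lines the two scripts print (copied from the transcript above and from HiveNightmare.ps1) into a per-host verdict and groups hosts by the action still needed. The hostnames and their outputs are constructed.

```python
# Added example (not part of the repository): turn the banner output of
# EternalDarkness.ps1 / HiveNightmare.ps1, as returned over Live Response,
# into a per-host verdict. Banner strings are the ones the scripts print.
from collections import defaultdict

# Exact banner line -> status flag. "--Not Vulnerable--" contains the word
# "Vulnerable", so lines are compared whole, never by substring.
_BANNERS = {
    "--Patch Missing--": "patch_missing",
    "--Vulnerable--": "vulnerable",                    # EternalDarkness.ps1
    "--System Vulnerable--": "vulnerable",             # HiveNightmare.ps1
    "--Not Vulnerable--": "not_vulnerable",
    "--System Not Vulnerable--": "not_vulnerable",
    "--System Mitigated--": "mitigated",
    "Run in elevated prompt": "needs_elevation",
}


def parse_banner_output(text):
    """Return the set of status flags found in one script run's output."""
    flags = set()
    for raw in (text or "").splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                                   # blank or "-----" separator line
        if line in _BANNERS:
            flags.add(_BANNERS[line])
    return flags


def verdict(flags):
    """Collapse one run's flags into the action an operator still has to take."""
    if "needs_elevation" in flags:
        return "rerun-elevated"                        # script refused to mitigate
    if "mitigated" in flags:
        return "mitigated"
    if "vulnerable" in flags:
        return "mitigate"                              # check-only run, host still exposed
    if "not_vulnerable" in flags:
        return "ok"
    return "unknown"                                   # no verdict: sensor offline, timeout, error


def triage(results):
    """Group {hostname: raw script output} into {verdict: sorted hostnames}."""
    groups = defaultdict(list)
    for host, text in results.items():
        groups[verdict(parse_banner_output(text))].append(host)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample outputs, modelled on the README transcripts above.
SAMPLE_RESULTS = {
    "ws-01": ("-----------------\n--Patch Missing--\n-----------------\n"
              "--------------\n--Vulnerable--\n--------------\n"
              "--------------------------------\nmitigate with -mitigate argument\n"
              "--------------------------------\n"),
    "ws-02": "-----------------\n--Patch Missing--\n-----------------\nRun in elevated prompt\n",
    "ws-03": ("-----------------\n--Patch Missing--\n-----------------\n"
              "--------------------\n--System Mitigated--\n--------------------\n"),
    "ws-04": "------------------\n--Not Vulnerable--\n------------------\n",
    "ws-05": "",                                        # e.g. Live Response timed out
    "dc-01": "---------------------\n--System Vulnerable--\n---------------------\n",  # HiveNightmare.ps1
}

if __name__ == "__main__":
    for action, hosts in sorted(triage(SAMPLE_RESULTS).items()):
        print("%-15s %s" % (action, ", ".join(hosts)))
```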

Usage:
```PowerShell
EternalDarkness-LR.py [-h] [-m MACHINENAME] [-c] [-p] [-o ORGPROFILE]

optional arguments:
  -h, --help            show this help message and exit
  -m MACHINENAME, --machinename MACHINENAME
                        machinename to run host forensics recon on
  -c, --check           Check the system for the vulnerable SMBv3
                        Configuration
  -p, --patch           Mitigate the vulnerable system SMBv3 configuration
                        by disabling compression
  -o ORGPROFILE, --orgprofile ORGPROFILE
                        Select your cbapi credential profile
```

## Example

Checking for vulnerable SMBv3 configuration:
```PowerShell
$ python3 EternalDarkness-LR.py -m -c -o
```

Mitigating vulnerable SMBv3 configuration:
```PowerShell
$ python3 EternalDarkness-LR.py -m -p -o
```

This script is compatible with the full VMware Carbon Black Cloud API and requires the Python cbapi module.
--------------------------------------------------------------------------------
/remediation/HiveNightMare/HiveNightmare-LR.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Carbon Black Cloud - HiveNightmare LiveResponse
# Copyright VMware 2021
# Ed Myers & Casey Parman
# usage: HiveNightmare-LR.py [-h] [--hostname HOSTNAME] [--check] [--mitigate] [--orgprofile ORGPROFILE]
#
# optional arguments:
#   -h, --help            show this help message and exit
#   --hostname HOSTNAME   hostname to run host forensics recon on
#   --check               Check the system for the vulnerable system32\config files
#   --mitigate            Mitigate the vulnerable system's system32\config files
#   --orgprofile ORGPROFILE
#                         Select your cbapi credential profile

import argparse
from cbapi.defense import CbDefenseAPI, Device

def live_response(cb, host=None, response=None):

    print("")

    # Select the device you want to gather recon data from
    query_hostname = "hostNameExact:%s" % host
    print("[ * ] Establishing LiveResponse Session with Remote Host:")

    # Create a new device object to launch LR on
    device = cb.select(Device).where(query_hostname).first()
    if device is None:
        print("[ ! ] No device found with hostname: {}".format(host))
        return
    print(" - Hostname: {}".format(device.name))
    print(" - OS Version: {}".format(device.osVersion))
    print(" - Sensor Version: {}".format(device.sensorVersion))
    print(" - AntiVirus Status: {}".format(device.avStatus))
    print(" - Internal IP Address: {}".format(device.lastInternalIpAddress))
    print(" - External IP Address: {}".format(device.lastExternalIpAddress))
    print("")

    # Execute our LR session
    with device.lr_session() as lr_session:
        print("[ * ] Uploading HiveNightmare.ps1 to the remote host")
        with open("HiveNightmare.ps1", "rb") as script:
            lr_session.put_file(script, "C:\\Program Files\\Confer\\temp\\HiveNightmare.ps1")

        if response == "patch":
            print("[ * ] Mitigating the vulnerable system32\\config files:")
            result = lr_session.create_process("powershell.exe -ExecutionPolicy Bypass -File .\\HiveNightmare.ps1 -mitigate",
                                               wait_for_output=True, remote_output_file_name=None,
                                               working_directory="C:\\Program Files\\Confer\\temp\\",
                                               wait_timeout=30, wait_for_completion=True).decode("utf-8")
            print("")
            print("{}".format(result))
        else:
            print("[ * ] Checking the system for vulnerable system32\\config files:")
            result = lr_session.create_process("powershell.exe -ExecutionPolicy Bypass -File .\\HiveNightmare.ps1",
                                               wait_for_output=True, remote_output_file_name=None,
                                               working_directory="C:\\Program Files\\Confer\\temp\\",
                                               wait_timeout=30, wait_for_completion=True).decode("utf-8")
            print("")
            print("{}".format(result))

        # Remove the uploaded script; no need to wait for the delete to finish
        print("[ * ] Removing HiveNightmare.ps1")
        lr_session.create_process("powershell.exe del .\\HiveNightmare.ps1", wait_for_output=False, remote_output_file_name=None,
                                  working_directory="C:\\Program Files\\Confer\\temp\\", wait_timeout=30, wait_for_completion=False)
        print("")

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--hostname", help = "hostname to run host forensics recon on")
    parser.add_argument("--check", help = "Check the system for the vulnerable system32\\config files", action = "store_true")
    parser.add_argument("--mitigate", help = "Mitigate the vulnerable system's system32\\config files", action = "store_true")
    parser.add_argument('--orgprofile', help = "Select your cbapi credential profile", dest = "orgprofile", default = "default")
    args = parser.parse_args()

    # Create the CbD LR API object from the named cbapi credential profile
    # (url, token, org key and ssl_verify all come from the profile)
    cb = CbDefenseAPI(profile="{}".format(args.orgprofile))

    if args.hostname:
        if args.mitigate:
            live_response(cb, host=args.hostname, response="patch")
        else:
            live_response(cb, host=args.hostname, response="check")
    else:
        print("[ ! ] You must specify a hostname with a --hostname parameter. IE ./HiveNightmare-LR.py --hostname cheese")

if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/remediation/MS-ADV200006/MS-ADV200006.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Carbon Black Cloud - MS-ADV200006 LiveResponse
# Copyright VMware 2020
# March 2020
# Version 0.1
# gfoss [at] vmware . com
#
# usage: MS-ADV200006.py [-h] [-m MACHINENAME] [-c] [-p] [-o ORGPROFILE]
#
# optional arguments:
#   -h, --help            show this help message and exit
#   -m MACHINENAME, --machinename MACHINENAME
#                         machinename to run host forensics recon on
#   -c, --check           Check the system for the vulnerable SMBv3
#                         Configuration
#   -p, --patch           Mitigate the vulnerable system's SMBv3 configuration
#                         by disabling compression
#   -o ORGPROFILE, --orgprofile ORGPROFILE
#                         Select your cbapi credential profile

import argparse
from cbapi.defense import CbDefenseAPI, Device

def live_response(cb, host=None, response=None):

    print("")

    # Select the device you want to gather recon data from
    query_hostname = "hostNameExact:%s" % host
    print("[ * ] Establishing LiveResponse Session with Remote Host:")

    # Create a new device object to launch LR on
    device = cb.select(Device).where(query_hostname).first()
    if device is None:
        print("[ ! ] No device found with hostname: {}".format(host))
        return
    print(" - Hostname: {}".format(device.name))
    print(" - OS Version: {}".format(device.osVersion))
    print(" - Sensor Version: {}".format(device.sensorVersion))
    print(" - AntiVirus Status: {}".format(device.avStatus))
    print(" - Internal IP Address: {}".format(device.lastInternalIpAddress))
    print(" - External IP Address: {}".format(device.lastExternalIpAddress))
    print("")

    # Execute our LR session
    with device.lr_session() as lr_session:
        print("[ * ] Uploading MS-ADV200006.ps1 to the remote host")
        with open("MS-ADV200006.ps1", "rb") as script:
            lr_session.put_file(script, "C:\\Program Files\\Confer\\temp\\MS-ADV200006.ps1")

        if response == "patch":
            print("[ * ] Patching the vulnerable SMBv3 configuration by disabling compression:")
            result = lr_session.create_process("powershell.exe -ExecutionPolicy Bypass -File .\\MS-ADV200006.ps1 -mitigate",
                                               wait_for_output=True, remote_output_file_name=None,
                                               working_directory="C:\\Program Files\\Confer\\temp\\",
                                               wait_timeout=30, wait_for_completion=True).decode("utf-8")
            print("")
            print("{}".format(result))
        else:
            print("[ * ] Checking the system for vulnerable SMBv3 configuration:")
            result = lr_session.create_process("powershell.exe -ExecutionPolicy Bypass -File .\\MS-ADV200006.ps1",
                                               wait_for_output=True, remote_output_file_name=None,
                                               working_directory="C:\\Program Files\\Confer\\temp\\",
                                               wait_timeout=30, wait_for_completion=True).decode("utf-8")
            print("")
            print("{}".format(result))

        # Remove the uploaded script; no need to wait for the delete to finish
        print("[ * ] Removing MS-ADV200006.ps1")
        lr_session.create_process("powershell.exe del .\\MS-ADV200006.ps1", wait_for_output=False, remote_output_file_name=None,
                                  working_directory="C:\\Program Files\\Confer\\temp\\", wait_timeout=30, wait_for_completion=False)
        print("")

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-m", "--machinename", help = "machinename to run host forensics recon on")
    parser.add_argument("-c", "--check", help = "Check the system for the vulnerable SMBv3 Configuration", action = "store_true")
    parser.add_argument("-p", "--patch", help = "Mitigate the vulnerable system's SMBv3 configuration by disabling compression", action = "store_true")
    parser.add_argument('-o', '--orgprofile', help = "Select your cbapi credential profile", dest = "orgprofile", default = "default")
    args = parser.parse_args()

    # Create the CbD LR API object from the named cbapi credential profile
    # (url, token, org key and ssl_verify all come from the profile)
    cb = CbDefenseAPI(profile="{}".format(args.orgprofile))

    if args.machinename:
        if args.patch:
            live_response(cb, host=args.machinename, response="patch")
        else:
            live_response(cb, host=args.machinename, response="check")
    else:
        print("[ ! ] You must specify a machinename with a --machinename parameter. IE ./MS-ADV200006.py --machinename cheese")

if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/remediation/EternalDarkness/EternalDarkness-LR.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Carbon Black Cloud - EternalDarkness LiveResponse
# Copyright VMware 2020
# March 2020
# Version 0.1
# gfoss [at] vmware . com
#
# usage: EternalDarkness-LR.py [-h] [-m MACHINENAME] [-c] [-p] [-o ORGPROFILE]
#
# optional arguments:
#   -h, --help            show this help message and exit
#   -m MACHINENAME, --machinename MACHINENAME
#                         machinename to run host forensics recon on
#   -c, --check           Check the system for the vulnerable SMBv3
#                         Configuration
#   -p, --patch           Mitigate the vulnerable system's SMBv3 configuration
#                         by disabling compression
#   -o ORGPROFILE, --orgprofile ORGPROFILE
#                         Select your cbapi credential profile

import argparse
from cbapi.defense import CbDefenseAPI, Device

def live_response(cb, host=None, response=None):

    print("")

    # Select the device you want to gather recon data from
    query_hostname = "hostNameExact:%s" % host
    print("[ * ] Establishing LiveResponse Session with Remote Host:")

    # Create a new device object to launch LR on
    device = cb.select(Device).where(query_hostname).first()
    if device is None:
        print("[ ! ] No device found with hostname: {}".format(host))
        return
    print(" - Hostname: {}".format(device.name))
    print(" - OS Version: {}".format(device.osVersion))
    print(" - Sensor Version: {}".format(device.sensorVersion))
    print(" - AntiVirus Status: {}".format(device.avStatus))
    print(" - Internal IP Address: {}".format(device.lastInternalIpAddress))
    print(" - External IP Address: {}".format(device.lastExternalIpAddress))
    print("")

    # Execute our LR session
    with device.lr_session() as lr_session:
        print("[ * ] Uploading EternalDarkness.ps1 to the remote host")
        with open("EternalDarkness.ps1", "rb") as script:
            lr_session.put_file(script, "C:\\Program Files\\Confer\\temp\\EternalDarkness.ps1")

        if response == "patch":
            print("[ * ] Patching the vulnerable SMBv3 configuration by disabling compression:")
            result = lr_session.create_process("powershell.exe -ExecutionPolicy Bypass -File .\\EternalDarkness.ps1 -mitigate",
                                               wait_for_output=True, remote_output_file_name=None,
                                               working_directory="C:\\Program Files\\Confer\\temp\\",
                                               wait_timeout=30, wait_for_completion=True).decode("utf-8")
            print("")
            print("{}".format(result))
        else:
            print("[ * ] Checking the system for vulnerable SMBv3 configuration:")
            result = lr_session.create_process("powershell.exe -ExecutionPolicy Bypass -File .\\EternalDarkness.ps1",
                                               wait_for_output=True, remote_output_file_name=None,
                                               working_directory="C:\\Program Files\\Confer\\temp\\",
                                               wait_timeout=30, wait_for_completion=True).decode("utf-8")
            print("")
            print("{}".format(result))

        # Remove the uploaded script; no need to wait for the delete to finish
        print("[ * ] Removing EternalDarkness.ps1")
        lr_session.create_process("powershell.exe del .\\EternalDarkness.ps1", wait_for_output=False, remote_output_file_name=None,
                                  working_directory="C:\\Program Files\\Confer\\temp\\", wait_timeout=30, wait_for_completion=False)
        print("")

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-m", "--machinename", help = "machinename to run host forensics recon on")
    parser.add_argument("-c", "--check", help = "Check the system for the vulnerable SMBv3 Configuration", action = "store_true")
    parser.add_argument("-p", "--patch", help = "Mitigate the vulnerable system's SMBv3 configuration by disabling compression", action = "store_true")
    parser.add_argument('-o', '--orgprofile', help = "Select your cbapi credential profile", dest = "orgprofile", default = "default")
    args = parser.parse_args()

    # Create the CbD LR API object from the named cbapi credential profile
    # (url, token, org key and ssl_verify all come from the profile)
    cb = CbDefenseAPI(profile="{}".format(args.orgprofile))

    if args.machinename:
        if args.patch:
            live_response(cb, host=args.machinename, response="patch")
        else:
            live_response(cb, host=args.machinename, response="check")
    else:
        print("[ ! ] You must specify a machinename with a --machinename parameter. IE ./EternalDarkness-LR.py --machinename cheese")

if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/threat_hunting/CB-Command_R/cb-command_r.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# CB-Command_R
# Carbon Black Response - Mass Command Line Data Extractor
# gfoss[at]carbonblack.com
# March, 2019

import argparse, requests, threading
from config import active

global_lock = threading.Lock()
file_contents = []

def parse_all_things():
    parser = argparse.ArgumentParser(description = 'Multithreaded large-scale Carbon Black Response Command Line Data Extraction')
    parser.add_argument('-q', '--query', help = 'Carbon Black Response Query - Default: (process_name:cmd.exe)', default='process_name:cmd.exe', dest='query')
    parser.add_argument('-t', '--threads', help = 'Number of simultaneous threads - Default: 25', default=25, type=int, dest='threads')
    parser.add_argument('-r', '--rows', help = 'Rows per thread - Default: 1000', default=1000, type=int, dest='rows')
    parser.add_argument('-s', '--start', help = 'Select the starting row - Default: 0', default=0, type=int, dest='start')
    parser.add_argument('-f', '--filename', help = 'Output results - Default: commands.txt', default='commands.txt', dest='filename')
    #
    # usage: cb-command_r.py [-h] [-q QUERY] [-t THREADS] [-r ROWS] [-s START] [-f FILENAME]
    #
    # Multithreaded large-scale Carbon Black Response Commandline Data Extraction
    #
    # optional arguments:
    #   -h, --help            show this help message and exit
    #   -q QUERY, --query QUERY
    #                         Carbon Black Response Query
    #                         Default: (process_name:cmd.exe)
    #   -t THREADS, --threads THREADS
    #                         Number of simultaneous threads
    #                         Default: 25
    #   -r ROWS, --rows ROWS
    #                         Rows per thread
    #                         Default: 1000
    #   -s START, --start START
    #                         Select the starting row
    #                         Default: 0
    #   -f FILENAME, --filename FILENAME
    #                         Output results
    #                         Default: commands.txt
    #
    return parser

def extractor(parser, args, start_count):
    url = active['url']
    api_key = active['key']

    querystring = {"q": args.query, "rows": args.rows, "start": start_count}

    headers = { 'X-Auth-Token': api_key }

    # If you receive SSL certificate errors, add ", verify=False" to the below request
    response = requests.get(url, headers=headers, params=querystring)
    data = response.json()

    # The last page may hold fewer results than requested, so iterate over
    # what actually came back rather than over range(rows)
    cmdlines = [result['cmdline'] for result in data['results']]

    if args.threads > 1:
        # Serialise appends from the concurrent worker threads
        with global_lock:
            file_contents.extend(cmdlines)

    else:
        with open(args.filename, 'a', encoding='utf-8') as f:
            for cmdline in cmdlines:
                f.write(cmdline + '\n')

def main():

    print('''
   ________       _____                                  __   ___
  / ___/ _ )____/ ___/__  __ _  __ _  ___ ____  ___/ / / _ \\
 / /__/ _  /___/ /__/ _ \\/  \' \\/  \' \\/ _ `/ _ \\/ _  / / , _/
 \\___/____/    \\___/\\___/_/_/_/_/_/_/\\_,_/_//_/\\_,_/__/_/|_|
                                                   /___/
''')

    parser = parse_all_things()
    args = parser.parse_args()

    thread_count = args.threads
    start_count = args.start
    rows = args.rows

    if thread_count > 1:

        print('Extracting the last ' + str(thread_count * rows) + ' commands related to: ' + args.query)
        print('Running with ' + str(thread_count) + ' threads!')
        print('')

        threads = []
        for num in range(thread_count):
            # Each thread pulls one page of `rows` results, offset from the starting row
            page_start = start_count + num * rows
            print('Pulling ' + str(rows) + ' rows of command line data starting at row ' + str(page_start))
            t = threading.Thread(target=extractor, args=(parser, args, page_start,))
            threads.append(t)
            t.start()
        for t in threads:
            t.join()

        with open(args.filename, 'a+', encoding='utf-8') as file:
            file.write('\n'.join(file_contents) + '\n')

        print('')
        print('Writing output to ' + args.filename)
        print('')

    else:
        print("Making a single API request for " + str(rows) + " records...")
    extractor(parser, args, start_count)

    print ''
    print 'Writing output to ' + args.filename
    print ''

if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/threat_emulation/Invoke-APT29/README.MD:
--------------------------------------------------------------------------------
## Invoke-APT29

PowerShell framework for quick and easy simulation and cleanup of the known MITRE ATT&CK TIDs associated with APT29 (Cozy Bear).

#### About

Invoke-APT29 is an amalgamation of attack simulations specific to Cozy Bear that are included in the Atomic Red Team framework, along with various custom-developed and augmented attack tests.

| TID | Technique | Details |
| --- | --- | --- |
| T1015 | Accessibility Features | APT29 used sticky-keys to obtain unauthenticated, privileged console access |
| T1088 | Bypass User Account Control | APT29 has bypassed UAC |
| T1172 | Domain Fronting | APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic |
| T1203 | Exploitation for Client Execution | APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution |
| T1070 | Indicator Removal on Host | APT29 used SDelete to remove artifacts from victims |
| T1188 | Multi-hop Proxy | A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) |
| T1075 | Pass the Hash | APT29 used Kerberos ticket attacks for lateral movement |
| T1086 | PowerShell | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke and evade defenses |
| T1060 | Registry Run Keys / Startup Folder | APT29 added Registry Run keys to establish persistence |
| T1053 | Scheduled Task | APT29 used named and hijacked scheduled tasks to establish persistence |
| T1064 | Scripting | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses |
| T1045 | Software Packing | APT29 used UPX to pack files |
| T1193 | Spearphishing Attachment | APT29 has used spearphishing with an attachment to deliver files with exploits to initial victims |
| T1192 | Spearphishing Link | APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files |
| T1204 | User Execution | APT29 has used various forms of spearphishing attempting to get a user to open links or attachments |
| T1047 | Windows Management Instrumentation | APT29 used WMI to steal credentials and execute backdoors at a future time |
| T1084 | Windows Management Instrumentation Event Subscription | APT29 has used WMI event filters to establish persistence |
| T1114 | Email Collection | Collection from a local Outlook instance; APT29 collected and exfiltrated emails in the infamous DNC hack |
| T1043 | Commonly Used Port | APT29 has used Port Number 443 for C2 |
| T1027 | Obfuscated Files or Information | APT29 uses PowerShell to use Base64 for obfuscation |
| T1097 | Pass the Ticket | APT29 used Kerberos ticket attacks for lateral movement |
| T1085 | Rundll32 | APT29 has used rundll32.exe for execution |
| T1023 | Shortcut Modification | APT29 drops a Windows shortcut file for execution |
| T1095 | Standard Non-Application Layer Protocol | APT29 uses TCP for C2 communications |

#### Usage

Import the module:
PS C:\> Import-Module .\apt29.ps1

Show the help menu:
PS C:\> Invoke-APT29 -help

List all available simulation techniques, based on MITRE TIDs:
PS C:\> Invoke-APT29 -listTechniques

Search TIDs, attacks, tools, etc.:
PS C:\> Invoke-APT29 -search

Establish a reverse shell (note: replace the PowerShell command here so that it points to your C2 instance):
PS C:\> Invoke-APT29 -shell
Variants of this attack are -empire, -meterpreter, -rundll32, and -mshta.

Show APT29-related information for a specific TID:
PS C:\> Invoke-APT29 -<TID> -about
This will display MITRE ATT&CK information about the TID and simulation instructions.

List the available options for a given technique:
PS C:\> Invoke-APT29 -<TID> -listVariants
This will display a list of variants associated with the given technique.
When running the attack, use the listed number to call the associated attack technique.

Simulate an attack:
PS C:\> Invoke-APT29 -<TID> -attack -variant <number>
If the technique only has a single variant, just use the -attack flag:
PS C:\> Invoke-APT29 -<TID> -attack

Cleanup after an attack simulation:
PS C:\> Invoke-APT29 -<TID> -cleanup
Only necessary when the technique utilizes persistence or makes changes to the disk.
Most techniques do not have an associated cleanup option.

#### Thanks

[MITRE ATT&CK](https://attack.mitre.org/) for the detailed analysis and information on [APT29](https://attack.mitre.org/groups/G0016/)

[Red Canary](https://redcanary.com/) for the following [Atomic Red Team](https://atomicredteam.io/) tests leveraged in this framework:

T1015, T1088, T1070, T1060, T1053, T1056, T1193, T1047, T1084, T1114, T1027, T1097, T1085, T1023

--------------------------------------------------------------------------------
/remediation/MS-ADV200006/MS-ADV200006.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Detects whether a system is vulnerable to Microsoft Security Advisory ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability, and optionally mitigates it.

.DESCRIPTION
This script will identify if a machine prior to Windows 10 has the Adobe Type Manager Library enabled by querying the registry, and optionally set mitigating registry keys to disable the Adobe Type Manager Library.

.PARAMETER mitigate
The parameter mitigate is used to apply the recommended mitigations.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

.PARAMETER backout
The parameter backout is used to remove the recommended mitigations.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

.EXAMPLE
The example below mitigates the system if vulnerable to Microsoft Security Advisory ADV200006. Requires running as Admin.
PS C:\> ./MS-ADV200006.ps1 -mitigate

.EXAMPLE
The example below checks if the system is vulnerable to Microsoft Security Advisory ADV200006.
PS C:\> ./MS-ADV200006.ps1

.NOTES
Author: Casey Parman
Last Edit: 2020-03-11
Version 1.0 - initial release
Copyright VMware 2020
#>
param
(
    [switch]$mitigate,
    [switch]$backout
)

# Microsoft does not recommend the workaround on Windows 10; nothing to check there.
If ([environment]::OSVersion.Version.Major -eq 10)
{
    Write-Host -ForegroundColor Green "----------------------------------------------------------------------------------"
    Write-Host -ForegroundColor Green "-- Microsoft does not recommend mitigations for Windows 10 systems --"
    Write-Host -ForegroundColor Green "-- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006 --"
    Write-Host -ForegroundColor Green "----------------------------------------------------------------------------------"
    Exit 0
}

$KB = "KB NOT YET RELEASED"
Write-Host -ForegroundColor DarkRed ">>> $KB"

# Compare against the HotFixID property values themselves. Piping through Format-List (FL)
# would yield formatting objects, so -contains could never match a KB string.
if ((Get-WmiObject -Class Win32_QuickFixEngineering).HotFixID -contains $KB) { $patchstate = $true } else { $patchstate = $false }

If ( $backout ) {
    Write-Host -ForegroundColor Red "---------------------------------------"
    try {
        # Get-ItemPropertyValue throws when the value does not exist; the catch handles that case.
        if ( (Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name DisableATMFD) -eq 1 ) {
            Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name DisableATMFD
            Write-Host -ForegroundColor Red "-- Mitigation removed --"
        } Else {
            Write-Host -ForegroundColor Red "-- No mitigation to remove, skipping --"
        }
    } catch {
        Write-Host -ForegroundColor Red "-- No mitigation to remove, skipping --"
    }
    Write-Host -ForegroundColor Red "---------------------------------------"
}

If ( $patchstate -eq $true ) {
    Write-Host -ForegroundColor Green "------------------"
    Write-Host -ForegroundColor Green "--Not Vulnerable--"
    Write-Host -ForegroundColor Green "------------------"
    Exit 0
}

If ( $patchstate -eq $false ) {
    Write-Host -ForegroundColor Red "-------------------"
    Write-Host -ForegroundColor Red "-- Patch Missing --"
    Write-Host -ForegroundColor Red "-------------------"
    try {
        if ( (Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name DisableATMFD) -eq 1 ) {
            Write-Host -ForegroundColor Green "----------------------"
            Write-Host -ForegroundColor Green "-- System Mitigated --"
            Write-Host -ForegroundColor Green "----------------------"
            Exit 0
        } Else {
            # A missing or non-1 value falls through to the catch block below.
            throw "wrong registry value"
        }
    } catch {
        If ($mitigate)
        {
            If (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
            {
                Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name DisableATMFD -Type DWORD -Value 1 -Force
                Write-Host -ForegroundColor Green "----------------------"
                Write-Host -ForegroundColor Green "-- System Mitigated --"
                Write-Host -ForegroundColor Green "----------------------"
            } Else {
                Write-Host -ForegroundColor Red "Run in elevated prompt"
            }
        } Else {
            Write-Host -ForegroundColor Red "--------------------------------------"
            Write-Host -ForegroundColor Red "-----------Vulnerable-----------------"
            Write-Host -ForegroundColor Red "--------------------------------------"
            Write-Host -ForegroundColor Red "-- mitigate with -mitigate argument --"
            Write-Host -ForegroundColor
Red "--------------------------------------" 105 | } 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /threat_hunting/yara/tau_winnti_public.yara: -------------------------------------------------------------------------------- 1 | rule winnti_dropper_x64_libtomcrypt_fns : TAU CN APT 2 | { 3 | meta: 4 | author = "CarbonBlack Threat Research" // tharuyama 5 | date = "2019-08-26" 6 | description = "Designed to catch winnti 4.0 loader and hack tool x64" 7 | rule_version = 1 8 | yara_version = "3.8.1" 9 | Confidence = "Prod" 10 | Priority = "High" 11 | TLP = "White" 12 | exemplar_hashes = "5ebf39d614c22e750bb8dbfa3bcb600756dd3b36929755db9b577d2b653cd2d1" 13 | sample_md5 = "794E127D627B3AF9015396810A35AF1C" 14 | 15 | strings: 16 | // fn_register_libtomcrypt 17 | $0x140001820 = { 48 83 EC 28 83 3D ?? ?? ?? ?? 00 } 18 | $0x140001831 = { 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 FF } 19 | $0x140001842 = { B8 0B 00 E0 0C 48 83 C4 28 C3 } 20 | $0x14000184c = { 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 FF } 21 | $0x140001881 = { B8 0C 00 E0 0C 48 83 C4 28 C3 } 22 | $0x14000188b = { 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 FF } 23 | $0x1400018e4 = { B8 0D 00 E0 0C 48 83 C4 28 C3 } 24 | $0x1400018ee = { 48 8D 0D ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 41 B8 A0 01 00 00 E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 01 00 00 00 } 25 | $0x140001911 = { 33 C0 48 83 C4 28 C3 } 26 | // fn_decrypt_PE 27 | $0x140001670 = { 40 55 56 57 41 55 41 56 41 57 B8 38 12 00 00 E8 ?? ?? ?? ?? 48 2B E0 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 84 24 10 12 00 00 48 8B AC 24 90 12 00 00 4C 8B B4 24 A0 12 00 00 45 33 FF 44 39 3D ?? ?? ?? ?? 
49 8B F1 41 0F B7 F8 4C 8B EA 44 8B D9 66 44 89 7C 24 40 } 28 | $0x1400016c8 = { B8 01 00 E0 0C } 29 | $0x1400016d2 = { 48 89 9C 24 30 12 00 00 4D 85 C9 } 30 | $0x1400016ec = { 8B 9C 24 98 12 00 00 83 FB 01 } 31 | $0x1400016fc = { 48 8D 54 24 40 } 32 | $0x140001701 = { 4C 89 A4 24 28 12 00 00 E8 ?? ?? ?? ?? 44 0F B7 64 24 40 66 44 3B E7 } 33 | $0x140001727 = { 48 8D 54 24 40 41 8B CB E8 ?? ?? ?? ?? 0F B7 94 24 A8 12 00 00 66 39 54 24 40 } 34 | $0x140001750 = { 41 8B CB E8 ?? ?? ?? ?? 8B F8 83 F8 FF } 35 | $0x14000175f = { B8 0F 00 E0 0C } 36 | $0x140001764 = { 4C 8B A4 24 28 12 00 00 } 37 | $0x14000176c = { 48 8B 9C 24 30 12 00 00 } 38 | $0x140001774 = { 48 8B 8C 24 10 12 00 00 48 33 CC E8 ?? ?? ?? ?? 48 81 C4 38 12 00 00 41 5F 41 5E 41 5D 5F 5E 5D C3 } 39 | $0x140001795 = { 48 8D 4C 24 54 33 D2 41 B8 B4 11 00 00 44 89 7C 24 50 E8 ?? ?? ?? ?? 48 8D 44 24 50 48 89 44 24 30 45 0F B7 CC 4D 8B C5 49 8B D6 8B CF 44 89 7C 24 28 44 89 7C 24 20 E8 ?? ?? ?? ?? 85 C0 } 40 | $0x1400017d5 = { 4C 8D 4C 24 50 44 8B C3 48 8B D5 48 8B CE E8 ?? ?? ?? ?? 48 8D 4C 24 50 8B D8 E8 ?? ?? ?? ?? 8B C3 } 41 | $0x1400017fb = { B8 04 00 E0 0C } 42 | $0x140001805 = { B8 03 00 E0 0C } 43 | $0x14000180f = { B8 02 00 E0 0C } 44 | 45 | condition: 46 | all of them 47 | } 48 | 49 | rule winnti_dropper_x86_libtomcrypt_fns : TAU CN APT 50 | { 51 | meta: 52 | author = "CarbonBlack Threat Research" // tharuyama 53 | date = "2019-08-26" 54 | description = "Designed to catch winnti 4.0 loader and hack tool x86" 55 | rule_version = 1 56 | yara_version = "3.8.1" 57 | Confidence = "Prod" 58 | Priority = "High" 59 | TLP = "White" 60 | exemplar_hashes = "0fdcbd59d6ad41dda9ae8bab8fad9d49b1357282027e333f6894c9a92d0333b3" 61 | sample_md5 = "da3b64ec6468a4ec56f977afb89661b1" 62 | 63 | strings: 64 | // fn_register_libtomcrypt 65 | $0x401d20 = { 8B 0D ?? ?? ?? ?? 33 C0 85 C9 } 66 | $0x401d30 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 83 F8 ?? } 67 | $0x401d46 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? 
?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 10 83 F8 ?? } 68 | $0x401d76 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 1C 83 F8 ?? } 69 | $0x401dc4 = { 56 57 B9 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 33 C0 F3 A5 5F C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 5E C3 } 70 | // fn_decrypt_PE 71 | $0x401bd0 = { 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 56 57 85 C0 C7 45 FC ?? ?? ?? ?? } 72 | $0x401bf4 = { 8B 45 14 85 C0 } 73 | $0x401bff = { 8B 45 18 85 C0 } 74 | $0x401c14 = { 8B 7D 08 8D 45 FC 50 57 E8 ?? ?? ?? ?? 8B 75 ?? 83 C4 08 66 } 75 | $0x401c31 = { 8B 45 0C 85 C0 } 76 | $0x401c3c = { 8D 4D FC 51 57 E8 ?? ?? ?? ?? 66 8B 55 FC 83 C4 08 66 3B 55 24 } 77 | $0x401c57 = { 8B 5D 20 85 DB } 78 | $0x401c62 = { 57 E8 ?? ?? ?? ?? 8B D0 83 C4 04 83 FA ?? } 79 | $0x401c72 = { B9 ?? ?? ?? ?? 33 C0 8D BD 48 EE FF FF C7 85 44 EE FF FF ?? ?? ?? ?? F3 AB 8B 4D 0C 8D 85 44 EE FF FF 50 6A ?? 81 E6 FF FF 00 00 6A ?? 56 51 53 52 E8 ?? ?? ?? ?? 83 C4 1C 85 C0 } 80 | $0x401caf = { 8B 45 1C 8B 4D 18 8D 95 44 EE FF FF 52 8B 55 14 50 51 52 E8 ?? ?? ?? ?? 8B F0 8D 85 44 EE FF FF 50 E8 ?? ?? ?? ?? 83 C4 14 8B C6 5F 5E 5B 8B E5 5D C3 } 81 | $0x401ce1 = { 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 } 82 | $0x401ced = { 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 } 83 | $0x401cf9 = { 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 } 84 | $0x401d05 = { 5F 5E B8 ?? ?? ?? ?? 
5B 8B E5 5D C3 } 85 | $0x401d16 = { 5F 5E 5B 8B E5 5D C3 } 86 | 87 | condition: 88 | all of them 89 | } 90 | 91 | -------------------------------------------------------------------------------- /threat_hunting/IOCs/shlayer/hashes-iocs.txt: -------------------------------------------------------------------------------- 1 | fd30ef485adc2a9d4a26e20b2f32cc37e1299e2f1eff4d0b30ccc2e481a9f281,136a08bef2b6a4e51fcc8b35ee21935a 2 | 5006b352cecafdd4df49a8bf9d60a940c2dfc89fe86851f2548dbfe0ec6db922,ce43184c39fb347cca95ec74f53dd45d 3 | 53ff1f062d4ac7ac8271ceea4bf5b911f992e55b23531bdd87943dbc3594f59b,7ceb17c99a30d642438d4cf336160634 4 | c1046768a19bfbd2aa9492443d8cbac8dc310073587c907553967b4d24fbabf8,fe7ed909dc974d3383c9e840bf60dc3b 5 | 5982a969f1cff3880538b6dbfa813312b59bc536ef91e9f8b506dd2c4ce1a132,9c12864507cb278c6f8870a2e8120da5 6 | 6d8bc0896eddb994a53424ec4ce9b705a4f0f8df86c6f8572a08f3c49f56623e,fceda183d84477027f44c59d83405597 7 | 0d0d7ff140f892129789da2446474837480fa71e95462139673d7f3f648df5df,c19d247ad5a9f4fe44366a8345dee3ad 8 | a3af79d42b9917d73a6f896a48682f74f91c00929f80ee77d6a0fa7ad3552de1,9059044f5b2362a03d2eccecf1bcad87 9 | 18bba2995ffe6c14c5b7c515dd92cef8db5f56099e298f2581e43764df55276c,74ecf6892135890efdf5552ac006e36a 10 | f960bad1b78a3ac8217aa9223c2228dd8479acdca29a6e4c6d2d620d122d6237,3d218a55054008dcd75f0646e9d19411 11 | 35a4b126fd13c95e25d08edb745aeec5a3a4b3bc01705fc0e003156f831e3c0a,e37698f258d73e7ddf5696fa73eaf8d5 12 | 513cd785513bbf45c424144378ffa80fa21685de30a85940bf82f2db72a8560d,327a994483d67f6b14f884e17feb4f3c 13 | c43fdfc0658177fd4a570495ca9917b1a9d9e21088efdd3326232e15cc19cabe,aa64d69250acf2e0181763f75c5d75d6 14 | df67759101e803baf9efc18da9907fe4cda1e088667434ce548e1731d904f4d7,cb304cb44c087efd874ebedfd2315301 15 | 9817a479649a7573d223bc9d563f8bdfbf809aa104e7d78d09251086ea756814,1e7df7ae2601cc71dcd867b9bff876b5 16 | 59c7bb9c0200d4513119c9f52ecbf85ab5462f9fc924a55bf92bdd8ffa864abe,7d6b6e961527851c882407e11f93ea0e 17 | 
ddc9d36bc1641e0084c2eecd35f820692b9a1c8cdd09f1db5cb3cc32e0738e35,6014535031bd988ff2f3bd8ac60dc203 18 | 06b16f5d5cb7fb1646168267fe936b71e891c1b2bab0560c3f3c513d0526ee97,27aed07f2c7a45e0d4da7b5d2a8c7c64 19 | 6b3c540d03245bfcf5f64195025eaa53332eccd39c47a6d82de339fd218b34bb,d7bb1240038f07b84bc54631160c7a8d 20 | 7ac5da59868fe308e68d0375395b97a6237b362a4a4073b3288e5b5e5e53919e,0990f967610ec161ebb11bd4dad47652 21 | 8ad48b482dcd8d893dd8193acf2436383d9ddf65f55cf2ec47a4e0de3b2c22bf,8a4ce1973b7a1208b82b4e016462903c 22 | f639a800f8e68928b6ac613d4aaa1817a1c532fc581b715cc986cd833b11e7da,681ba69ff9a78b0fe1fa51268b48e5c2 23 | 66650d9eac1fd331991682c9fc6f932cb2c7595a0c16a1ed477ba8a2e6ee58e6,3759a005931511779694878807da3d47 24 | 05900d6bb07d0b80f96cf60f3384db65af7e27663db0fe9f9b09e504743f1fa0,60b105be4718cad66752d2900fb7918a 25 | d2f52f19a73481d8b7d0906cea8b44490bdc866d6945dc0ae826a56821aba90d,2c25685668f82d104db0b039c00c700f 26 | 12610ded5495bb0fd0309a855f398ab955af9d1382a5db53ee6cf88a26479a92,3fc0b9e00e5247eed5d104de019ee818 27 | a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189,4b3ab1a5dccac06cc67856cde9b78885 28 | b53fab9dd4b473237a39895372aae51638b25d8f7a659c24d0a3cc21d03ef159,b490bdd3899fa6dc06787d49cb64b405 29 | fd93c08678392eae99a1281577a54875a0e1920c49cdea6d56b53dabc4597803,b7a66df8b280cef879de978501cbd12f 30 | 68d5629d6faeae646b2b6a0c6b607a8d0ce8d8798429f24c3b308ac552c27b28,3803d9dd1d4e6c7c4587ce7f80088ec9 31 | 23762000bb36adc0d95c3e589dfc2d81a766e9d37dce7e80bb591fee64491b63,47e5fa673370cec483492b1ed282966d 32 | 5eee6ea1f69c4e263afee5443a78a3da962d404de50ae762a399e43afa49424e,89b34f0dbb834e2dc338c52ba906b104 33 | d64e0989bf17e687b5f9fa11befb57405f4574a18c8a1312ba0f6c991daf101f,e446fd443eda8e0f17ddc3fd02f81fa3 34 | f5bb88b0a44902a8c5d5079453ffe06377460c9e8a0ce27ac8b08643aa3e52fa,99e4152951a11d82736b3ad6218f4664 35 | 5248b3612c51aceb8505af2d27ecea3da4f6a9d2203d25aefa5bd6015134110b,a654ae58ef9a44423f8237b6d5a667ac 36 | 
92e8482a5b243db39eaf1d176a3a52b8974fb58c8d4804a9e04c0d66495d263d,8d55404f788478328110a2c513432101 37 | ac49889cb93ada0b247e4eb73900be3ee5e0ca09e07d04687fb467390a75a38e,b0c4dac5b092d1f58882109ea0046982 38 | d0dab4b3316dadc046d0145c1f12792e44a16588cdfa92527101d5878596acbb,b950303f1786b487a9714f8f6b08f0e6 39 | 0a371a0895677ce07c78c713f6eba87467a227834288f76757033d860b8eff1d,d80ef5d36fda12c006d898bf9018e47b 40 | f3bdd391436c80d391caafec7fcb493d5d8064abe71d32e646989c7f86484668,88c8c8249959b9c549b45ef83f963c1c 41 | d1e7d056a7fb70f44ad7f9d61a558291dd50d062f5fa0999c7baec2ec3f00ef2,d249af1fe63f4be9a21d56dc5475b02c 42 | ee17609feb45caf359f111097b63fa42c6fee3b0b7fa973fe6baeebfcc8163a2,3aa5fb43788f305ebb2b3c7fa4a425e1 43 | b372f7d2096a59e6bfedc2d747f118670094b5bf6255fa845b1ed81451a401a3,2a74697c90e45dd50bc11c7641f8a314 44 | ab2be4a6e4aa572b5fd677fc08a069610c047c737f0838014acb572b7f833633,5df9b50d8b008e1800d917d2fb5f13fc 45 | e5995fcc70cf6c6eb31f92da7a77f1cdfdf6a1eb00049bd2f198cf368917f17a,45cf495f8b0f88e8dcc3ac96aeed08a3 46 | 384ba00a4fcdd64f89ef6f5d974a04550014fdb9549ac6323756edcb4f91a7f3,79ccad8eec7f4b56377bf4ba4eea4bc0 47 | 52421c853a968ff562e67255881e45aeb6e3e29602b8da51d2278179038108db,83050f417cdf2be25cd6a639cdf90cc6 48 | cd9dc5f65656022e3622e829cdd35400b8ffeff1a9afc530fd0cb1dae248e24b,a550d1311620c8daad71ffd4562d1611 49 | 9ae8db4045a5fca5f03891900a14149a93ef5ca196afcf95ceb439b9aa5cd887,76a5c74b6efa7ab3dbc1e93519d71dff 50 | 29406614011bb311c6214cd800894c4dc93863cd4fcc7ecf9cf9050d250c86c9,37b4086cded912dcb4129f4831bea60c 51 | 01955d7aeaa49c9923caa4b4549d10a7029a8f9b3fdc2fd3e3e5fb0253caff6a,d1fa75b3137b3f215a32092fb4772eb5 52 | 2a8c73428b00b55a1a5eefe0600d84432c02da26543a6d0e4a009f294ce5275d 53 | 371d7ebd3790381f82fa857573c77cbed566a561e1e87597edb27b8eef7c1ae0,4880318d2183d55aafede257dfaa34fb 54 | 5006b352cecafdd4df49a8bf9d60a940c2dfc89fe86851f2548dbfe0ec6db922,ce43184c39fb347cca95ec74f53dd45d 55 | 
8ad48b482dcd8d893dd8193acf2436383d9ddf65f55cf2ec47a4e0de3b2c22bf,8a4ce1973b7a1208b82b4e016462903c 56 | f1a474e443fb3418cb7fb557a548b62129262bb49a1c872a54b49319509f0f3d 57 | 3af051614694ca2ce1590e3c4bb54c80f99f0c0a281831b3d3847e772181e18b 58 | b9f02d6e341c8d1284331f8b1986fe641aa638e1524228947280e96c833e23ab 59 | 529995f4818b417ec1cd14438a489b78db8ae53a52d01bfb7c0cc49933be5393 60 | 4ded521f74812982835ad44efc097068fa9d8ddd7b95af5c929321b72db8853c 61 | a7063bf53e171b0c865f007fc75301375cd48b83db93b04b59a46c6f1fe735fb 62 | 398c700b8bfc3ebc3b031bc7594aabb413e90a0958b896a01999d1f78f364310 63 | 17b7c45dadb8f483e26140963f173ea5ddaf079f0996a25e251e1457447d7d34 64 | 71109177f129cdebf227e164a7edbc2fa8f5f265e182021d7d87823333f18ce9 65 | 3ea5fd07d05cdacfd2400c7a934053b448e1c570027525466207b268d56259db 66 | 00a6a7b519c4ff8f83d17f2a189b4bf5c0d9b687f6ab2eb83bdd98894272bac8 67 | 14292a33b6f6caa18c6d4df009f7630f69e80e0a725983508391a2e5648bb05c 68 | 5a44f8a82a0095393d13f25517c00f4ab2c7e337598c50d6f186eda14efd0514 69 | 583e397e780742be2a2b19f6e96ca3a2ec729bb8f6b6d73c1a994f699c005808 70 | 5795a95c513dbd0403b5601755a013f5e915bc7ed957c6695d439fd8fc7fa5ea 71 | b3a068b99ffdda13782c0339589d925f7c3d1f6641aa07488c6582a54f8d8cbf 72 | 0ed875162a3ff48d02d45e106eb9f8fb232238ec300713146c47c8a0d09dff85 73 | -------------------------------------------------------------------------------- /remediation/EternalDarkness/EternalDarkness.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | This detects and mitigates if systems are vulnerable to CVE-2020-0796 EternalDarkness 4 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796 5 | 6 | .DESCRIPTION 7 | This script will identify if a machine has active SMB shares, is running an OS version impacted by this vulnerability, 8 | and check to see if the disabled compression mitigating keys are set and optionally set mitigating keys. 
.PARAMETER mitigate
The parameter mitigate is used to apply the recommended mitigations.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

.EXAMPLE
The example below mitigates the system if vulnerable to CVE-2020-0796 EternalDarkness. Requires running as Admin.
PS C:\> ./EternalDarkness.ps1 -mitigate

.EXAMPLE
The example below checks if the system is vulnerable to CVE-2020-0796 EternalDarkness.
PS C:\> ./EternalDarkness.ps1

.NOTES
Author: Casey Parman
Last Edit: 2020-03-11
Version 1.0 - initial release
Copyright VMware 2020
#>
param
(
    [switch]$mitigate
)

# Collect the installed HotFixID values directly. Piping through Format-List (FL) would
# produce formatting objects, so the -contains tests below would never match.
$HotFIX = (Get-WmiObject -Class Win32_QuickFixEngineering).HotFixID
If ($HotFIX -contains "KB4540673" -or $HotFIX -contains "KB4551762")
{
    Write-Host -ForegroundColor Green "------------------"
    Write-Host -ForegroundColor Green "--System Patched--"
    Write-Host -ForegroundColor Green "------------------"
    return
} Else
{
    Write-Host -ForegroundColor Red "-----------------"
    Write-Host -ForegroundColor Red "--Patch Missing--"
    Write-Host -ForegroundColor Red "-----------------"
}


If ([environment]::OSVersion.Version.Major -eq 10)
{
    # Only Windows 10 1903 (build 18362) and 1909 (build 18363) ship SMBv3 compression.
    If ([environment]::OSVersion.Version.Build -eq 18363 -or [environment]::OSVersion.Version.Build -eq 18362)
    {
        # Only hosts that actually publish SMB shares are exposed on the server side.
        If (Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\LanmanServer\Shares -ErrorAction SilentlyContinue)
        {
            If ((Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters").PSObject.Properties.Name -contains "DisableCompression")
            {
                ## The value exists; check whether it is actually set to 1.
                If ((Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression) -eq 0)
                {
                    If ($mitigate)
                    {
                        If (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
                        {
                            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force
                            Write-Host -ForegroundColor Green "--------------------"
                            Write-Host -ForegroundColor Green "--System Mitigated--"
                            Write-Host -ForegroundColor Green "--------------------"

                        } Else
                        {
                            Write-Host -ForegroundColor Red "Run in elevated prompt"
                        }
                    } Else
                    {
                        Write-Host -ForegroundColor Red "--------------------------------"
                        Write-Host -ForegroundColor Red "-----------Vulnerable-----------"
                        Write-Host -ForegroundColor Red "--------------------------------"
                        Write-Host -ForegroundColor Red "mitigate with -mitigate argument"
                        Write-Host -ForegroundColor Red "--------------------------------"
                    }
                } Else
                {
                    Write-Host -ForegroundColor Green "------------------"
                    Write-Host -ForegroundColor Green "--Not Vulnerable--"
                    Write-Host -ForegroundColor Green "------------------"
                }

            } Else
            {
                # The value does not exist at all, so compression is still enabled.
                If ($mitigate)
                {
                    If (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
                    {
                        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force
                        Write-Host -ForegroundColor Green "--------------------"
                        Write-Host -ForegroundColor Green "--System Mitigated--"
                        Write-Host -ForegroundColor Green "--------------------"
                    } Else
                    {
                        Write-Host -ForegroundColor Red "Run in elevated prompt"
                    }
                } Else
                {
                    Write-Host -ForegroundColor Red "--------------------------------"
                    Write-Host -ForegroundColor Red "-----------Vulnerable-----------"
                    Write-Host -ForegroundColor Red "--------------------------------"
                    Write-Host -ForegroundColor Red "mitigate with -mitigate argument"
                    Write-Host -ForegroundColor Red "--------------------------------"
                }
            }
        } Else
        {
            Write-Host -ForegroundColor Green "------------------"
            Write-Host -ForegroundColor Green "--Not Vulnerable--"
            Write-Host -ForegroundColor Green "------------------"
        }
    } Else
    {
        Write-Host -ForegroundColor Green "------------------"
        Write-Host -ForegroundColor Green "--Not Vulnerable--"
        Write-Host -ForegroundColor Green "------------------"
    }
} Else {
    Write-Host -ForegroundColor Green "------------------"
    Write-Host -ForegroundColor Green "--Not Vulnerable--"
    Write-Host -ForegroundColor Green "------------------"

}

--------------------------------------------------------------------------------
/malware_specific/FancyBear/zebrocy_decrypt_artifact.py:
--------------------------------------------------------------------------------
# zebrocy_decrypt_artifact.py - script to decode Zebrocy downloader hex strings
# Takahiro Haruyama (@cci_forensics)

# Note: the script was used to decode and AES-decrypt C2 traffic data generated by Zebrocy payload
# I've not seen Zebrocy payload lately (2019/1Q), so commented out the code

import argparse, base64, re
from Crypto.Cipher import AES
from struct import *

g_debug = False
g_delimiter_post = ':'
g_delimiter_conf = '\r\n'
g_AES_KEY_SIZE = 38
#g_pat_hexascii = re.compile(r'[0-9A-F]{6,}')
g_pat_hexascii = re.compile(r'[0-9A-F#\-=@%$]{6,}') # downloader type1 (Delphi)
g_pat_hexascii_go = re.compile(r'(?:[2-7][0-9A-F]){2,}') # downloader type1 (Go)
g_pat_hexunicode = re.compile(ur'(?:[0-9A-F][\x00]){2,}') # downloader type2 (Delphi)
#g_pat_ascii = re.compile(r'[\x20-\x7E]{3,}')
g_pat_hexasciidummy = re.compile(r'[0-9A-Fa-z]{76,150}') # hexascii with dummy small alphabet for payload v10.3
g_MAX_HEXTEXT_SIZE = 0x200

g_aes_key = 'DUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMY'

def info(msg):
    print "[*] {}".format(msg)

def success(msg):
    print "[+] {}".format(msg)

def error(msg):
    print "[!] {}".format(msg)

def dprint(msg):
    if g_debug:
        print "[DEBUG] {}".format(msg)

def decode(buf, adjust):
    # Turn a hex-text string into raw bytes, adding 'adjust' to each byte value.
    newbuf = []
    for i in range(0, len(buf), 2):
        if buf[i] and buf[i+1]:
            newbuf.append(chr(int(buf[i] + buf[i+1], 16) + adjust))
    return "".join(newbuf)

def extract_ascii(pat, data):
    for match in pat.finditer(data):
        yield match.group().decode("ascii"), match.start()

def extract_unicode(pat, data):
    for match in pat.finditer(data):
        yield match.group().decode("utf-16le"), match.start()

def extract_hexkey(s):
    # Drop the dummy lower-case letters mixed into v10.3 hex text.
    hexkey = [x for x in s if ord(x) < ord('Z')]
    return ''.join(hexkey)

def decrypt_hextext(hexenc, aes=None, adjust=0):
    try:
        hexdec = decode(hexenc, adjust)
    except (ValueError, IndexError):
        return ''
    dprint('hextext to bin: {}'.format(repr(hexdec)))

    # [extraction gap: original lines 64-152 are missing from this copy]
    if aes and len(hexdec) > 8 and unpack(" g_MAX_HEXTEXT_SIZE and plain == '':
                dprint('{:#x}: possible divided config block'.format(p))
                stored += s
                plain = decrypt_hextext(stored, aes)
                if plain != '':
                    stored = ''
            if args.choose and len(plain) == g_AES_KEY_SIZE:
                success('possible AES key acquired: {}'.format(plain))
                aes = AES.new(plain[:0x20], AES.MODE_ECB)
            if g_pat_hexascii.match(plain) and len(plain) % 2 == 0:
                parse(plain)
    '''

    info('done')

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/remediation/MS-ADV200006/README.md:
-------------------------------------------------------------------------------- 1 | # Microsoft ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability 2 | 3 | ## References 4 | [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006) 5 | 6 | ## Recommendation 7 | 8 | CB Recommends following Microsoft's mitigations to disable ATMFT on Windows 8.1 9 | and below using either the rename or registry method provided by Microsoft. 10 | 11 | ## Summary 12 | 13 | Microsoft published [Security Advisory 14 | ADV200006](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006) 15 | on 3/24/2020 describing a zero-day remote-code execution vulnerability using the 16 | Adobe Type Manager Library. Microsoft described "limited targeted Windows 7 17 | based attacks." 18 | 19 | The Adobe library is a native implementation of Adobe Type Manager within Windows, added in Windows 2000/XP. [1](#footnote1) 20 | 21 | From the Microsoft Security advisory: 22 | 23 | > "Two remote code execution vulnerabilities exist in Microsoft Windows when the 24 | > Windows Adobe Type Manager Library improperly handles a specially-crafted 25 | > multi-master font - Adobe Type 1 PostScript format. There are multiple ways an 26 | > attacker could exploit the vulnerability, such as convincing a user to open a 27 | > specially crafted document or viewing it in the Windows Preview pane." 28 | 29 | > "Please Note: The threat is low for those systems running Windows 10 due to 30 | > mitigations that were put in place with the first version released in 2015." 31 | 32 | Microsoft reported "...limited targeted Windows 7 based attacks.." and "...is 33 | not aware of any attacks against the Windows 10 platform." 
34 | 35 | Microsoft considers the threat to be low for Windows 10 systems due to mitigations added in 2015: 36 | 37 | > The possibility of remote code execution is negligible and elevation of 38 | > privilege is not possible. We do not recommend that IT administrators running 39 | > Windows 10 implement the workarounds described below." 40 | 41 | ## Detections 42 | 43 | Reliable signatures specific to this threat are not yet available. Some 44 | customers have considered queries related to `modload:atmfd.dll`, however this 45 | DLL is loaded by the `ntoskrnl.exe` on boot, and the exclusions required to 46 | prevent false positives from these queries may also cause false negatives. Other 47 | VMWare Carbon Black Advanced Threats and other signatures are intended to 48 | broadly cover the attack process, in order to stop an attack at multiple points 49 | in the attackers kill chain. In this case, Carbon Black recommends close 50 | monitoring of post-exploitation signatures for any Windows systems before 51 | Windows 10. 52 | 53 | ## Mitigations 54 | 55 | Microsoft provided three recommended mitigations, with specifics available at the Microsoft 56 | Security Advisory 57 | [ADV200006](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006): 58 | 59 | 60 | * Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class 61 | * Disable the Preview Pane and Details Pane in Windows Explorer 62 | * Disable the WebClient service 63 | 64 | * Only works on older (before Windows 10) but completely mitigates the issue 65 | though can introduce usability issues in rare cases 66 | * Rename `ATMFD.DLL` 67 | 68 | > "Please note: ATMFD.DLL is not present in Windows 10 installations starting 69 | > with Windows 10, version 1709. Newer versions do not have this DLL." 70 | 71 | Microsoft does not recommend these mitigations on Windows 10 systems _currently supported by Microsoft_. 
CB recommends following Microsoft's mitigations to disable ATMFD on Windows 8.1 and below, using either the rename or registry method provided by Microsoft.

### Mitigation Impact

From Microsoft:

> "Applications that rely on embedded font technology will not display properly. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. Microsoft Windows does not release any OpenType fonts natively. However, third-party applications could install them and they could be affected by this change."

### Identification and Mitigation of Affected Systems

VMware Carbon Black TAU has published a PowerShell script to detect and mitigate this vulnerability in our public [tau-tools](https://github.com/carbonblack/tau-tools) GitHub repository: [ADV200006](https://github.com/carbonblack/tau-tools/tree/master/remediation/MS-ADV200006). This script reports whether the `DisableATMFD` registry value is set and can optionally set the mitigating value. It can be leveraged with any endpoint configuration management tool that supports PowerShell, as well as with Live Response.

## Description

This script detects and mitigates systems vulnerable to ADV200006: Type 1 Font Parsing Remote Code Execution Vulnerability.

It identifies whether a machine prior to Windows 10 has the Adobe Type Manager Library enabled by querying the registry, and optionally sets mitigating registry keys to disable the Adobe Type Manager Library.

If `[environment]::OSVersion.Version.Major` is not 10, the script checks whether `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DisableATMFD` is set to 1 to determine whether the system has already been mitigated. If the host system is vulnerable and `-mitigate` is used, it sets `DisableATMFD` to 1.
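The check and the registry workaround described above, written out as two small functions. This is an added example, not the repository's `MS-ADV200006.ps1`; the key path, value name and the Windows 10 exclusion are taken from the README, and it assumes an elevated session, since writing under `HKLM:` requires one.

```powershell
# Added example (not the repository's MS-ADV200006.ps1). Outside Windows 10,
# DisableATMFD = 1 under the Windows NT\CurrentVersion\Windows key means the
# advisory's registry workaround is in place.
$AtmfdKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$AtmfdValue = 'DisableATMFD'

function Get-AtmfdState {
    # Microsoft does not recommend the workaround on Windows 10, so report it
    # as out of scope rather than as Vulnerable or Mitigated.
    if ([environment]::OSVersion.Version.Major -eq 10) {
        return 'NotApplicable'
    }

    # An absent value is the normal state of an unmitigated host, so suppress
    # the "property does not exist" error instead of treating it as a failure.
    $item = Get-ItemProperty -Path $AtmfdKey -Name $AtmfdValue -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$AtmfdValue -eq 1) {
        return 'Mitigated'
    }
    return 'Vulnerable'
}

function Set-AtmfdMitigation {
    # -Backout removes the value again, mirroring the script's -backout switch.
    param([switch]$Backout)

    if ((Get-AtmfdState) -eq 'NotApplicable') {
        Write-Warning 'Windows 10: Microsoft does not recommend this workaround; nothing changed.'
        return 'NotApplicable'
    }

    if ($Backout) {
        Remove-ItemProperty -Path $AtmfdKey -Name $AtmfdValue -ErrorAction SilentlyContinue
    } else {
        # DWORD 1 is the value Microsoft's registry method sets; -Force
        # overwrites an existing value even if it has a different type.
        New-ItemProperty -Path $AtmfdKey -Name $AtmfdValue -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Re-read the registry rather than trusting that the write succeeded.
    return Get-AtmfdState
}

# Also report whether the library file is present at all; per Microsoft it is
# absent from Windows 10, version 1709 and later.
$atmfdDll = Join-Path $env:SystemRoot 'System32\atmfd.dll'
"ATMFD.DLL present: {0}" -f (Test-Path $atmfdDll)
"State: {0}" -f (Get-AtmfdState)
```

Run `Set-AtmfdMitigation` to apply the workaround and `Set-AtmfdMitigation -Backout` to remove it; both return the state read back afterwards.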
## Instructions

Usage:

Checking if a device is vulnerable to ADV200006:
```Powershell
MS-ADV200006.ps1
```

Mitigating systems that are vulnerable to ADV200006:
```Powershell
MS-ADV200006.ps1 -mitigate
```

Removing the mitigation from a previously mitigated system:
```Powershell
MS-ADV200006.ps1 -backout
```

## Example

```Powershell
PS C:\> .\MS-ADV200006.ps1
>>> KB NOT YET RELEASED
-------------------
-- Patch Missing --
-------------------
--------------------------------------
-----------Vulnerable-----------------
--------------------------------------
-- mitigate with -mitigate argument --
--------------------------------------

PS C:\> .\MS-ADV200006.ps1 -mitigate
>>> KB NOT YET RELEASED
-------------------
-- Patch Missing --
-------------------
----------------------
-- System Mitigated --
----------------------

PS C:\> .\MS-ADV200006.ps1
>>> KB NOT YET RELEASED
-------------------
-- Patch Missing --
-------------------
----------------------
-- System Mitigated --
----------------------

PS C:\> .\MS-ADV200006.ps1 -backout
>>> KB NOT YET RELEASED
---------------------------------------
-- Mitigation removed --
---------------------------------------
-------------------
-- Patch Missing --
-------------------
--------------------------------------
-----------Vulnerable-----------------
--------------------------------------
-- mitigate with -mitigate argument --
--------------------------------------

PS C:\>
```

## Live Response Wrapper

The `MS-ADV200006.py` script is a wrapper for executing the `MS-ADV200006.ps1` script remotely via the VMware Carbon Black Cloud API.
Usage:
```PowerShell
MS-ADV200006.py [-h] [-m MACHINENAME] [-c] [-p] [-o ORGPROFILE]

optional arguments:
  -h, --help            show this help message and exit
  -m MACHINENAME, --machinename MACHINENAME
                        machinename to run host forensics recon on
  -c, --check           Check the system for the vulnerable SMBv3
                        Configuration
  -p, --patch           Mitigate the vulnerable system SMBv3 configuration
                        by disabling compression
  -o ORGPROFILE, --orgprofile ORGPROFILE
                        Select your cbapi credential profile
```

## Example

Checking for ADV200006 vulnerability:
```PowerShell
$ python3 MS-ADV200006.py -m -c -o
```

Mitigating ADV200006 vulnerability:
```PowerShell
$ python3 MS-ADV200006.py -m -p -o
```

This script is compatible with the full VMware Carbon Black Cloud API and requires the Python `cbapi` module.

1: https://twitter.com/rosyna/status/1242156545346916352
--------------------------------------------------------------------------------
/threat_hunting/png_extract/png_extract.vcxproj:
--------------------------------------------------------------------------------
(Visual Studio MSBuild project file. The XML element tags were lost in extraction and only element values survive: Debug and Release configurations for Win32 and x64; project GUID {54038B35-6E2F-492D-AD75-F42CBBCF6A9C}; Win32Proj; png_extract; target platform version 8.1; configuration type Application; platform toolset v140; character set Unicode; subsystem Console; warning level Level3; Debug builds with optimization Disabled and preprocessor definitions WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) / _DEBUG;_CONSOLE;%(PreprocessorDefinitions); Release builds with optimization MaxSpeed and WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) / NDEBUG;_CONSOLE;%(PreprocessorDefinitions), the x64 Release build using the MultiThreaded runtime library; precompiled header settings Use and Create.)
--------------------------------------------------------------------------------
/threat_hunting/IOCs/IOCs_2019_Q3_Sodinokibi-Hashes.csv:
--------------------------------------------------------------------------------
Description,SHA256
--------------------------------------------------------------------------------
/ThreatHunter-Watchlist-Manager/watchlist-manager.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# ThreatHunter Watchlist Creator
# Copyright VMware 2019
# November 2019
# Version 0.1
# gfoss [at] carbonblack . com
#
# usage: watchlist-manager.py [-h] [-p ORGPROFILE] [-w WATCHLIST_NAME] [-c CBR_QUERY] [-d DELETE_QUERY]
#
# Parse ThreatHunter YAMLs and Create / Update Watchlists
#
# optional arguments:
#   -h, --help            show this help message and exit
#   -p ORGPROFILE, --profile ORGPROFILE
#                         Select your cbapi credential profile
#   -w WATCHLIST_NAME, --watchlist WATCHLIST_NAME
#                         Watchlist to create. Options: [custom]
#   -c CBR_QUERY, --convert CBR_QUERY
#                         Convert CB Response query to ThreatHunter format. Eg: (-c )
#   -d DELETE_QUERY, --delete DELETE_QUERY
#                         Delete a watchlist via query. Eg: (-d )


import os
import sys
import argparse
import time
import yaml
from cbapi.psc.threathunter import CbThreatHunterAPI

# Import logging module to see the requests to the REST API
# import logging
# logging.basicConfig()
# logging.getLogger("cbapi").setLevel(logging.DEBUG)


# All Watchlists correspond to their local directory and must be specified below to be included in updates
def manage_watchlists(args, parser, watchlist_name):

    global yml_path
    global feed_name
    global provider_url
    global feed_summary
    global feed_category
    global feed_id_name

    # ====================================================================================================
    # Custom Watchlist
    # ====================================================================================================
    if watchlist_name == "custom":
        yml_path = './watchlists/example/'
        feed_name = "Custom Watchlist"
        provider_url = "https://carbonblack.com"
        feed_summary = "Custom Threat Detections"
        feed_category = "Custom"
        feed_id_name = "custom_report"

    # ====================================================================================================
    # Add other watchlists below via elif...
    # ====================================================================================================
    else:
        # Bail out here: everything downstream reads the globals set above.
        print(' [ ! ] Error: Watchlist (-w) must be defined...')
        print('       Available option is [custom]')
        sys.exit(1)


def threaty_threats(args, parser, orgprofile, watchlist_name):

    # This is the 'name' of your credential in the credential file. Set with -p at runtime.
    th = CbThreatHunterAPI(profile="{}".format(orgprofile))
    orgkey = th.credentials.org_key

    # Create JSON Framework
    json_data = {}
    i = 0
    json_data['feedinfo'] = {"name": feed_name, "provider_url": provider_url, "summary": feed_summary, "category": feed_category}
    json_data['reports'] = []
    yml_extensions = (".yml", ".yaml")
    print('')
    print(' [ * ] Parsing YAMLS and creating ({}) Watchlist'.format(feed_name))

    # Parse the YAMLs and populate JSON
    for root, dirs, yam in os.walk(os.path.abspath(yml_path)):
        for yamyam in yam:
            if yamyam.endswith(yml_extensions):
                filename = os.path.join(root, yamyam)
                #print(filename)
                # safe_load builds plain Python objects only; a bare yaml.load
                # would instantiate arbitrary tags from an untrusted rule file.
                try:
                    with open(filename, 'r') as yamyams:
                        much_wow = yaml.safe_load(yamyams)
                except (OSError, yaml.YAMLError) as err:
                    print("Oh no - something is wrong... Check ({}): {}".format(filename, err))
                    continue
                # Only count rules that actually loaded, so report ids stay contiguous
                i += 1

                # Define the Threaty Threats
                author = much_wow['author']
                detection = much_wow['detection']
                industry = much_wow['industry']
                link = much_wow['link']
                notes = much_wow['notes']
                tags = much_wow['tags']
                rule_type = much_wow['type']
                description = much_wow['description']
                false_positives = much_wow['false positives']
                fqp_queries = much_wow['queries']
                attack_tests = much_wow['queries']['attack test(s)']
                comments = much_wow['queries']['comment']
                th_guid = much_wow['queries']['guid']
                query = much_wow['queries']['query']
                rule_title = much_wow['queries']['title']
                supported_platforms = much_wow['supported platform(s)']
                threat_score = much_wow['threat']
                query_id = much_wow['query id']

                # Create JSON
                json_data['reports'] += [{"timestamp": int(time.time()),
                                          "id": feed_id_name + str(i),
                                          "link": link,
                                          "title": rule_title,
                                          "description": description,
                                          "severity": int(threat_score),
                                          "tags": tags,
                                          "iocs_v2": [
                                              {
                                                  "id": query_id,
                                                  "match_type": "query",
                                                  "values": [query],
                                                  "link": provider_url
                                              }
                                          ]
                                          }]

    # Push new feeds as JSON object
    print(" [ * ] Updating Threat Feed: {}".format(feed_id_name))
    #fh = open('data.json', 'w')
    #fh.write(json.dumps(json_data))
    ret = th.post_object("/threathunter/feedmgr/v1/feed", json_data)
    #pprint.pprint(ret.json())
    feed_access = ret.json()["access"]
    feed_id = ret.json()["id"]

    # We have to wait a few seconds for the feed to fully update
    time.sleep(5)

    # Yay - user feedback
    print('     - Feed Name: {}'.format(feed_name))
    print('     - Access: {}'.format(feed_access))
    print('     - Category: {}'.format(feed_category))
    print('     - Summary: {}'.format(feed_summary))
    print('     - Feed Count: {}'.format(i))
    print('')

    # Create a new watchlist and populate this with our new feeds
    ret = th.post_object("/threathunter/watchlistmgr/v3/orgs/{}/watchlists".format(orgkey), {
        "name": "{}".format(feed_name),
        "description": "{}".format(feed_summary),
        "id": "{}".format(feed_id),
        "tags_enabled": True,
        "alerts_enabled": True,
        "classifier": {'key': 'feed_id', 'value': feed_id}}
    )
    #pprint.pprint(ret.json())
    watchlist_id = ret.json()["id"]
    alerts_enabled = ret.json()["alerts_enabled"]
    create_timestamp = ret.json()["create_timestamp"]
    print(" [ * ] Successfully Created a new Watchlist - Now Adding Queries...")
    print('     - Alerts Enabled: {}'.format(alerts_enabled))
    print('     - Timestamp: {}'.format(create_timestamp))
    print('     - Watchlist ID: {}'.format(watchlist_id))
    print('')

    # Uncomment the pprint to validate that the feed was posted
    ret = th.get_object("/threathunter/watchlistmgr/v3/orgs/{}/watchlists/{}".format(orgkey, watchlist_id))
    #pprint.pprint(ret)


def convert_query(args, parser, cbr_query):
    th = CbThreatHunterAPI(profile="{}".format(args.orgprofile))

    # Convert the query
    ret = th.post_object('/threathunter/feedmgr/v2/query/translate',
                         {
                             'query': '{}'.format(cbr_query)
                         })
    results = ret.json()
    print('')
    print(results['query'])
    print('')


def nuke(args, parser, feed_name):
    th = CbThreatHunterAPI(profile="{}".format(args.orgprofile))
    orgkey = th.credentials.org_key

    # Deleting Feed Data
    print('')
    print('Removing WATCHLISTS based on watchlist name: {}'.format(feed_name))
    ret = th.get_object("/threathunter/watchlistmgr/v3/orgs/{}/watchlists".format(orgkey))
    for f in ret["results"]:
        #print(f["name"])
        if feed_name in f["name"]:
            print('Found Watchlist. Will Remove: {}'.format(feed_name))
            watchlist_id = f["id"]
            feed_id = f["classifier"]["value"]
            th.delete_object("/threathunter/watchlistmgr/v3/orgs/{}/watchlists/{}".format(orgkey, watchlist_id))
            print('Cleaning up the corresponding feed associated with the above watchlist: {}'.format(feed_id))
            th.delete_object("/threathunter/feedmgr/v2/orgs/{}/feeds/{}".format(orgkey, feed_id))
        else:
            print('Watchlists did not match cleanup: {}'.format(f["name"]))


def main():
    parser = argparse.ArgumentParser(description='Parse ThreatHunter YAMLs and Create / Update Watchlists')
    parser.add_argument('-p', '--profile', help='Select your cbapi credential profile', dest='orgprofile')
    # Only the "custom" watchlist is defined in manage_watchlists(), so that is the default and the only option
    parser.add_argument('-w', '--watchlist', help='Watchlist to create. Options: [custom]', dest='watchlist_name', default='custom')
    parser.add_argument('-c', '--convert', help='Convert CB Response query to ThreatHunter format. Eg: (-c )', dest='cbr_query')
    parser.add_argument('-d', '--delete', help='Delete a watchlist via query. Eg: (-d )', dest='delete_query')
    args = parser.parse_args()

    if args.cbr_query:
        convert_query(args, parser, args.cbr_query)
    elif args.delete_query:
        manage_watchlists(args, parser, args.delete_query)
        nuke(args, parser, feed_name)
    elif args.orgprofile:
        if args.watchlist_name:
            manage_watchlists(args, parser, args.watchlist_name)
            threaty_threats(args, parser, args.orgprofile, args.watchlist_name)
        else:
            print(' [ ! ] Watchlist name is required: -w. Available options: [custom]')
    else:
        print(parser.format_help())
        quit()


if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/navgen/navgen.py:
--------------------------------------------------------------------------------
import requests
import json
import re
import time
from pick import pick


def get_label(option):
    return option.get('label')


def get_product():
    select = '[!] Select the product: '
    options = [{'label': 'VMWare Carbon Black EDR (formerly CB Response)'},
               {'label': 'VMWare Carbon Black Enterprise EDR (formerly CB ThreatHunter)'}]
    # pick() returns (option, index); only the index is needed here
    product = pick(options, select, indicator='*', options_map_func=get_label)
    if product[1] == 0:
        product = "edr"
    elif product[1] == 1:
        product = "eedr"
    else:
        return None

    return product


def get_auth():
    """this will ask for auth info and return it"""

    full_url = input("[!] Here, enter the full url of your instance. Examples: \n\thttps://bugcrowd.my.carbonblack.io\n\thttps://defense-prod05.conferdeploy.net\n\n[*] > ")
    if "https://" not in full_url:
        full_url = "https://" + full_url

    api_key = input("[*] Enter your API key/token: > ")

    return full_url, api_key


def download_edr_reports(url, api_key):
    """
    This will download threat reports for following feeds:
    attackframework
    sans
    Bit9AdvancedThreats
    Bit9SuspiciousIndicators
    Bit9EndpointVisibility
    CbCommunity
    Bit9EarlyAccess
    and return json object
    """
    headers = {
        'Content-Type': 'application/json',
        'X-Auth-Token': api_key
    }

    # this will create a full url to get total number of reports.
    full_url = url + "/api/v1/threat_report?cb.urlver=1&cb.fq.feed_name=attackframework&cb.fq.feed_name=bit9advancedthreats&cb.fq.feed_name=cbcommunity&cb.fq.feed_name=sans&cb.fq.feed_name=bit9endpointvisibility&cb.fq.feed_name=bit9suspiciousindicators&cb.fq.feed_name=bit9earlyaccess&sort=severity_score%20desc&rows=10&facet=false&start=0&cb.fq.is_deleted=false"
    try:
        r = requests.get(full_url, headers=headers)
    except requests.exceptions.SSLError:
        # On-prem EDR servers with self-signed certificates fail verification.
        # Retry unverified only for that case, and say so, rather than swallowing
        # every possible request failure.
        print("[!] TLS certificate verification failed; retrying without verification")
        r = requests.get(full_url, headers=headers, verify=False)

    # store results as json
    data = r.json()

    # gets the number of total threat reports found.
    total_results = data['total_results']
    print("There are {} total threat reports found.".format(total_results))

    # we need to determine how many requests in batches of 100 we need to make to download all threat reports
    paginate_count = total_results // 100 + 1
    data = []

    # depending on what paginate_count is, we need to make this many requests to download threat reports
    for i in range(paginate_count):
        full_url = url + "/api/v1/threat_report?cb.urlver=1&cb.fq.feed_name=attackframework&cb.fq.feed_name=bit9advancedthreats&cb.fq.feed_name=cbcommunity&cb.fq.feed_name=sans&cb.fq.feed_name=bit9endpointvisibility&cb.fq.feed_name=bit9suspiciousindicators&cb.fq.feed_name=bit9earlyaccess&sort=severity_score%20desc&rows=100&facet=false&start=" + str(i * 100) + "&cb.fq.is_deleted=false"
        try:
            r = requests.get(full_url, headers=headers)
        except requests.exceptions.SSLError:
            # same self-signed-certificate fallback as the first request
            r = requests.get(full_url, headers=headers, verify=False)

        # append 100 batch threat report to data object
        data += r.json()['results']

    return data


def get_eedr_feed_ids(backend_url, api_key, org_key):
    headers = {
        'Content-Type': 'application/json',
        'X-Auth-Token': api_key
    }
    # this will create a full url to list the feeds visible to the org.
    full_url = backend_url + "/threathunter/feedmgr/v2/orgs/{}/feeds?include_public=true".format(org_key)

    try:
        r = requests.get(full_url, headers=headers)
    except requests.exceptions.RequestException as err:
        # return an empty list so the caller simply has no feeds to walk
        print("requests failed to get feed ids: {}".format(err))
        return []
    data = r.json()
    feed_ids = []
    for feed in data['results']:
        if feed['access'] == 'public':
            feed_ids.append(feed['id'])

    return feed_ids


def download_eedr_feed_reports(backend_url, api_key, org_key, feed_id):
    headers = {
        'Content-Type': 'application/json',
        'X-Auth-Token': api_key
    }
    # this will create a full url to fetch one feed, including its reports.
    full_url = backend_url + "/threathunter/feedmgr/v2/orgs/{}/feeds/{}".format(org_key, feed_id)

    r = requests.get(full_url, headers=headers)
    data = r.json()

    return data


def build_navigator():
    navigator = {
        "name": "VMWare Carbon Black MITRE ATT&CK Coverage",
        "version": "3.0",
        "description": "This layer shows techniques stored in VMWare Carbon Black Threat Intelligence feeds.",
        "domain": "mitre-enterprise",
        "legendItems": [],
        "techniques": []
    }

    return navigator


def generate_tid_dict(threat_reports):
    """this will return a dictionary with TID's as keys. Values will be a list of all threat reports for that TID"""
    tid_dict = {}
    # raw string: "\d" in a plain literal is an invalid escape sequence
    pattern = r"t\d{4}"

    for threat_report in threat_reports:
        if threat_report['tags'] is not None:
            for tag in threat_report['tags']:
                if re.match(pattern, tag):
                    if tag in tid_dict:
                        tid_dict[tag].append(threat_report)
                    else:
                        tid_dict[tag] = [threat_report]

    return tid_dict


def prepare_nav_techniques(tid, threat_report_values, product):
    """should accept one tid from build_navigator()...
    will contain list of multiple queries."""

    color = get_color(threat_report_values, product)
    description = get_description(threat_report_values)
    nav_technique = {
        "techniqueID": tid.upper(),
        "color": color,
        "comment": description,
        "enabled": True
    }

    return nav_technique


def get_color(threat_report_value, product):
    color_dict = {
        'green-high': '#00ff61',
        'green-med': '#83fcb1',
        'green-low': '#d6ffe5'
    }

    # this if statement supports hardcoded tids via hardcoded_tids()
    if type(threat_report_value) == int:
        severity = threat_report_value
        threat_report_value = []
        threat_report_value.append({'severity': severity})

    # EDR scores run 0-100, Enterprise EDR severities 0-10; normalise to 0-10.
    # The colour is decided by the first report in the list.
    for threat_report in threat_report_value:
        if product == 'edr':
            severity = threat_report['severity'] / 10
        elif product == 'eedr':
            severity = threat_report['severity']

        if severity >= 8:
            return color_dict['green-high']
        elif severity >= 5:
            return color_dict['green-med']
        elif severity >= 0:
            return color_dict['green-low']


def get_description(threat_report_values):
    number_of_reports = len(threat_report_values)
    comment = "There are %s queries matching this TID.\n\n" % (int(number_of_reports))
    for threat_report in threat_report_values:
        # first line of the description only; guard against a null description
        comment += "Feed: %s\nTitle: %s\nID: %s\nDescription: %s\n\n" % (
            threat_report['feed_name'], threat_report['title'], threat_report['id'],
            (threat_report['description'] or "").split("\n")[0])

    return comment


def main():
    product = get_product()
    if product is None:
        print("Invalid product. Quitting.")
        raise SystemExit(1)

    backend_url, api_key = get_auth()
    if product == 'eedr':
        org_key = input("[*] Enter your org key: > ")
    print("\nYour url is: {}".format(backend_url))
    print("Your API key is: {}".format(api_key))
    if product == 'eedr':
        print("Your org key is: {}".format(org_key))

    if product == 'edr':
        reports = download_edr_reports(backend_url, api_key)
        all_reports = []
        for report in reports:
            threat_report = {}
            threat_report['feed_name'] = report['feed_name']
            threat_report['id'] = report['id']
            threat_report['title'] = report['title']
            threat_report['tags'] = report['tags']
            threat_report['severity'] = report['score']
            threat_report['description'] = report['description']
            all_reports.append(threat_report)

    elif product == 'eedr':
        eedr_feed_ids = get_eedr_feed_ids(backend_url, api_key, org_key)
        all_reports = []
        for feed_id in eedr_feed_ids:
            reports = download_eedr_feed_reports(backend_url, api_key, org_key, feed_id)
            feed_name = reports['feedinfo']['name']

            for report in reports['reports']:
                threat_report = {}
                threat_report['feed_name'] = feed_name
                threat_report['id'] = report['id']
                threat_report['title'] = report['title']
                threat_report['tags'] = report['tags']
                threat_report['severity'] = report['severity']
                threat_report['description'] = report['description']
                all_reports.append(threat_report)

    # now we have a list containing all reports... we need to identify ones with a mitre attack TID.
247 | attack_techniques = [] 248 | tid_dict = generate_tid_dict(all_reports) 249 | navigator = build_navigator() 250 | 251 | nav_techniques_list = [] 252 | for tid, threat_report_values in tid_dict.items(): 253 | nav_techniques = prepare_nav_techniques(tid, threat_report_values, product) 254 | navigator['techniques'].append(nav_techniques) 255 | 256 | # builds the navigator json 257 | navigator_json = json.dumps(navigator, indent=4, sort_keys=True) 258 | 259 | # save to disk in current working dir 260 | filename = "VMWareCBThreatIntel-{}-".format(product.upper()) + str(int(time.time())) + ".json" 261 | with open(filename, 'w') as outfile: 262 | outfile.write(navigator_json) 263 | print("\n[!] Saved MITRE Navigator json file as " + filename) 264 | print( 265 | "[!] Use this file to 'Open Existing Layer' from local file on https://mitre-attack.github.io/attack-navigator/") 266 | 267 | 268 | if __name__ == '__main__': 269 | main() 270 | -------------------------------------------------------------------------------- /malware_specific/ThiefQuest/thiefquest_decrypt.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | import sys 3 | 4 | ''' 5 | Date: 2020-07-02 6 | Author: VMware Carbon Black TAU - Scott Knight 7 | Exemplar Hashes: 365a5c72f52de964b8dc134d2fc45f9c73ba045cebd9fd397b1e26fdb11bfec6, 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b, d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2, 06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff 8 | Description: Decodes encoded strings from OSX.ThiefQuest malware 9 | ''' 10 | 11 | __VERSION__ = '1.0' 12 | 13 | STR_FA = b'\x0D\x00\x00\x00\x00\x00\x00\x00\xA4\x06\xA3\x02\x9C\x0B\x4F\x00\x00\x00\x00\x00\x10\x29\xD4\x35\xB6\xD3\x5A\x63\x61\xDD\x4F\x54\x67\xCA\xFB\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' 14 | STR_KEY = 0x6B8B4567 15 | STR_FA_NEW = 
b'\x80\x00\x00\x00\x00\x00\x00\x00\x88\x00\xA6\x0D\x40\xBD\x5C\x00\x00\x00\x00\x00\x3B\x1B\x7F\x7E\xE5\x3E\xCA\x66\x74\xBC\x40\x5B\x76\x5D\x2D\x28\xB2\x4C\x9B\x83\x43\x06\xC1\x2D\x50\xA6\x3F\x97\x5D\xC9\xA5\xCC\x3D\x25\x50\x7D\x40\xC2\x7E\xA9\x66\x78\xF4\x72\x39\x11\x42\x06\xC3\xD5\x47\x93\x0C\x65\x1D\xE8\xE4\x76\xB7\x21\xE9\x34\x96\xD3\x35\x65\x3B\x50\xCF\x55\xA6\x24\x78\x49\x4E\xFF\x1C\x31\x35\x42\xBE\x80\xF2\x04\xEA\x02\x77\x23\x2D\xA2\x61\xBC\xC7\x90\x63\x96\x50\x29\x64\x38\x32\xF0\x59\xA9\xC2\x66\x65\x46\x6F\x1F\x03\x32\x7A\xA5\xDE\xD2\x3F\xD5\x2C\x6E\xB6\x29\xE0\x76\xC7\xE2\xC7\x36\x48\x23\x4D\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' 16 | STR_KEY_NEW = 0x7D47950 17 | DESERIALIZE_KEY = b'NCUCKOO7614S' 18 | SPOT_KEY = b'H2QGjSmA' 19 | LOOKUP = b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x00\x00\x00\x00\x00\x00\x00\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x00\x00\x00\x00\x00\x00\x24\x25\x26\x27\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3A\x3B\x3C\x3D\x3E\x3F' 20 | LOOKUP2 = 
b'\xD9\x78\xF9\xC4\x19\xDD\xB5\xED\x28\xE9\xFD\x79\x4A\xA0\xD8\x9D\xC6\x7E\x37\x83\x2B\x76\x53\x8E\x62\x4C\x64\x88\x44\x8B\xFB\xA2\x17\x9A\x59\xF5\x87\xB3\x4F\x13\x61\x45\x6D\x8D\x09\x81\x7D\x32\xBD\xC9\x40\xEB\x86\xB7\x7B\x0B\xF0\x95\x21\x22\x5C\x6B\x4E\x82\x54\xD6\x65\x93\xCE\x60\xB2\x1C\x73\x56\x71\x14\xA7\x8C\xF1\xDC\x12\x75\xCA\x1F\x3B\xBE\xE4\xD1\x42\x3D\xD4\x30\xA3\x3C\xB6\x26\x6F\xBF\x0E\xDA\x46\x69\x07\x57\x27\xF2\xD2\x9B\xBC\x94\x43\x03\xF8\x11\x6C\xF6\x90\xEF\x3E\xE7\x06\xC3\xD5\x2F\xC8\x66\x1E\xD7\x08\xE8\xEA\xDE\x80\x52\xEE\xF7\x84\xAA\x72\xAC\x35\x4D\x6A\x2A\x96\x1A\x1D\xC0\x5A\x15\x49\x74\x4B\x9F\xD0\x5E\x04\x18\xA4\xEC\xC2\xE0\x41\x6E\x0F\x51\xCB\xCC\x24\x91\xAF\x50\xA1\xF4\x70\x39\x99\x7C\x3A\x85\x23\xB8\xB4\x7A\xFC\x02\x36\x5B\x25\x55\x97\x31\x2D\x5D\xFA\x98\xE3\x8A\x92\xAE\x05\xDF\x29\x10\x67\xC7\xBA\x8F\xD3\x00\xE6\xCF\xE1\x9E\xA8\x2C\x63\x16\x01\x3F\x58\xE2\x89\xA9\x0D\x38\x34\x1B\xAB\x33\xFF\xB0\xBB\x7F\x0C\x5F\xB9\xB1\xCD\x2E\xC5\xF3\xDB\x47\xE5\xA5\x9C\x77\x0A\xA6\x20\x68\xFE\x48\xC1\xAD' 21 | LOOKUP3 = b'\x02\x03\x05\x07\x0B\x0D\x11\x13\x17\x1D\x1F\x25\x29\x2B\x2F\x35\x3B\x3D\x43\x47\x49\x4F\x53\x59\x61\x65\x67\x6B\x6D\x71\x7F\x83' 22 | 23 | # Rotate left: 0b1001 --> 0b0011 24 | rol = lambda val, r_bits, max_bits: \ 25 | (val << r_bits%max_bits) & (2**max_bits-1) | \ 26 | ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits))) 27 | 28 | # Rotate right: 0b1001 --> 0b1100 29 | ror = lambda val, r_bits, max_bits: \ 30 | ((val & (2**max_bits-1)) >> r_bits%max_bits) | \ 31 | (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1)) 32 | 33 | def eip_key(key1, key2, key3): 34 | v6 = 1 35 | v3 = key1 % key3 36 | v5 = v3 37 | if not v3: 38 | return 0 39 | 40 | while key2: 41 | if (key2 & 1) == 1: 42 | v6 = v5 * v6 % key3 43 | key2 >>= 1 44 | v5 = v5 * v5 % key3 45 | 46 | return v6 47 | 48 | def eip_decrypt(data, key): 49 | v9 = int.from_bytes(data[0:8], byteorder='little') 50 | v13 = int.from_bytes(data[8:12], byteorder='little') 51 | v14 = 
int.from_bytes(data[12:20], byteorder='little') 52 | 53 | key = eip_key(v14, key, v13) 54 | 55 | v7 = 4 - v9 % 4 + v9 56 | count = v7 // 4 57 | 58 | buf = data[20:20+v7] 59 | 60 | v4 = 0 61 | output = bytearray() 62 | while v4 < count: 63 | val = int.from_bytes(buf[v4*4:v4*4 + 4], byteorder='little') 64 | val = val ^ key 65 | output += val.to_bytes(4, byteorder='little') 66 | key = rol(key, 1, 32) 67 | v4 += 1 68 | 69 | return output[0:v9] 70 | 71 | def eib_decode(input, input_len): 72 | size = input_len - 1 73 | v7 = (input_len - 1) // 6 74 | output_len = (4 * v7) - (ord(input[-1]) - 48) 75 | 76 | if output_len > input_len - 1: 77 | return '' 78 | 79 | v4 = 0 80 | output = bytearray() 81 | while v4 < v7: 82 | data = input[v4*6:v4*6+6] 83 | val = eib_unpack_i(data) 84 | output += val.to_bytes(4, byteorder='little') 85 | v4 += 1 86 | 87 | return output[0:output_len] 88 | 89 | def eib_unpack_i(data): 90 | v3 = 0 91 | 92 | for i in range(0, 6): 93 | v3 += LOOKUP[ord(data[5-i]) - 48] << (6 * i) 94 | 95 | return v3 96 | 97 | def eib_secure_decode(input, input_len, key): 98 | buf = eib_decode(input, input_len) 99 | output = tpdcrypt(key, buf, len(buf)) 100 | 101 | return output 102 | 103 | def tpdcrypt(key, input, input_len): 104 | size = input_len - 1 105 | output_len = (input_len - 1) - input[-1] 106 | 107 | v7 = 0 108 | v6 = 2 109 | output = bytearray() 110 | derived_key = bytearray(b'\x00' * 128) 111 | 112 | while v7 < size: 113 | derived_key = generate_xkey(derived_key, key, 0x400, v6) 114 | output += tp_decrypt(derived_key, input[v7:v7+8]) 115 | v7 += 8 116 | v6 += 1 117 | 118 | return output[0:output_len] 119 | 120 | def generate_xkey(derived_key, key, bits, block): 121 | # The malware uses strlen and the new key has a null byte 122 | # so we need to actually scan for a null byte 123 | #key_len = len(key) 124 | key_len = 0 125 | for i in range(0, len(key)): 126 | if key[i] == 0x00: 127 | break 128 | key_len += 1 129 | 130 | dst = bytearray(LOOKUP2[0:0x100]) 131 | 
132 | if block >= 0x20: 133 | block = block & 0x1f 134 | 135 | v19 = LOOKUP3[block] 136 | 137 | for i in range(0, 256, v19): 138 | dst[i] = (dst[i] % v19 + dst[i]) % 255 139 | 140 | if key_len > 128: 141 | key = key[0:128] 142 | key_len = 128 143 | 144 | if bits is None: 145 | bits = 1024 146 | 147 | derived_key[0:key_len] = key[0:key_len] 148 | 149 | if key_len < 128: 150 | v13 = 0 151 | v16 = derived_key[key_len-1] 152 | 153 | while True: 154 | v4 = v13 155 | v13 += 1 156 | idx = (derived_key[v4] + v16) & 0xff 157 | v16 = dst[idx] 158 | v5 = key_len 159 | key_len += 1 160 | derived_key[v5] = v16 161 | 162 | if key_len >= 128: 163 | break 164 | 165 | v1 = (bits + 7) >> 3 166 | v14 = 128 - v1 167 | v17 = dst[(255 >> (-bits & 7)) & derived_key[128 - v1]] 168 | derived_key[128-v1] = v17 169 | 170 | while v14 > 0: 171 | v14 -= 1 172 | v17 = dst[(derived_key[v1+v14] ^ v17) & 0xff] 173 | derived_key[v14] = v17 174 | 175 | # NOTE: This shows in the decompilation but seems to just be setting 176 | # all the values in the derived_key to the value they already have. 177 | # Maybe just junk instructions? 
178 | v15 = 63 179 | while True: 180 | derived_key[v15*2] = derived_key[v15*2] 181 | derived_key[v15*2+1] = derived_key[(v15*2) + 1] 182 | if v15 <= 0: 183 | break 184 | v15 -= 1 185 | 186 | return derived_key 187 | 188 | def tp_decrypt(key, input): 189 | output = bytearray() 190 | v9 = int.from_bytes(input[6:8], byteorder='little') 191 | v8 = int.from_bytes(input[4:6], byteorder='little') 192 | v7 = int.from_bytes(input[2:4], byteorder='little') 193 | v6 = int.from_bytes(input[0:2], byteorder='little') 194 | v5 = 15 195 | 196 | while True: 197 | v9 = v9 & 0xffff 198 | v9 = ((v9 >> 5) + (v9 << 11)) - (((v8 & v7) + (~v8 & v6)) + int.from_bytes(key[(2*(4*v5+3)):(2*(4*v5+3))+2], byteorder='little')) 199 | 200 | v8 = v8 & 0xffff 201 | v8 = ((v8 >> 3) + (v8 << 13)) - (((v7 & v6) + (~v7 & v9)) + int.from_bytes(key[(2*(4*v5+2)):(2*(4*v5+2))+2], byteorder='little')) 202 | 203 | v7 = v7 & 0xffff 204 | v7 = ((v7 >> 2) + (v7 << 14)) - (((v6 & v9) + (~v6 & v8)) + int.from_bytes(key[(2*(4*v5+1)):(2*(4*v5+1))+2], byteorder='little')) 205 | 206 | v6 = v6 & 0xffff 207 | v6 = ((v6 >> 1) + (v6 << 15)) - (((v9 & v8) + (~v9 & v7)) + int.from_bytes(key[(2*(4*v5+0)):(2*(4*v5+0))+2], byteorder='little')) 208 | 209 | if v5 == 5 or v5 == 11: 210 | v9 -= int.from_bytes(key[(2*(v8 & 0x3f)):(2*(v8 & 0x3f))+2], byteorder='little') 211 | v8 -= int.from_bytes(key[(2*(v7 & 0x3f)):(2*(v7 & 0x3f))+2], byteorder='little') 212 | v7 -= int.from_bytes(key[(2*(v6 & 0x3f)):(2*(v6 & 0x3f))+2], byteorder='little') 213 | v6 -= int.from_bytes(key[(2*(v9 & 0x3f)):(2*(v9 & 0x3f))+2], byteorder='little') 214 | 215 | if v5 <= 0: 216 | break 217 | v5 -=1 218 | 219 | v9 = v9 & 0xffff 220 | v8 = v8 & 0xffff 221 | v7 = v7 & 0xffff 222 | v6 = v6 & 0xffff 223 | 224 | output += v6.to_bytes(2, byteorder='little') 225 | output += v7.to_bytes(2, byteorder='little') 226 | output += v8.to_bytes(2, byteorder='little') 227 | output += v9.to_bytes(2, byteorder='little') 228 | 229 | return output 230 | 231 | def 
ei_str(encrypted, data, key): 232 | eib_string_key = eip_decrypt(data, key) 233 | encrypted_len = len(encrypted) 234 | output = eib_secure_decode(encrypted, encrypted_len, eib_string_key) 235 | if output != '': 236 | return output 237 | else: 238 | return encrypted 239 | 240 | def usage(): 241 | print('OSX.ThiefQuest Decryption Tool v%s\n' % __VERSION__) 242 | print('Usage:\n %s [string|stringnew|network|spot] ' % (sys.argv[0])) 243 | sys.exit(1) 244 | 245 | def main(): 246 | if len(sys.argv) != 3: 247 | usage() 248 | 249 | kind = sys.argv[1] 250 | if kind not in ('string', 'stringnew', 'network', 'spot'): 251 | usage() 252 | 253 | encrypted = sys.argv[2] 254 | 255 | if kind == 'string': 256 | decrypted = ei_str(encrypted, STR_FA, STR_KEY) 257 | elif kind == 'stringnew': 258 | decrypted = ei_str(encrypted, STR_FA_NEW, STR_KEY_NEW) 259 | elif kind == 'network': 260 | key = ei_str('3cILm620z4sP2wLtV80WU3qG0000033', STR_FA, STR_KEY)[0:-1] 261 | decrypted = eib_secure_decode(encrypted, len(encrypted), key) 262 | elif kind == 'spot': 263 | key = ei_str('217{Z301RT8X3r7eIZ0{99WS0000073', STR_FA, STR_KEY)[0:-1] 264 | decrypted = eib_secure_decode(encrypted, len(encrypted), key) 265 | 266 | print(decrypted) 267 | 268 | if __name__ == "__main__": 269 | main() 270 | -------------------------------------------------------------------------------- /threat_hunting/IOCs/shlayer/urls-iocs.txt: -------------------------------------------------------------------------------- 1 | hxxps://24upgradecheck.thereadyforsafestubs.icu/?b9zd1=aFDEo1W3qcjpym4Vud7AWjxq5TSBvQ8LDzjFhQ9_9uQ7DDCv9dCF5WJqBQw5tp8k6g3vmerTQej-4gA8X3isdw..&cid=wCG0N3B3JD1OT1FJH254GM70&sid=0a8908b6-2b52-4afe-b03e-dd688c4c24b2wCG0N3B3JD1OT1FJH254GM70&v_id=4y-JnFdiMbl-dy50dAv8IEj0EXY_sOm3KELfQq7PMwY. 
--------------------------------------------------------------------------------
/remediation/HiveNightMare/README.md:
--------------------------------------------------------------------------------
# HiveNightmare CVE-2021-36934 Mitigation

## References
[Microsoft Bulletin](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)
[CERT Coordination Center Bulletin](https://www.kb.cert.org/vuls/id/506989)

## Summary
On July 20, 2021, Microsoft released a bulletin regarding CVE-2021-36934. This vulnerability affects **Windows 10 version 1809** and newer operating systems: it grants read and execute **("RX")** permissions on the **%windir%\system32\config** directory to any account in the **"BUILTIN\Users"** group. The BUILTIN\Users group includes any accounts in the Authenticated Users group (anyone logged into the system) and the Domain Users group (a global group that, by default, includes all user accounts in a domain).

This allows any valid user account to access a normally restricted directory which contains, among other files, copies of the Security Accounts Manager (SAM) registry hive if the system is using the Volume Shadow Copy Service (VSS). The SAM, or other files, could then be leveraged to obtain user account password hashes or perform numerous other techniques.

## Description
This script restricts access to the **%windir%\system32\config** directory by re-enabling ACL inheritance on the files in that directory and removing previously created volume shadow copies. Shadow copies created afterwards carry the corrected permissions, so non-privileged users can no longer read those files.
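As an added illustration of the check and the two remediation steps described above (this is example code, not the repository's HiveNightmare.ps1), the following PowerShell inspects the ACL of the SAM, SECURITY and SYSTEM hive files for a BUILTIN\Users read right and, on request, re-enables inheritance, deletes the System Drive's shadow copies and creates a fresh one. It assumes an elevated PowerShell 5.1 or later session on Windows; the function names are this example's own.

```powershell
# Added example (not the repository's HiveNightmare.ps1). Assumes an elevated
# PowerShell session on Windows 10 1809 or later.

$script:ConfigDir = Join-Path $env:windir 'system32\config'
# Well-known SID of BUILTIN\Users, so the check works on localized systems too
$script:UsersSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
    -ArgumentList 'S-1-5-32-545'

function Get-HiveExposure {
    <# Emits one object per hive file whose DACL grants BUILTIN\Users a read
       right (the CVE-2021-36934 condition). No output means not exposed. #>
    [CmdletBinding()]
    param([string[]]$Hives = @('SAM', 'SECURITY', 'SYSTEM'))

    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $Hives) {
        $path = Join-Path $script:ConfigDir $hive
        # Reading the security descriptor only needs READ_CONTROL, so Get-Acl
        # works even though the hive contents are held open by the kernel.
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }   # unresolvable identity: not BUILTIN\Users
            if ($sid -ne $script:UsersSid) { continue }
            if (([int]($ace.FileSystemRights -band $readData)) -ne 0) {
                [pscustomobject]@{
                    Hive      = $hive
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
                break
            }
        }
    }
}

function Invoke-HiveNightmareMitigation {
    <# Applies the workaround: restore inheritance on every file in the config
       directory, delete existing shadow copies of the System Drive (they still
       hold the readable SAM copy), then create a fresh, correctly permissioned
       shadow copy. Destructive, so it supports -WhatIf and -Confirm. #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    if ($PSCmdlet.ShouldProcess($script:ConfigDir, 'Re-enable ACL inheritance on files')) {
        & icacls.exe "$script:ConfigDir\*.*" /inheritance:e
        if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    }

    if ($PSCmdlet.ShouldProcess($env:SystemDrive, 'Delete all volume shadow copies')) {
        & vssadmin.exe delete shadows "/for=$env:SystemDrive" /quiet
        if ($LASTEXITCODE -ne 0) { throw "vssadmin failed with exit code $LASTEXITCODE" }
    }

    if ($PSCmdlet.ShouldProcess($env:SystemDrive, 'Create a fresh shadow copy')) {
        # Same call the README recommends after mitigation; ReturnValue 0 means success
        $result = (Get-WmiObject -List Win32_ShadowCopy).Create("$env:SystemDrive\", 'ClientAccessible')
        if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create returned $($result.ReturnValue)" }
    }
}

# Usage:
#   Get-HiveExposure                          # lists exposed hives; empty output if clean
#   Invoke-HiveNightmareMitigation -WhatIf    # preview the three steps
#   Invoke-HiveNightmareMitigation            # apply (prompts before each step)
```

Run Get-HiveExposure again after mitigating: once inheritance is restored the BUILTIN\Users entry disappears from the hive files and the function returns nothing.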

## Examples
### Check System
```
.\HiveNightmare.ps1
---------------------
--System Vulnerable--
---------------------
```

### Mitigate System
```
.\HiveNightmare.ps1 -mitigate
---------------------
--System Vulnerable--
---------------------
Updating folder permissions for C:\WINDOWS\system32\config
processed file: C:\WINDOWS\system32\config\BBI
processed file: C:\WINDOWS\system32\config\BBI.LOG1
processed file: C:\WINDOWS\system32\config\BBI.LOG2
processed file: C:\WINDOWS\system32\config\bbimigrate
processed file: C:\WINDOWS\system32\config\BBI{53b39ea0-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\BBI{53b39ea0-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\BBI{53b39ea0-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\BCD-Template
processed file: C:\WINDOWS\system32\config\BCD-Template.LOG
processed file: C:\WINDOWS\system32\config\BCD-Template.LOG1
processed file: C:\WINDOWS\system32\config\BCD-Template.LOG2
processed file: C:\WINDOWS\system32\config\COMPONENTS
processed file: C:\WINDOWS\system32\config\COMPONENTS.LOG1
processed file: C:\WINDOWS\system32\config\COMPONENTS.LOG2
processed file: C:\WINDOWS\system32\config\COMPONENTS{53b39e63-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\COMPONENTS{53b39e63-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\COMPONENTS{53b39e63-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\DEFAULT
processed file: C:\WINDOWS\system32\config\DEFAULT.LOG1
processed file: C:\WINDOWS\system32\config\DEFAULT.LOG2
processed file: C:\WINDOWS\system32\config\DEFAULT{53b39e7c-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\DEFAULT{53b39e7c-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\DEFAULT{53b39e7c-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\DRIVERS
processed file: C:\WINDOWS\system32\config\DRIVERS.LOG1
processed file: C:\WINDOWS\system32\config\DRIVERS.LOG2
processed file: C:\WINDOWS\system32\config\DRIVERS{53b39e70-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\DRIVERS{53b39e70-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\DRIVERS{53b39e70-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\ELAM
processed file: C:\WINDOWS\system32\config\ELAM.LOG1
processed file: C:\WINDOWS\system32\config\ELAM.LOG2
processed file: C:\WINDOWS\system32\config\ELAM{53b39eac-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\ELAM{53b39eac-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\ELAM{53b39eac-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\Journal
processed file: C:\WINDOWS\system32\config\RegBack
processed file: C:\WINDOWS\system32\config\SAM
processed file: C:\WINDOWS\system32\config\SAM.LOG1
processed file: C:\WINDOWS\system32\config\SAM.LOG2
processed file: C:\WINDOWS\system32\config\SAM{53b39e57-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\SAM{53b39e57-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\SAM{53b39e57-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\SECURITY
processed file: C:\WINDOWS\system32\config\SECURITY.LOG1
processed file: C:\WINDOWS\system32\config\SECURITY.LOG2
processed file: C:\WINDOWS\system32\config\SECURITY{53b39e4b-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\SECURITY{53b39e4b-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\SECURITY{53b39e4b-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\SOFTWARE
processed file: C:\WINDOWS\system32\config\SOFTWARE.LOG1
processed file: C:\WINDOWS\system32\config\SOFTWARE.LOG2
processed file: C:\WINDOWS\system32\config\SOFTWARE{53b39e2f-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\SOFTWARE{53b39e2f-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\SOFTWARE{53b39e2f-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\SYSTEM
processed file: C:\WINDOWS\system32\config\SYSTEM.LOG1
processed file: C:\WINDOWS\system32\config\SYSTEM.LOG2
processed file: C:\WINDOWS\system32\config\systemprofile
processed file: C:\WINDOWS\system32\config\SYSTEM{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TM.blf
processed file: C:\WINDOWS\system32\config\SYSTEM{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
processed file: C:\WINDOWS\system32\config\SYSTEM{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
processed file: C:\WINDOWS\system32\config\TxR
processed file: C:\WINDOWS\system32\config\userdiff
processed file: C:\WINDOWS\system32\config\userdiff.LOG1
processed file: C:\WINDOWS\system32\config\userdiff.LOG2
Successfully processed 66 files; Failed processing 0 files
Successfully Updated folder permissions for C:\WINDOWS\system32\config
Deleting Volume Shadow Copies of System Drive
--------------------
--System Mitigated--
--------------------
Warning: Running this mitigation script will remove all SystemDrive shadow copies. This will prevent restoration - the backups are deleted. It is recommended to run a command like this to create a fresh, properly permissioned shadow copy following mitigation: (gwmi -list win32_shadowcopy).Create("$env:systemdrive\",'ClientAccessible')
```

## Live Response Wrapper

The HiveNightmare-LR.py script is a wrapper for executing the HiveNightmare.ps1 script remotely via the VMware Carbon Black Cloud API.
**cbapi-python** is required; installation instructions can be found here: [cbapi-python-install](https://cbapi.readthedocs.io/en/latest/installation.html)

Usage:
```
usage: HiveNightmare-LR.py [-h] [--hostname HOSTNAME] [--check] [--mitigate] [--orgprofile ORGPROFILE]

optional arguments:
  -h, --help            show this help message and exit
  --hostname HOSTNAME   hostname to run host forensics recon on
  --check               Check the system for the vulnerable system32\config files
  --mitigate            Mitigate the vulnerable system's vulnerable system32\config files
  --orgprofile ORGPROFILE
                        Select your cbapi credential profile
```

## Example
### Check System
```
python HiveNightmare-LR.py --hostname NightMare --check

[ * ] Establishing LiveResponse Session with Remote Host:
    - Hostname: NightMare
    - OS Version: Windows 10 x64
    - Sensor Version: 3.7.0.1253
    - AntiVirus Status: ['AV_ACTIVE', 'ONACCESS_SCAN_DISABLED',
'ONDEMAND_SCAN_DISABLED'] 138 | - Internal IP Address: 172.16.40.10 139 | - External IP Address: 257.275.295.265 140 | 141 | [ * ] Uploading HiveNightmare.ps1 to the remote host 142 | [ * ] Checking the system for vulnerable system32\config files: 143 | 144 | --------------------- 145 | --System Vulnerable-- 146 | --------------------- 147 | 148 | [ * ] Removing HiveNightmare.ps1 149 | ``` 150 | ### Mitigate System 151 | 152 | ``` 153 | python HiveNightmare-LR.py --hostname NightMare --mitigate 154 | 155 | [ * ] Establishing LiveResponse Session with Remote Host: 156 | - Hostname: NightMare 157 | - OS Version: Windows 10 x64 158 | - Sensor Version: 3.7.0.1253 159 | - AntiVirus Status: ['AV_ACTIVE', 'ONACCESS_SCAN_DISABLED', 'ONDEMAND_SCAN_DISABLED'] 160 | - Internal IP Address: 172.16.40.10 161 | - External IP Address: 257.275.295.265 162 | 163 | [ * ] Uploading HiveNightmare.ps1 to the remote host 164 | [ * ] Mitigating the vulnerable system32\config files: 165 | 166 | --------------------- 167 | --System Vulnerable-- 168 | --------------------- 169 | Updating folder permissions for C:\WINDOWS\system32\config 170 | processed file: C:\WINDOWS\system32\config\BBI 171 | processed file: C:\WINDOWS\system32\config\BBI.LOG1 172 | processed file: C:\WINDOWS\system32\config\BBI.LOG2 173 | processed file: C:\WINDOWS\system32\config\bbimigrate 174 | processed file: C:\WINDOWS\system32\config\BBI{53b39ea0-18c4-11ea-a811-000d3aa4692b}.TM.blf 175 | processed file: C:\WINDOWS\system32\config\BBI{53b39ea0-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 176 | processed file: C:\WINDOWS\system32\config\BBI{53b39ea0-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 177 | processed file: C:\WINDOWS\system32\config\BCD-Template 178 | processed file: C:\WINDOWS\system32\config\BCD-Template.LOG 179 | processed file: C:\WINDOWS\system32\config\BCD-Template.LOG1 180 | processed file: C:\WINDOWS\system32\config\BCD-Template.LOG2 181 | 
processed file: C:\WINDOWS\system32\config\COMPONENTS 182 | processed file: C:\WINDOWS\system32\config\COMPONENTS.LOG1 183 | processed file: C:\WINDOWS\system32\config\COMPONENTS.LOG2 184 | processed file: C:\WINDOWS\system32\config\COMPONENTS{53b39e63-18c4-11ea-a811-000d3aa4692b}.TM.blf 185 | processed file: C:\WINDOWS\system32\config\COMPONENTS{53b39e63-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 186 | processed file: C:\WINDOWS\system32\config\COMPONENTS{53b39e63-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 187 | processed file: C:\WINDOWS\system32\config\DEFAULT 188 | processed file: C:\WINDOWS\system32\config\DEFAULT.LOG1 189 | processed file: C:\WINDOWS\system32\config\DEFAULT.LOG2 190 | processed file: C:\WINDOWS\system32\config\DEFAULT{53b39e7c-18c4-11ea-a811-000d3aa4692b}.TM.blf 191 | processed file: C:\WINDOWS\system32\config\DEFAULT{53b39e7c-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 192 | processed file: C:\WINDOWS\system32\config\DEFAULT{53b39e7c-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 193 | processed file: C:\WINDOWS\system32\config\DRIVERS 194 | processed file: C:\WINDOWS\system32\config\DRIVERS.LOG1 195 | processed file: C:\WINDOWS\system32\config\DRIVERS.LOG2 196 | processed file: C:\WINDOWS\system32\config\DRIVERS{53b39e70-18c4-11ea-a811-000d3aa4692b}.TM.blf 197 | processed file: C:\WINDOWS\system32\config\DRIVERS{53b39e70-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 198 | processed file: C:\WINDOWS\system32\config\DRIVERS{53b39e70-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 199 | processed file: C:\WINDOWS\system32\config\ELAM 200 | processed file: C:\WINDOWS\system32\config\ELAM.LOG1 201 | processed file: C:\WINDOWS\system32\config\ELAM.LOG2 202 | processed file: C:\WINDOWS\system32\config\ELAM{53b39eac-18c4-11ea-a811-000d3aa4692b}.TM.blf 203 | processed file: 
C:\WINDOWS\system32\config\ELAM{53b39eac-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 204 | processed file: C:\WINDOWS\system32\config\ELAM{53b39eac-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 205 | processed file: C:\WINDOWS\system32\config\Journal 206 | processed file: C:\WINDOWS\system32\config\RegBack 207 | processed file: C:\WINDOWS\system32\config\SAM 208 | processed file: C:\WINDOWS\system32\config\SAM.LOG1 209 | processed file: C:\WINDOWS\system32\config\SAM.LOG2 210 | processed file: C:\WINDOWS\system32\config\SAM{53b39e57-18c4-11ea-a811-000d3aa4692b}.TM.blf 211 | processed file: C:\WINDOWS\system32\config\SAM{53b39e57-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 212 | processed file: C:\WINDOWS\system32\config\SAM{53b39e57-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 213 | processed file: C:\WINDOWS\system32\config\SECURITY 214 | processed file: C:\WINDOWS\system32\config\SECURITY.LOG1 215 | processed file: C:\WINDOWS\system32\config\SECURITY.LOG2 216 | processed file: C:\WINDOWS\system32\config\SECURITY{53b39e4b-18c4-11ea-a811-000d3aa4692b}.TM.blf 217 | processed file: C:\WINDOWS\system32\config\SECURITY{53b39e4b-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 218 | processed file: C:\WINDOWS\system32\config\SECURITY{53b39e4b-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 219 | processed file: C:\WINDOWS\system32\config\SOFTWARE 220 | processed file: C:\WINDOWS\system32\config\SOFTWARE.LOG1 221 | processed file: C:\WINDOWS\system32\config\SOFTWARE.LOG2 222 | processed file: C:\WINDOWS\system32\config\SOFTWARE{53b39e2f-18c4-11ea-a811-000d3aa4692b}.TM.blf 223 | processed file: C:\WINDOWS\system32\config\SOFTWARE{53b39e2f-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 224 | processed file: 
C:\WINDOWS\system32\config\SOFTWARE{53b39e2f-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 225 | processed file: C:\WINDOWS\system32\config\SYSTEM 226 | processed file: C:\WINDOWS\system32\config\SYSTEM.LOG1 227 | processed file: C:\WINDOWS\system32\config\SYSTEM.LOG2 228 | processed file: C:\WINDOWS\system32\config\systemprofile 229 | processed file: C:\WINDOWS\system32\config\SYSTEM{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TM.blf 230 | processed file: C:\WINDOWS\system32\config\SYSTEM{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms 231 | processed file: C:\WINDOWS\system32\config\SYSTEM{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms 232 | processed file: C:\WINDOWS\system32\config\TxR 233 | processed file: C:\WINDOWS\system32\config\userdiff 234 | processed file: C:\WINDOWS\system32\config\userdiff.LOG1 235 | processed file: C:\WINDOWS\system32\config\userdiff.LOG2 236 | Successfully processed 66 files; Failed processing 0 files 237 | Successfully Updated folder permissions for C:\WINDOWS\system32\config 238 | Deleting Volume Shadow Copies of System Drive 239 | -------------------- 240 | --System Mitigated-- 241 | -------------------- 242 | Warning: Running this mitigation script will remove all SystemDrive shadow copies. This will prevent restoration - the backups are deleted. It is recommended to run a command like this to create a fresh, properly permissioned shadow copy following mitigation: (gwmi -list win32_shadowcopy).Create("$env:systemdrive\",'ClientAccessible') 243 | 244 | [ * ] Removing HiveNightmare.ps1 245 | ``` 246 | 247 | 248 | ​ 249 | This script is compatible with the full VMware Carbon Black Cloud API and requires the python cbapi --------------------------------------------------------------------------------
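As an added, read-only companion to the check shown above (example code, not part of the HiveNightmare project), the PowerShell below lists which files under System32\config grant read access to BUILTIN\Users and how many shadow copies of the system drive currently exist, which is why the mitigation output above ends with "Deleting Volume Shadow Copies of System Drive". It assumes the "vulnerable" condition is that ACL entry (S-1-5-32-545 holding ReadData) and that it is run from an elevated session; it changes nothing on the host.

```powershell
# Added example, not the project's HiveNightmare.ps1. Read-only: reports, never modifies.
# Assumption: a hive file is "exposed" when BUILTIN\Users (S-1-5-32-545) holds an Allow
# ACE that includes ReadData. Run elevated so Get-Acl can read every file's descriptor.

$ConfigDir = Join-Path $env:SystemRoot 'System32\config'
$UsersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$ReadMask  = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveFileExposed {
    # Returns $true when BUILTIN\Users can read the file at $Path.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Normalise the ACE principal to a SID so the comparison is locale-independent.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $UsersSid -and (($ace.FileSystemRights -band $ReadMask) -eq $ReadMask)) {
            return $true
        }
    }
    return $false
}

function Get-SystemDriveShadowCopyCount {
    # Shadow copies keep the old, permissive copies of the hives readable after the
    # live ACLs are fixed, which is why the mitigation removes them.
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$env:SystemDrive'"
    @(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $vol.DeviceID }).Count
}

$exposed = @(Get-ChildItem -LiteralPath $ConfigDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { Test-HiveFileExposed -Path $_.FullName })

if ($exposed.Count -gt 0) {
    '---------------------'; '--System Vulnerable--'; '---------------------'
    $exposed | ForEach-Object { "readable by BUILTIN\Users: $($_.FullName)" }
} else {
    '-------------------------'; '--System Not Vulnerable--'; '-------------------------'
}
"Shadow copies of $env:SystemDrive present: $(Get-SystemDriveShadowCopyCount)"
```

A non-zero shadow copy count on a host that was exposed means the pre-mitigation hive contents may still be readable through those snapshots until they are removed or replaced as the mitigation script's warning describes.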