joeavanzato / trawler
PowerShell script to help Incident Responders discover potential adversary persistence mechanisms.
License: MIT License
Currently we are using PowerShell cmdlets to retrieve this information - need to get the same information from the files directly for use in deadbox analysis.
I have a thought on a somewhat easy way to transition from csv to json if that is something that you're interested in. In quite a few places where detections are created to be output they look similar to this:
$detection = [PSCustomObject]@{
    Name = 'Narrator Missing DLL is Present'
    Risk = 'Medium'
    Source = 'Windows Narrator'
    Technique = "T1546: Event Triggered Execution"
    Meta = "File: "+$item.FullName+", Created: "+$item.CreationTime+", Last Modified: "+$item.LastWriteTime
}
I think we could take the Metadata and use the object directly so it will convert to json better. i.e.:
$detection = [PSCustomObject]@{
    Name = 'Narrator Missing DLL is Present'
    Risk = 'Medium'
    Source = 'Windows Narrator'
    Technique = "T1546: Event Triggered Execution"
    Meta = $item | Select FullName, CreationTime, LastWriteTime
}
This way we are able to convert the PSCustomObject into proper json using the headers that correlate to the object. I think a couple helper methods could be created to easily convert to either json or csv with somewhat minimal uplift.
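One way to implement the helpers proposed above, as an added example rather than Trawler's own code: a constructor that keeps Meta as a structured object, and a single exporter that writes the same detection list as JSON (nested Meta preserved) or CSV (Meta flattened back into "Key: Value" pairs, since CSV has no nesting). The function names New-TrawlerDetection and Export-TrawlerDetections, the sample file item and the output paths are assumptions for the example.

```powershell
# Added example, not Trawler project code. Function names are assumed.

function New-TrawlerDetection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Risk,
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Technique,
        # Meta is an object (PSCustomObject or hashtable), not a pre-built string
        [Parameter(Mandatory)] $Meta
    )
    [PSCustomObject]@{
        Name      = $Name
        Risk      = $Risk
        Source    = $Source
        Technique = $Technique
        Meta      = [PSCustomObject]$Meta
    }
}

function Export-TrawlerDetections {
    param(
        [Parameter(Mandatory)] [object[]] $Detections,
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('json', 'csv')] [string] $Format = 'csv'
    )
    switch ($Format) {
        'json' {
            # Raise -Depth above the default of 2 so nested Meta is never collapsed to a string
            $Detections | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
        }
        'csv' {
            # CSV cannot carry a nested object: flatten Meta into "Key: Value, Key: Value"
            $Detections | ForEach-Object {
                $flatMeta = ($_.Meta.PSObject.Properties |
                    ForEach-Object { "$($_.Name): $($_.Value)" }) -join ', '
                [PSCustomObject]@{
                    Name      = $_.Name
                    Risk      = $_.Risk
                    Source    = $_.Source
                    Technique = $_.Technique
                    Meta      = $flatMeta
                }
            } | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
        }
    }
}

# Constructed sample standing in for a Get-ChildItem result (path and times are made up)
$item = [PSCustomObject]@{
    FullName      = 'C:\Windows\System32\constructed-sample.dll'
    CreationTime  = Get-Date '2024-01-02 03:04:05'
    LastWriteTime = Get-Date '2024-01-02 03:04:05'
}

$detections = @(
    New-TrawlerDetection -Name 'Narrator Missing DLL is Present' -Risk 'Medium' `
        -Source 'Windows Narrator' -Technique 'T1546: Event Triggered Execution' `
        -Meta ($item | Select-Object FullName, CreationTime, LastWriteTime)
)

Export-TrawlerDetections -Detections $detections -Path (Join-Path $env:TEMP 'detections.json') -Format json
Export-TrawlerDetections -Detections $detections -Path (Join-Path $env:TEMP 'detections.csv')  -Format csv
```

The JSON output keeps FullName, CreationTime and LastWriteTime as separate keys that a SIEM or a later script can query directly; the CSV writer is the only place that still knows how to serialize Meta to text, so the detection-creation sites never need to change again when a new output format is added.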
For offline drive analysis, we cannot directly query CIM classes for obvious reasons.
Data related to WMI is stored in a few locations, provided below;
C:\Windows\System32\wbem\Repository\OBJECTS.DATA - Objects managed by WMI
C:\Windows\System32\wbem\Repository\INDEX.BTR - Index of files imported into OBJECTS.DATA
C:\Windows\System32\wbem\Repository\MAPPING*.MAP - Related OBJECTS.DATA with INDEX.BTR
Reference: https://netsecninja.github.io/dfir-notes/wmi-forensics/
A mechanism must be developed to, at minimum, extract CommandLine/Script FilterToConsumer Bindings to help assist alerting on suspicious CIM objects.
Multiple tools exist for this, taking slightly different approaches;
Need to research the above and determine what is enough for this use-case - probably the basic regex scan will work 'good enough' for detecting the relevant FilterToConsumer bindings for offline boxes but need to test first.
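An added example of the "basic regex scan" approach for offline boxes, not Trawler's own code and not one of the tools referred to above: it reads OBJECTS.DATA as raw bytes, looks for the consumer and binding class names the repository stores as plain ASCII, and returns the printable strings around each hit (filter queries, consumer names, command lines) for triage. It deliberately does not parse INDEX.BTR or the MAPPING files. The function name Find-WmiConsumerIndicators, the 200-byte context window and the sample file are assumptions.

```powershell
# Added example, not Trawler project code. Function name and context size are assumed.

function Find-WmiConsumerIndicators {
    param(
        [Parameter(Mandatory)] [string] $ObjectsDataPath,
        [int] $Context = 200   # bytes of context kept on each side of a class-name hit
    )
    $bytes = [System.IO.File]::ReadAllBytes($ObjectsDataPath)
    # ISO-8859-1 maps each byte to exactly one char, so string offsets equal file offsets
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)

    $classes = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__FilterToConsumerBinding'
    $pattern = '(' + (($classes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

    foreach ($m in [regex]::Matches($text, $pattern)) {
        $start = [Math]::Max(0, $m.Index - $Context)
        $len   = [Math]::Min($text.Length - $start, $m.Length + 2 * $Context)
        $slice = $text.Substring($start, $len)
        # Keep printable runs of 6+ chars; these carry names, WQL filters and command lines
        $strings = [regex]::Matches($slice, '[\x20-\x7E]{6,}') | ForEach-Object { $_.Value }
        [PSCustomObject]@{
            Offset  = $m.Index
            Class   = $m.Value
            Strings = $strings -join ' | '
        }
    }
}

# Constructed stand-in for a real OBJECTS.DATA (real files are tens of megabytes):
# binary padding, the class names, and a harmless sample command line.
$ascii  = [System.Text.Encoding]::ASCII
$sample = [byte[]](0..31) +
          $ascii.GetBytes('__FilterToConsumerBinding') + [byte[]](0, 0, 0, 0) +
          $ascii.GetBytes('CommandLineEventConsumer')  + [byte[]](0, 0) +
          $ascii.GetBytes('cmd.exe /c echo constructed-sample') +
          [byte[]](0..31)
$tmp = Join-Path $env:TEMP 'OBJECTS.DATA.sample'
[System.IO.File]::WriteAllBytes($tmp, [byte[]]$sample)

Find-WmiConsumerIndicators -ObjectsDataPath $tmp | Format-List
```

Run it against the mounted repository with `Find-WmiConsumerIndicators -ObjectsDataPath 'D:\Windows\System32\wbem\Repository\OBJECTS.DATA'`. Because the scan works on raw bytes it also surfaces deleted-but-unoverwritten instances, which is useful for forensics but means a hit is an indicator to review, not a confirmed live binding.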
On line 15,139 of trawler.ps1 there is a variable named "$finhert", which I believe should be "$finherit" (with an i) as it is in the following lines. This is in the function "Check-TerminalServicesInitialProgram".
It's a bit dated by now but take a look at these launch points, in case there is something useful there that you aren't taking into account yet.
Currently, the code base lacks any form of testing - Pester tests should be developed to help keep development stable and ensure that functionality is not impacted when making any changes.
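As an added example of the kind of Pester test that would catch a regression here (not part of the Trawler repository): a small schema check that every detection object carries the five fields the output writers depend on, exercised by one passing and one failing case. Test-TrawlerDetection and the test layout are assumptions; the test targets Pester 5 syntax.

```powershell
# Added example, not Trawler project code. Save as Detection.Tests.ps1 and run Invoke-Pester.

function Test-TrawlerDetection {
    param([Parameter(Mandatory)] $Detection)
    $required = 'Name', 'Risk', 'Source', 'Technique', 'Meta'
    $present  = @($Detection.PSObject.Properties.Name)
    $missing  = @($required | Where-Object { $_ -notin $present })
    [PSCustomObject]@{
        IsValid = ($missing.Count -eq 0)
        Missing = $missing
    }
}

Describe 'Detection object schema' {
    It 'accepts a complete detection' {
        $d = [PSCustomObject]@{
            Name      = 'Narrator Missing DLL is Present'
            Risk      = 'Medium'
            Source    = 'Windows Narrator'
            Technique = 'T1546: Event Triggered Execution'
            Meta      = [PSCustomObject]@{ FullName = 'C:\constructed\sample.dll' }  # constructed
        }
        (Test-TrawlerDetection -Detection $d).IsValid | Should -BeTrue
    }

    It 'reports which field is missing' {
        # Meta deliberately omitted
        $d = [PSCustomObject]@{ Name = 'x'; Risk = 'Low'; Source = 's'; Technique = 't' }
        $result = Test-TrawlerDetection -Detection $d
        $result.IsValid | Should -BeFalse
        $result.Missing | Should -Be @('Meta')
    }
}
```

The same pattern scales to the individual Check-* functions: pipe their output through the schema test, and add one It block per function with a constructed registry key or file item so the suite runs without a live system.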
WARNING: Regex Error while parsing string: C:\\Program Files (x86)\Google\Update\.\psmachine..dll
WARNING: Please report this issue at https://github.com/joeavanzato/Trawler/issues
Will likely use https://github.com/mgreen27/Invoke-BitsParser or a variation for this since the hard work has already been done. Just need to cherry-pick and refactor for my own needs on this one.
In function Check-TrustProviderDLL, the pwrshsip.dll can also be found in C:\Windows\System32.
I got a script error when it was in the Registry parsing part.
parsing "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\.*\psmachine.*\.dll" - Malformed \p{X} character escape.
At C:\Users\MyName\Downloads\trawler.ps1:11400 char:37
+ ... if ($_.Value -match $default_hklm_com_lookups[$data.Name]){
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException
I'm not sure what the scanned string was, let me know how I can find out if you need help.
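The two error reports above share a root cause: the allowlist values are hand-written regexes holding Windows paths, and a single backslash before a letter (here `\p` in `\psmachine`) becomes a regex escape. As an added example (not Trawler's own code), the helper below builds the patterns from plain globs, escaping every literal part with [regex]::Escape, rejects any remaining hand-written pattern at load time, and wraps the match so one bad pattern warns instead of stopping the whole scan. ConvertTo-PathPattern, Test-PathAllowlisted and the sample paths are assumptions.

```powershell
# Added example, not Trawler project code. Function names and sample values are assumed.

function ConvertTo-PathPattern {
    # '*' in the glob means "any characters"; every other character is matched literally
    param([Parameter(Mandatory)] [string] $PathGlob)
    $parts = $PathGlob -split '\*' | ForEach-Object { [regex]::Escape($_) }
    '^' + ($parts -join '.*') + '$'
}

function Test-PathAllowlisted {
    param(
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [string[]] $Patterns
    )
    foreach ($p in $Patterns) {
        try {
            # -match is case-insensitive by default, which is what file paths need
            if ($Value -match $p) { return $true }
        } catch [System.ArgumentException] {
            # A malformed pattern must not abort the scan; report it and keep going
            Write-Warning "Regex Error while parsing pattern '$p' against '$Value': $($_.Exception.Message)"
        }
    }
    return $false
}

# Constructed allowlist written as globs, so no backslash is ever interpreted by the regex engine
$globs = @(
    'C:\Program Files (x86)\Microsoft\EdgeUpdate\*\psmachine*.dll'
    'C:\Program Files (x86)\Google\Update\*\psmachine*.dll'
)
$patterns = $globs | ForEach-Object { ConvertTo-PathPattern -PathGlob $_ }

# The hand-written pattern from the report fails to compile; validating once at load time
# surfaces the bad entry before any registry value is compared against it
$legacy = 'C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\.*\psmachine.*\.dll'
try { [void][regex]::new($legacy) } catch { Write-Warning "Rejected allowlist pattern: $($_.Exception.Message)" }

# Constructed registry values (version folder and file names are made up)
Test-PathAllowlisted -Value 'C:\Program Files (x86)\Microsoft\EdgeUpdate\1.2.3.4\psmachine_64.dll' -Patterns $patterns
Test-PathAllowlisted -Value 'C:\Users\Public\psmachine.dll' -Patterns $patterns
```

Keeping the allowlist as globs also makes the intent reviewable: a reader can see that only a versioned folder under EdgeUpdate is accepted, which is harder to confirm in a doubly-escaped regex string.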
In forensic investigations, investigators may end up mounting a target device from their analyst device - can we make Trawler work in these types of situations by allowing investigators to override the target drive?
For example, a drive may be mounted as 'D:', in which case the environment variables used throughout the script ($env:homedrive, $env:ProgramData, etc) will all be incorrect targets for analysis.
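One way to support the mounted-drive scenario described above, as an added example that is not Trawler's own code: derive every well-known location from a single target root instead of from $env:* variables, default that root to the live system so existing behaviour is unchanged, and expose per-user profiles by enumerating the mounted Users directory. Get-TrawlerTargetPaths is an assumed name; the directory layout is the standard Windows one.

```powershell
# Added example, not Trawler project code. Function name is assumed.

function Get-TrawlerTargetPaths {
    param(
        # Live system by default; an analyst passes -TargetDrive 'D:' for a mounted evidence volume
        [string] $TargetDrive = $env:SystemDrive
    )
    $root = $TargetDrive.TrimEnd('\') + '\'
    if (-not (Test-Path -LiteralPath $root)) {
        throw "Target drive '$root' is not accessible"
    }

    $paths = [ordered]@{
        Root         = $root
        SystemRoot   = Join-Path $root 'Windows'
        System32     = Join-Path $root 'Windows\System32'
        ProgramData  = Join-Path $root 'ProgramData'
        Users        = Join-Path $root 'Users'
        WbemRepo     = Join-Path $root 'Windows\System32\wbem\Repository'
        # Offline, the registry is a set of hive files rather than HKLM:\; a caller can
        # attach them under a temporary key with reg.exe load before querying them
        SystemHive   = Join-Path $root 'Windows\System32\config\SYSTEM'
        SoftwareHive = Join-Path $root 'Windows\System32\config\SOFTWARE'
    }
    # Per-user locations come from the mounted Users folder, never from $env:USERPROFILE
    $paths.UserProfiles = @(
        Get-ChildItem -LiteralPath $paths.Users -Directory -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    )
    [PSCustomObject]$paths
}

# Live system (equivalent to today's $env:-based behaviour)
Get-TrawlerTargetPaths

# Mounted evidence volume, only attempted when D: actually carries a Windows tree
if (Test-Path -LiteralPath 'D:\Windows') {
    Get-TrawlerTargetPaths -TargetDrive 'D:'
}
```

With a single source of truth for paths, each Check-* function takes the resolved object as a parameter, and the remaining live-only code (CIM queries, HKLM:\ lookups) can be gated on whether TargetDrive equals $env:SystemDrive.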