COATHANGER FortiGate IOC Checker

This repository contains:

  1. Indicators of Compromise (IOCs) from the MIVD & AIVD advisory on the COATHANGER malware.
  2. The coathanger.py script which checks for the presence of these IOCs on a FortiGate disk image using the Dissect framework.

The following checks are currently implemented in coathanger.py:

  • Known malicious file locations as provided in the advisory
  • YARA rules as provided in the advisory
  • Binaries whose modification timestamps deviate from those of the other binaries on the system
  • Non-standard hidden folders in /data and /data2
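The following is an added example, not the project's own coathanger.py: it shows the detection logic behind three of the checks listed above (known malicious paths, non-standard hidden directories, and deviating modification times) run over a constructed directory listing. The real script walks a FortiGate disk image with Dissect; here the listing is a plain in-memory list so the example runs offline. The known-path set contains only the paths visible in the sample output further down this page (the advisory's list is longer), the EXPECTED_HIDDEN_DIRS allowlist and the /bin file names are hypothetical, and the timestamp check is this example's interpretation of "deviating modification times": a binary whose mtime differs from the most common mtime in its directory.

```python
"""Added example, not the project's coathanger.py: detection logic for three of
the README's checks, run over a constructed listing instead of a Dissect target."""
from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath

# Only the IOC paths visible in the README's sample output; the advisory's
# full list is longer and is not reproduced here.
KNOWN_MALICIOUS_PATHS = {
    "/data2/.bd.key",
    "/data2/.bd.key/httpsd",
    "/data2/.bd.key/newcli",
    "/data2/.bd.key/preload.so",
    "/data2/.bd.key/sh",
    "/data2/.bd.key/authd",
    "/etc/ld.so.preload",
}

# Hypothetical allowlist of hidden directories treated as standard under
# /data and /data2. The project's own allowlist is not shown on this page.
EXPECTED_HIDDEN_DIRS = {"/data/.tmp"}


@dataclass(frozen=True)
class Entry:
    path: str      # absolute POSIX path inside the image
    is_dir: bool
    mtime: int     # modification time, seconds since the epoch


@dataclass(frozen=True)
class Alert:
    confidence: str
    kind: str
    alert: str
    source: str


def check_known_paths(entries):
    """Exact-path match against the known malicious locations."""
    return [Alert("high", "file", "Suspicious file found", e.path)
            for e in entries if e.path in KNOWN_MALICIOUS_PATHS]


def check_hidden_dirs(entries, roots=("/data", "/data2"), allow=EXPECTED_HIDDEN_DIRS):
    """Dot-directories directly under the data partitions that are not allowlisted."""
    alerts = []
    for e in entries:
        p = PurePosixPath(e.path)
        if not (e.is_dir and p.name.startswith(".")):
            continue
        if str(p.parent) in roots and e.path not in allow:
            alerts.append(Alert("medium", "dir", "Non-standard hidden directory", e.path))
    return alerts


def check_mtime_outliers(entries, directory="/bin"):
    """Flag files whose mtime differs from the directory's most common mtime.

    A firmware image writes its binaries in one go, so a lone deviating
    timestamp is worth a look. If no two files share an mtime there is no
    baseline and nothing is flagged.
    """
    files = [e for e in entries
             if not e.is_dir and str(PurePosixPath(e.path).parent) == directory]
    if not files:
        return []
    modal_mtime, count = Counter(e.mtime for e in files).most_common(1)[0]
    if count < 2:
        return []
    return [Alert("medium", "file", "Deviating modification time", e.path)
            for e in files if e.mtime != modal_mtime]


def run_checks(entries):
    return (check_known_paths(entries) + check_hidden_dirs(entries)
            + check_mtime_outliers(entries))


def render(alerts):
    """Plain-text table in the same layout as the README's sample output."""
    rows = [("Confidence", "Type", "Alert", "Source")]
    rows += [(a.confidence, a.kind, a.alert, a.source) for a in alerts]
    widths = [max(len(r[i]) for r in rows) for i in range(4)]
    fmt = lambda r: "  ".join(c.ljust(w) for c, w in zip(r, widths))
    return "\n".join([fmt(rows[0]), "  ".join("-" * w for w in widths)]
                     + [fmt(r) for r in rows[1:]])


# Constructed listing: the firmware binaries share one mtime, one binary was
# rewritten a month later, and a hidden directory holding the implant sits
# under /data2. File names other than the IOC paths are hypothetical.
BASE = 1_700_000_000
SAMPLE_ENTRIES = [
    Entry("/bin/init", False, BASE),
    Entry("/bin/httpsd", False, BASE),
    Entry("/bin/sshd", False, BASE),
    Entry("/bin/newcli", False, BASE + 30 * 86400),
    Entry("/data/.tmp", True, BASE),
    Entry("/data2/logs", True, BASE),
    Entry("/data2/.bd.key", True, BASE + 30 * 86400),
    Entry("/data2/.bd.key/preload.so", False, BASE + 30 * 86400),
    Entry("/etc/ld.so.preload", False, BASE + 30 * 86400),
]

if __name__ == "__main__":
    found = run_checks(SAMPLE_ENTRIES)
    print(f"Found {len(found)} COATHANGER indicators of compromise")
    print(render(found))
```

On the constructed listing this reports five alerts: the three known paths, the hidden /data2/.bd.key directory, and /bin/newcli as a timestamp outlier. Note that /data2/.bd.key is reported twice, once by the path check and once by the hidden-directory check; the two checks are independent, which is what lets the second one catch a hidden directory under a name the advisory does not list.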

Warning

Please read the following carefully before taking action on your FortiGate device(s):

  • This script implements only a subset of the detection methods described in the advisory. Use it in addition to those methods, never instead of them.
  • This script should be run on a forensic disk image of a FortiGate system, not on the FortiGate device itself.
  • This script is in no way a replacement for a proper forensic investigation. It can produce false negatives and false positives, so use your own judgement before acting on its output.

Installation and Usage

Use the following steps to install the COATHANGER IOC Checker:

  1. git clone https://github.com/JSCU-NL/COATHANGER.git
  2. cd COATHANGER/
  3. python3 -m venv venv && . venv/bin/activate
  4. pip install -r requirements.txt

You can now run python coathanger.py <TARGET> to start an IOC check against your disk image(s).

$ python coathanger.py /path/to/disk.img
  ____ ___    _  _____ _   _    _    _   _  ____ _____ ____  
 / ___/ _ \  / \|_   _| | | |  / \  | \ | |/ ___| ____|  _ \ 
| |  | | | |/ _ \ | | | |_| | / _ \ |  \| | |  _|  _| | |_) |
| |__| |_| / ___ \| | |  _  |/ ___ \| |\  | |_| | |___|  _ < 
 \____\___/_/   \_\_| |_| |_/_/   \_\_| \_|\____|_____|_| \_\


COATHANGER FortiGate IOC Checker
https://github.com/JSCU-NL/COATHANGER


2024-02-06T13:37:01.000000Z [info     ] Scanning target /path/to/disk.img
2024-02-06T13:37:02.000000Z [info     ] Searching for suspicious files
2024-02-06T13:37:03.000000Z [info     ] Scanning using YARA rules
2024-02-06T13:37:04.000000Z [info     ] Searching for non-standard hidden directories
2024-02-06T13:37:05.000000Z [info     ] Searching for deviating file modification times
2024-02-06T13:37:06.000000Z [warning  ] Found 7 COATHANGER indicators of compromise on system /path/to/disk.img

Confidence    Type    Alert                  Source
------------  ------  ---------------------  -------------------------
high          file    Suspicious file found  /data2/.bd.key/httpsd
high          file    Suspicious file found  /data2/.bd.key/newcli
high          file    Suspicious file found  /data2/.bd.key
high          file    Suspicious file found  /data2/.bd.key/preload.so
high          file    Suspicious file found  /data2/.bd.key/sh
high          file    Suspicious file found  /data2/.bd.key/authd
high          file    Suspicious file found  /etc/ld.so.preload
