write() public method

public write ( string input ) : void
input string
return void
Beispiel #1
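        /// <summary>
        /// File-system watcher callback that flags executables whose size matches a known
        /// tool build and records the hit through the shared log writer.
        /// </summary>
        /// <remarks>
        /// The match is on exact file size plus an ".exe" substring in the file name, so it is
        /// a weak indicator: unrelated files of the same size will alert, and a binary of any
        /// other size will not. Treat a hit as a lead to corroborate (file hash, signer,
        /// creating process) rather than as a verdict.
        /// </remarks>
        /// <param name="sender">The watcher that raised the event; not used.</param>
        /// <param name="e">Carries the full path of the changed file.</param>
        private void psexecChanged(object sender, FileSystemEventArgs e)
        {
            // Size signatures, in bytes.
            const long meterpreterSize = 73802; // possible Meterpreter
            const long psexecSize = 15872;      // possible PsExec

            try
            {
                FileInfo f = new FileInfo(e.FullPath);

                // Windows file names are case-insensitive, so "PAYLOAD.EXE" must match as well.
                // Still a substring test (not an extension test) so every name the previous
                // case-sensitive check accepted is accepted here too.
                if (f.Name.IndexOf(".exe", StringComparison.OrdinalIgnoreCase) < 0)
                {
                    return;
                }

                string detect;
                if (f.Length == meterpreterSize)
                {
                    detect = "Likely Meterpreter Executable";
                }
                else if (f.Length == psexecSize)
                {
                    detect = "Likely PSExec Executable";
                }
                else
                {
                    return;
                }

                string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();
                w.write(date, e.FullPath, detect);
            }
            catch (Exception)
            {
                // Best effort: the file may already be gone or still locked by its writer when
                // the event arrives. NOTE(review): a failure inside w.write is swallowed here as
                // well, which silently drops the alert - consider reporting it somewhere.
                return;
            }
        }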
Beispiel #2
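        /// <summary>
        /// Timer callback that scans one process and, on a hit, either kills it
        /// (prevention mode) or only reports it.
        /// </summary>
        /// <remarks>
        /// The process is scanned once. The earlier shape scanned a "java" process, possibly
        /// killed it, and then scanned and acted on the same process again, so a hit produced
        /// two log records and, in prevention mode, a second Kill() on a process that had just
        /// been terminated. A java hit is now reported once, under the Java label.
        /// </remarks>
        /// <param name="sender">The timer that fired; it is stopped so it does not fire again.</param>
        /// <param name="e">Elapsed event data; not used.</param>
        /// <param name="p">Process to scan.</param>
        /// <param name="date">Timestamp text written with the log record.</param>
        public void t_Elapsed(object sender, ElapsedEventArgs e, Process p, string date)
        {
            Timer t = (Timer)sender;

            t.Stop();

            // Read the name before any Kill(): it is used for both the label choice and the message.
            string processName = p.ProcessName;
            bool isJava = processName == "java";

            if (!Utilities.scanProcess(p))
            {
                return;
            }

            builder.Clear();
            builder.Append(processName);

            if (AntiPwny.PreventionMode)
            {
                builder.Append(" Killed.");

                // NOTE(review): if Kill() throws (process already exited, access denied) the
                // record below is never written and the detection is lost - consider logging
                // the hit even when termination fails.
                p.Kill();

                w.write(date, builder.ToString(), isJava ? "Java Meterpreter" : "Meterpreter");
            }
            else
            {
                builder.Append(isJava
                    ? " memory contains java meterpreter signature."
                    : " memory contains meterpreter signature.");

                w.write(date, builder.ToString(), isJava ? "Java Meterpreter Found" : "Meterpreter Found");
            }
        }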
Beispiel #3
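        /// <summary>
        /// Re-reads HKLM\System\CurrentControlSet\services, reports newly seen services whose
        /// ImagePath matches a persistence pattern, and drops tracked services that no longer exist.
        /// </summary>
        /// <remarks>
        /// Every service key seen for the first time is added to <c>serviceReg</c>. A new entry
        /// is reported when its ImagePath contains both "cscript" and ".vbs", or contains
        /// "metsvc". Matching ignores case because Windows paths are case-insensitive. These are
        /// substring heuristics, so a hit should be confirmed against the service binary itself.
        /// </remarks>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="e">Event data; not used.</param>
        private void serviceEvent(object sender, EventArrivedEventArgs e)
        {
            HashSet<string> present = new HashSet<string>();

            using (RegistryKey key = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services"))
            {
                if (key == null)
                {
                    return;
                }

                foreach (string s in key.GetSubKeyNames())
                {
                    string path;
                    using (RegistryKey temp = key.OpenSubKey(s))
                    {
                        if (temp == null)
                        {
                            // Subkey disappeared between enumeration and open; treat it as absent.
                            continue;
                        }

                        path = temp.GetValue("ImagePath") as string;
                    }

                    present.Add(s);

                    if (serviceReg.ContainsKey(s))
                    {
                        continue;
                    }

                    serviceReg.Add(s, path);

                    // Not every service key has a string ImagePath. Without this guard one such
                    // key threw a NullReferenceException and ended the scan for all later services.
                    if (path == null)
                    {
                        continue;
                    }

                    string label = null;
                    string detection = null;

                    if (path.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0 &&
                        path.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        label = "Meterpreter Persistence Service";
                        detection = "Persistence";
                    }
                    else if (path.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        label = "Metsvc Registry Entry";
                        detection = "Metsvc";
                    }

                    if (detection == null)
                    {
                        continue;
                    }

                    string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();

                    builder.Clear();
                    builder.Append("HKLM\\System\\CurrentControlSet\\services\\");
                    builder.Append(s);
                    builder.Append(" - ");
                    builder.Append(path);

                    w.write(date, builder.ToString(), label);

                    RegistryKeyObject evt = new RegistryKeyObject();
                    evt.Key       = "HKLM\\System\\CurrentControlSet\\services";
                    evt.KeyName   = s;
                    evt.Detection = detection;
                    evt.KeyType   = "Service";
                    evt.Path      = "HKLM\\System\\CurrentControlSet\\services\\" + s;
                    addRegistry(this, evt);
                }
            }

            // Collect first, remove afterwards: serviceReg cannot be modified while it is enumerated.
            List<string> toremove = new List<string>();

            foreach (string s in serviceReg.Keys)
            {
                if (!present.Contains(s))
                {
                    toremove.Add(s);
                }
            }

            foreach (string s in toremove)
            {
                serviceReg.Remove(s);
                removedEntry(this, s);
            }
        }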
Beispiel #4
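        /// <summary>
        /// Called every time a new event-log entry is written; records remote logons and
        /// account changes through the shared log writer.
        /// </summary>
        /// <remarks>
        /// Only success-audit entries are inspected. Field values are taken from the entry's
        /// message text with regular expressions on the English field labels ("Logon Type:",
        /// "Account Name:", ...), so an entry whose message uses other labels is ignored.
        /// Extracted values originate outside this program (account names, source addresses);
        /// all whitespace including CR and LF is stripped from them before they are logged so a
        /// value cannot leave a stray line break in the log record.
        /// </remarks>
        /// <param name="source">Event source; not used.</param>
        /// <param name="e">Carries the entry that was just written.</param>
        public void entryWritten(object source, EntryWrittenEventArgs e)
        {
            EventLogEntry entry = e.Entry;

            if (entry.EntryType != EventLogEntryType.SuccessAudit)
            {
                return;
            }

            string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();
            string message = entry.Message;
            int logonType;
            string address;

            switch (entry.InstanceId)
            {
                case 4624:
                    // Successful logon; logon type 10 is a remote-interactive (RDP) session.
                    if (tryGetLogonType(message, out logonType) && logonType == 10 &&
                        tryGetSourceAddress(message, out address))
                    {
                        w.write(date, "RDP Logon from " + address, "Remote RDP Logon");
                    }
                    break;

                case 4724:
                {
                    // Password change.
                    // NOTE(review): 4724 is documented as "an attempt was made to reset an
                    // account's password" - confirm the wording of the record below.
                    Match target = Regex.Match(message, @"Account Name:(.*)");

                    if (target.Success)
                    {
                        // The second "Account Name:" line is the one reported here.
                        target = target.NextMatch();
                        w.write(date, "Password was changed for " + cleanEventField(target.Groups[1].Value), "Password Change");
                    }
                    break;
                }

                case 4722:
                    // User created.
                    // NOTE(review): 4722 is documented as "a user account was enabled"; account
                    // creation is 4720 - confirm which event is intended.
                    writeAccountChange(message, date, " created by ", "User Created");
                    break;

                case 4726:
                    // User deleted.
                    writeAccountChange(message, date, " deleted by ", "User Deleted");
                    break;

                case 7035:
                    // Service installed (needs to be implemented).
                    break;

                case 4634:
                    // PSExec logoff; logon type 3 is a network logon.
                    // NOTE(review): 4634 is the logoff event - confirm its message carries a
                    // "Source Network Address:" line, otherwise this branch never reports.
                    if (tryGetLogonType(message, out logonType) && logonType == 3)
                    {
                        Match user = Regex.Match(message, @"Account Name:(.*)");

                        if (!user.Groups[1].Value.Contains("ANONYMOUS LOGON") &&
                            tryGetSourceAddress(message, out address))
                        {
                            w.write(date, "PSExec Logon from " + address, "PSExec Logon");
                        }
                    }
                    break;
            }
        }

        // Removes spaces, tabs, CR and LF from a value captured out of an event message.
        private static string cleanEventField(string raw)
        {
            return raw.Replace(" ", string.Empty)
                      .Replace("\t", string.Empty)
                      .Replace("\r", string.Empty)
                      .Replace("\n", string.Empty);
        }

        // Reads the numeric "Logon Type:" field; returns false when it is missing or not a number
        // instead of letting a FormatException escape the event handler.
        private static bool tryGetLogonType(string message, out int logonType)
        {
            logonType = 0;
            Match m = Regex.Match(message, @"Logon Type:(.*)");
            return m.Success && int.TryParse(m.Groups[1].Value.Trim(), out logonType);
        }

        // Reads the "Source Network Address:" field; returns false when it is missing or holds
        // a value containing "-" (the placeholder written when there is no remote address).
        private static bool tryGetSourceAddress(string message, out string address)
        {
            address = null;
            Match m = Regex.Match(message, @"Source Network Address:(.*)");

            if (!m.Success)
            {
                return false;
            }

            address = cleanEventField(m.Groups[1].Value);
            return !address.Contains("-");
        }

        // Writes a "User X in domain D <verb> Y" record for an account-management event.
        private void writeAccountChange(string message, string date, string verb, string label)
        {
            // First "Account Name:" line is taken as the acting account, the second as the target.
            Match firstAccount = Regex.Match(message, @"Account Name:(.*)");

            string user    = cleanEventField(firstAccount.NextMatch().Groups[1].Value);
            // NOTE(review): this is the first "Account Domain:" line, which presumably belongs
            // to the acting account rather than the target - confirm.
            string domain  = cleanEventField(Regex.Match(message, @"Account Domain:(.*)").Groups[1].Value);
            string creator = cleanEventField(firstAccount.Groups[1].Value);

            builder.Clear();

            builder.Append("User ");
            builder.Append(user);
            builder.Append(" in domain ");
            builder.Append(domain);
            builder.Append(verb);
            builder.Append(creator);

            w.write(date, builder.ToString(), label);
        }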