/// <summary>
/// Raises an <see cref="IShareCollector"/> event on the event bus with a fresh
/// <see cref="ShareCollector"/> and returns whatever shares the collector holds
/// afterwards. Which handler populates the collector is not visible here.
/// </summary>
/// <returns>The shares gathered by the collector (possibly empty).</returns>
private IEnumerable<IShare> GetShares()
{
    ShareCollector collector = new ShareCollector();

    // Subscribers are expected to fill the collector during the trigger.
    this.eventBus.Trigger<IShareCollector>(collector);

    return collector.Shares;
}
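/// <summary>
/// Search for the NetWalker Readme file in a file list, keeping only the files
/// that are NOT located under any detected share.
/// </summary>
/// <see cref="ListReadme(List{string})"/>
/// <see cref="ListReadmeOnShares(List{string})"/>
/// <param name="files">
/// Paths to inspect. Assumed to be absolute Windows paths so the share-prefix
/// comparison below is meaningful — TODO confirm against the scanner output.
/// </param>
/// <returns>Sorted list of the Readme paths found outside all shares.</returns>
/// <exception cref="ArgumentNullException"><paramref name="files"/> is null.</exception>
public static List<string> ListReadmeNotOnShares(List<string> files)
{
    if (files == null)
    {
        throw new ArgumentNullException(nameof(files));
    }

    Logger.Console("Filter detected files not on shares");
    List<string> readme = new List<string>();
    List<string> shares = ShareCollector.GetShares();

    foreach (string file in files)
    {
        // A file counts as "not on a share" only when it sits under NONE of the
        // shares. The previous per-share test added the file as soon as it failed
        // to match a single share: with two or more shares every file (including
        // files on a share) was added, once per non-matching share; with zero
        // shares nothing was added at all.
        bool onShare = false;
        foreach (string share in shares)
        {
            // Case-insensitive prefix match without allocating lowered copies.
            if (file.StartsWith(share + "\\", StringComparison.OrdinalIgnoreCase))
            {
                onShare = true;
                break;
            }
        }

        if (!onShare)
        {
            AddIfReadme(readme, file);
        }
    }

    readme.Sort();
    Logger.WriteFile(readme);
    return readme;
}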
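/// <summary>
/// The entry point of the analyser: creates the result directory, requires
/// administrator rights, inventories mounted drives and shares, scans the file
/// system for NetWalker Readme files and suspicious executables, checks for an
/// "adfs" user account, then prints a Locked / Unclean / Clean verdict.
/// </summary>
/// <param name="args">Command line args (not used by this version).</param>
static void Main(string[] args)
{
    // Results go to a host- and time-stamped folder under the root of C:.
    // Local time is used on purpose: the name is meant for a human reading the box.
    Logger.ResultDir = "C:\\NWA-(" + HostDataCollector.GetHostname() + ")-Result-"
        + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss");
    Directory.CreateDirectory(Logger.ResultDir);
    Logger.Console("Running on " + HostDataCollector.GetHostname());

    if (HostDataCollector.IsAdministrator())
    {
        Logger.Console("Running as Administrator, continue");
    }
    else
    {
        // Without elevation the drive/share scan cannot be trusted; abort rather
        // than risk reporting a false "Clean".
        Logger.Console("Not running as Administrator, abort !");
        Console.ReadLine();
        Environment.Exit(1);
    }

    // Query each collector once and reuse the result (previously disks, shares
    // and the adfs check were each queried twice).
    var disks = FileSystemAnalyser.GetDisks();
    Logger.Console("Mounted drives:");
    foreach (string disk in disks)
    {
        Logger.Console(" - " + disk);
    }
    Logger.WriteFile("Drives", disks);

    var shares = ShareCollector.GetShares();
    Logger.Console("Shares:");
    foreach (string share in shares)
    {
        Logger.Console(" - " + share);
    }
    Logger.WriteFile("Shares", shares);

    List<string> files = FileSystemAnalyser.Scan();
    List<string> allReadme = FileSystemAnalyser.ListReadme(files);
    List<string> sharesReadme = FileSystemAnalyser.ListReadmeOnShares(files);
    List<string> notSharesReadme = FileSystemAnalyser.ListReadmeNotOnShares(files);
    bool exePresent = FileSystemAnalyser.HasSuspiciousExe(files);

    if (allReadme.Count > 0)
    {
        Logger.Console("!!!!! Readme file detected, this machine is compromised !!!!!");
    }

    List<string> users = UserAccountCollector.GetUsers();
    // Windows account names are case-insensitive; a plain Contains("adfs") would
    // miss "ADFS" / "Adfs".
    if (users.Exists(u => string.Equals(u, "adfs", StringComparison.OrdinalIgnoreCase)))
    {
        Logger.Console("!!!!! adfs account detected, this machine may be compromised !!!!!");
    }

    Logger.WriteFile("Malicious-Present", exePresent ? "True" : "False");

    // Deliberately NOT removing the adfs account/directory here (original author's
    // note); it is left in place and only reported.
    //UserAccountCollector.RemoveUser("adfs");

    // The registry scan is not used by the NetWalker variant this tool targets.
    //RegistryAnalyser.Scan();

    bool adfsPresent = UserAccountCollector.HasAdfs();
    Logger.WriteFile("ADFS-Present", adfsPresent ? "True" : "False");

    if (allReadme.Count > 0 || exePresent)
    {
        ResultDisplayer.Locked();
        Logger.Console("Readme found: " + allReadme.Count);
        Logger.Console("Readme found on drives: " + notSharesReadme.Count);
        Logger.Console("Readme found on shares: " + sharesReadme.Count);
        Logger.Console("Malicious EXE present: " + (exePresent ? "Yes" : "No"));
        Console.WriteLine();
    }
    else if (adfsPresent)
    {
        ResultDisplayer.Unclean();
        Logger.Console("ADFS account detected");
        Console.WriteLine();
    }
    else
    {
        ResultDisplayer.Clean();
    }

    Console.WriteLine("Press Enter to quit...");
    Console.ReadLine();
}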