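/// <summary>
/// FileSystemWatcher callback: flags a newly written file whose size matches a known
/// Meterpreter (73802 bytes) or PsExec (15872 bytes) executable and logs it through <c>w</c>.
/// </summary>
/// <param name="sender">The watcher that raised the event.</param>
/// <param name="e">Carries the full path of the file that changed.</param>
private void psexecChanged(object sender, FileSystemEventArgs e)
{
    // Size-only heuristics: 73802 = possible Meterpreter, 15872 = possible PsExec.
    // These are weak indicators (any file of exactly that size is flagged, and a payload
    // built to a different size is missed); they are kept as the original author chose them.
    const long MeterpreterLength = 73802;
    const long PsexecLength = 15872;

    try
    {
        FileInfo f = new FileInfo(e.FullPath);

        // File names are case-insensitive on Windows, so ".EXE" has to match as well as ".exe".
        // The original Contains(".exe") substring semantics are kept deliberately.
        bool looksLikeExe = f.Name.IndexOf(".exe", StringComparison.OrdinalIgnoreCase) >= 0;
        if (!looksLikeExe)
        {
            return;
        }

        // Read the clock once so the date and time parts cannot straddle a minute boundary.
        DateTime now = DateTime.Now;
        string date = now.ToShortDateString() + " " + now.ToShortTimeString();

        // f.Length touches the file system and throws if the file is already gone.
        long length = f.Length;
        if (length == MeterpreterLength)
        {
            w.write(date, e.FullPath, "Likely Meterpreter Executable");
        }
        else if (length == PsexecLength)
        {
            w.write(date, e.FullPath, "Likely PSExec Executable");
        }
    }
    catch (Exception)
    {
        // Best-effort by design: the file may be locked, deleted or inaccessible by the time
        // the event is handled. The handler runs on the watcher's worker thread, where an
        // escaping exception would take the whole monitor down, so swallowing is deliberate.
        return;
    }
}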
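/// <summary>
/// One-shot timer callback that scans a single process for a Meterpreter memory signature
/// and either kills it (prevention mode) or only logs the finding.
/// </summary>
/// <param name="sender">The <see cref="Timer"/> that fired; it is stopped so the scan runs once.</param>
/// <param name="e">Timer arguments (unused).</param>
/// <param name="p">The process to scan.</param>
/// <param name="date">Timestamp text recorded with the log entry.</param>
public void t_Elapsed(object sender, ElapsedEventArgs e, Process p, string date)
{
    Timer t = (Timer)sender;
    t.Stop();

    // Scan exactly once. The original scanned a java process twice and, on a hit, logged it a
    // second time under the generic label (and in prevention mode tried to kill it again).
    if (!Utilities.scanProcess(p))
    {
        return;
    }

    // Process names are case-insensitive on Windows ("java" and "Java" are the same binary).
    bool isJava = string.Equals(p.ProcessName, "java", StringComparison.OrdinalIgnoreCase);
    string family = isJava ? "Java Meterpreter" : "Meterpreter";

    builder.Clear();
    builder.Append(p.ProcessName);
    if (AntiPwny.PreventionMode)
    {
        builder.Append(" Killed.");
        // Kill() can throw if the process exited between scan and kill; as in the original,
        // the log line is only written once the kill has gone through.
        p.Kill();
        w.write(date, builder.ToString(), family);
    }
    else
    {
        builder.Append(isJava
            ? " memory contains java meterpreter signature."
            : " memory contains meterpreter signature.");
        w.write(date, builder.ToString(), family + " Found");
    }
}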
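/// <summary>
/// WMI registry-event callback: re-enumerates HKLM\System\CurrentControlSet\services, records
/// services that appeared since the previous pass, flags those whose ImagePath looks like a
/// Meterpreter persistence script (cscript + .vbs) or the metsvc service, and drops entries
/// for services that have been removed.
/// </summary>
/// <param name="sender">The event watcher.</param>
/// <param name="e">WMI event arguments (not inspected; the services key is re-read instead).</param>
private void serviceEvent(object sender, EventArrivedEventArgs e)
{
    const string ServicesSubKey = "System\\CurrentControlSet\\services";
    const string ServicesHive = "HKLM\\System\\CurrentControlSet\\services";

    // Every service name seen in this pass; used afterwards to detect removed services.
    HashSet<string> seen = new HashSet<string>();

    // Registry handles are disposable; the original leaked both the parent and each subkey.
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey(ServicesSubKey))
    {
        if (key == null)
        {
            return; // key unreadable: nothing to compare against this pass
        }

        foreach (string s in key.GetSubKeyNames())
        {
            string path;
            using (RegistryKey temp = key.OpenSubKey(s))
            {
                // ImagePath may be missing or not a string (the original dereferenced it unconditionally
                // and would throw on such a service); treat it as absent instead.
                path = temp == null ? null : temp.GetValue("ImagePath") as string;
            }

            seen.Add(s);
            if (serviceReg.ContainsKey(s))
            {
                continue;
            }
            serviceReg.Add(s, path);

            // Registry paths are case-insensitive, so "CScript.exe" must match as well as "cscript".
            string imagePath = path ?? string.Empty;
            bool hasCscript = imagePath.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0;
            bool hasVbs = imagePath.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0;
            bool hasMetsvc = imagePath.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0;

            string logLabel = null;
            string detection = null;
            if (hasCscript && hasVbs)
            {
                logLabel = "Meterpreter Persistence Service";
                detection = "Persistence";
            }
            else if (hasMetsvc)
            {
                logLabel = "Metsvc Registry Entry";
                detection = "Metsvc";
            }
            if (logLabel == null)
            {
                continue;
            }

            // Read the clock once so date and time cannot straddle a minute boundary.
            DateTime now = DateTime.Now;
            string date = now.ToShortDateString() + " " + now.ToShortTimeString();

            builder.Clear();
            builder.Append(ServicesHive);
            builder.Append("\\");
            builder.Append(s);
            builder.Append(" - ");
            builder.Append(path);
            w.write(date, builder.ToString(), logLabel);

            RegistryKeyObject evt = new RegistryKeyObject();
            evt.Key = ServicesHive;
            evt.KeyName = s;
            evt.Detection = detection;
            evt.KeyType = "Service";
            evt.Path = ServicesHive + "\\" + s;
            addRegistry(this, evt);
        }
    }

    // Services that were known last pass but are gone now. Collected first because serviceReg
    // cannot be modified while it is being enumerated.
    List<string> toremove = new List<string>();
    foreach (string s in serviceReg.Keys)
    {
        if (!seen.Contains(s))
        {
            toremove.Add(s);
        }
    }
    foreach (string s in toremove)
    {
        serviceReg.Remove(s);
        removedEntry(this, s);
    }
}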
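/// <summary>
/// Called every time a new event log entry is written. Only SuccessAudit entries are
/// inspected; the fields of interest are pulled out of the message text by their label.
/// </summary>
/// <param name="source">The <see cref="EventLog"/> that raised the event.</param>
/// <param name="e">Carries the new <see cref="EventLogEntry"/>.</param>
public void entryWritten(object source, EntryWrittenEventArgs e)
{
    EventLogEntry entry = e.Entry;

    // Read the clock once so date and time cannot straddle a minute boundary.
    DateTime now = DateTime.Now;
    string date = now.ToShortDateString() + " " + now.ToShortTimeString();

    // Compare the enum value rather than its ToString() text.
    if (entry.EntryType != EventLogEntryType.SuccessAudit)
    {
        return;
    }

    // Message formatting is not free; fetch it once for all branches.
    string message = entry.Message;

    switch (entry.InstanceId)
    {
        case 4624: // Successful logon
        {
            // Logon type 10 is RemoteInteractive (RDP).
            if (logonTypeOf(message) == 10)
            {
                string address = auditField(message, "Source Network Address", 0);
                // "-" is the placeholder written when no address is known; an empty field is
                // equally uninformative and is no longer logged.
                if (!string.IsNullOrEmpty(address) && !address.Contains("-"))
                {
                    w.write(date, "RDP Logon from " + address, "Remote RDP Logon");
                }
            }
            break;
        }
        case 4724: // Password change
        {
            // The first "Account Name" is the subject; the second is the account whose password changed.
            if (auditField(message, "Account Name", 0) != null)
            {
                string target = auditField(message, "Account Name", 1) ?? string.Empty;
                w.write(date, "Password was changed for " + target, "Password Change");
            }
            break;
        }
        case 4722: // User created
            // NOTE(review): in the Windows security audit catalogue 4722 is "A user account was enabled";
            // account creation is 4720. Confirm which event this branch is meant to catch.
            writeAccountChange(date, message, " created by ", "User Created");
            break;
        case 4726: // User deleted
            writeAccountChange(date, message, " deleted by ", "User Deleted");
            break;
        case 7035:
            // Service installed (needs to be implemented). Note that this branch sits under the
            // SuccessAudit check, so a Service Control Manager entry of another type never reaches it.
            break;
        case 4634: // Logoff: a type-3 (network) logoff with a source address is reported as a PsExec-style logon
        {
            if (logonTypeOf(message) == 3)
            {
                string subject = auditField(message, "Account Name", 0) ?? string.Empty;
                if (subject.Contains("ANONYMOUS LOGON"))
                {
                    break;
                }
                // assumes the 4634 message carries a "Source Network Address" field — confirm against a real entry
                string address = auditField(message, "Source Network Address", 0);
                if (!string.IsNullOrEmpty(address) && !address.Contains("-"))
                {
                    w.write(date, "PSExec Logon from " + address, "PSExec Logon");
                }
            }
            break;
        }
    }
}

/// <summary>
/// Builds and logs the "User X in domain Y {verb} Z" line shared by the 4722 and 4726 branches.
/// </summary>
/// <param name="date">Timestamp text recorded with the log entry.</param>
/// <param name="message">The audit message text.</param>
/// <param name="verb">Connector between target and actor, e.g. " created by ".</param>
/// <param name="label">Detection label passed to <c>w.write</c>.</param>
private void writeAccountChange(string date, string message, string verb, string label)
{
    // The message lists the Subject (actor) block first and the Target Account block second, which is
    // why the second "Account Name" is the affected user. The original took the *first* "Account Domain",
    // i.e. the actor's domain; the target's domain is the second occurrence, assuming the same ordering.
    string user = auditField(message, "Account Name", 1) ?? string.Empty;
    string domain = auditField(message, "Account Domain", 1) ?? string.Empty;
    string creator = auditField(message, "Account Name", 0) ?? string.Empty;

    builder.Clear();
    builder.Append("User ");
    builder.Append(user);
    builder.Append(" in domain ");
    builder.Append(domain);
    builder.Append(verb);
    builder.Append(creator);
    w.write(date, builder.ToString(), label);
}

/// <summary>
/// Returns the trimmed value of the <paramref name="occurrence"/>-th (0-based) "label:" field in an
/// audit message, or null when that many occurrences do not exist.
/// </summary>
/// <param name="message">The audit message text; null yields null.</param>
/// <param name="label">Field label without the trailing colon, e.g. "Account Name".</param>
/// <param name="occurrence">Which occurrence of the label to read (0 = first).</param>
/// <returns>The field value with surrounding whitespace (including the trailing CR) removed, or null.</returns>
private static string auditField(string message, string label, int occurrence)
{
    if (message == null)
    {
        return null;
    }

    Match m = Regex.Match(message, label + @":(.*)");
    for (int i = 0; i < occurrence && m.Success; i++)
    {
        m = m.NextMatch();
    }

    // Trim rather than delete every space: the original stripped interior spaces too, which mangles
    // account names that legitimately contain them, and it stripped "\r" in some branches but not others.
    return m.Success ? m.Groups[1].Value.Trim() : null;
}

/// <summary>
/// Parses the numeric "Logon Type" field of an audit message.
/// </summary>
/// <param name="message">The audit message text.</param>
/// <returns>The logon type, or -1 when the field is absent or not numeric.</returns>
private static int logonTypeOf(string message)
{
    string raw = auditField(message, "Logon Type", 0);
    int type;
    // TryParse instead of Convert.ToInt32: a malformed field must not throw on the EventLog thread,
    // where an unhandled exception would stop the monitor.
    return raw != null && int.TryParse(raw, out type) ? type : -1;
}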