write() 공개 메소드

public write ( string input ) : void
input string
리턴 void
예제 #1
0
        private void psexecChanged(object sender, FileSystemEventArgs e)
        {
            //73802 = Possible Meterpreter
            //15872 = Possible Psexec
            try
            {
                FileInfo f = new FileInfo(e.FullPath);

                string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();

                string detect = "";
                if (f.Length == 73802 && f.Name.Contains(".exe"))
                {
                    detect = "Likely Meterpreter Executable";
                    w.write(date, e.FullPath, detect);
                }
                else if (f.Length == 15872 && f.Name.Contains(".exe"))
                {
                    detect = "Likely PSExec Executable";
                    w.write(date, e.FullPath, detect);
                }
            }
            catch (Exception)
            {
                return;
            }
        }
예제 #2
0
        public void t_Elapsed(object sender, ElapsedEventArgs e, Process p, string date)
        {
            Timer t = (Timer)sender;

            t.Stop();

            if (p.ProcessName == "java")
            {
                if (Utilities.scanProcess(p))
                {
                    if (AntiPwny.PreventionMode)
                    {
                        builder.Clear();
                        builder.Append(p.ProcessName);
                        builder.Append(" Killed.");
                        p.Kill();

                        w.write(date, builder.ToString(), "Java Meterpreter");
                    }
                    else
                    {
                        builder.Clear();
                        builder.Append(p.ProcessName);
                        builder.Append(" memory contains java meterpreter signature.");

                        w.write(date, builder.ToString(), "Java Meterpreter Found");
                    }
                }
            }
            if (Utilities.scanProcess(p))
            {
                if (AntiPwny.PreventionMode)
                {
                    builder.Clear();
                    builder.Append(p.ProcessName);
                    builder.Append(" Killed.");
                    p.Kill();

                    w.write(date, builder.ToString(), "Meterpreter");
                }
                else
                {
                    builder.Clear();
                    builder.Append(p.ProcessName);
                    builder.Append(" memory contains meterpreter signature.");

                    w.write(date, builder.ToString(), "Meterpreter Found");
                }
            }
        }
예제 #3
0
        private void serviceEvent(object sender, EventArrivedEventArgs e)
        {
            RegistryKey   key  = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services");
            List <string> keys = new List <string>();

            foreach (string s in key.GetSubKeyNames())
            {
                RegistryKey temp = key.OpenSubKey(s);
                string      path = temp.GetValue("ImagePath") as string;
                keys.Add(s);
                if (!serviceReg.ContainsKey(s))
                {
                    serviceReg.Add(s, path);
                    string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();
                    if (path.Contains("cscript") && path.Contains(".vbs"))
                    {
                        builder.Clear();
                        builder.Append("HKLM\\System\\CurrentControlSet\\services\\");
                        builder.Append(s);
                        builder.Append(" - ");
                        builder.Append(path);

                        w.write(date, builder.ToString(), "Meterpreter Persistence Service");
                        RegistryKeyObject evt = new RegistryKeyObject();
                        evt.Key       = "HKLM\\System\\CurrentControlSet\\services";
                        evt.KeyName   = s;
                        evt.Detection = "Persistence";
                        evt.KeyType   = "Service";
                        evt.Path      = "HKLM\\System\\CurrentControlSet\\services\\" + s;
                        addRegistry(this, evt);
                    }
                    else if (path.Contains("metsvc"))
                    {
                        builder.Clear();
                        builder.Append("HKLM\\System\\CurrentControlSet\\services\\");
                        builder.Append(s);
                        builder.Append(" - ");
                        builder.Append(path);

                        w.write(date, builder.ToString(), "Metsvc Registry Entry");

                        RegistryKeyObject evt = new RegistryKeyObject();
                        evt.Key       = "HKLM\\System\\CurrentControlSet\\services";
                        evt.KeyName   = s;
                        evt.Detection = "Metsvc";
                        evt.KeyType   = "Service";
                        evt.Path      = "HKLM\\System\\CurrentControlSet\\services\\" + s;
                        addRegistry(this, evt);
                    }
                }
            }

            List <string> toremove = new List <string>();

            foreach (string s in serviceReg.Keys)
            {
                if (!keys.Contains(s))
                {
                    toremove.Add(s);
                }
            }

            foreach (string s in toremove)
            {
                serviceReg.Remove(s);
                removedEntry(this, s);
            }
        }
예제 #4
0
        /// <summary>
        /// Called Every time a new Event Log entry is written
        /// </summary>
        /// <param name="source"></param>
        /// <param name="e"></param>
        public void entryWritten(object source, EntryWrittenEventArgs e)
        {
            EventLogEntry entry = e.Entry;

            string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();

            if (entry.EntryType.ToString() == "SuccessAudit")
            {
                //Successful Logon
                if (entry.InstanceId == 4624)
                {
                    Match logonType = Regex.Match(entry.Message, @"Logon Type:(.*)");

                    if (logonType.Success)
                    {
                        int type = Convert.ToInt32(logonType.Groups[1].Value);
                        if (type == 10)
                        {
                            Match m = Regex.Match(entry.Message, @"Source Network Address:(.*)");

                            if (m.Success)
                            {
                                string key = m.Groups[1].Value;
                                key = key.Replace(" ", string.Empty);
                                key = key.Replace("\t", string.Empty);
                                key = key.Replace("\r", string.Empty);
                                key = key.Replace("\n", string.Empty);
                                if (!key.Contains("-"))
                                {
                                    w.write(date, "RDP Logon from " + key, "Remote RDP Logon");
                                }
                            }
                        }
                    }
                }
                else if (entry.InstanceId == 4724)
                {
                    //Password Change
                    Match target = Regex.Match(entry.Message, @"Account Name:(.*)");

                    if (target.Success)
                    {
                        target = target.NextMatch();
                        string key = target.Groups[1].Value;
                        key = key.Replace(" ", string.Empty);
                        key = key.Replace("\t", string.Empty);
                        key = key.Replace("\n", string.Empty);

                        w.write(date, "Password was changed for " + key, "Password Change");
                    }
                }
                else if (entry.InstanceId == 4722)
                {
                    //User Created
                    string user;
                    string domain;
                    string creator;

                    user    = Regex.Match(entry.Message, @"Account Name:(.*)").NextMatch().Groups[1].Value.Replace(" ", string.Empty).Replace("\t", string.Empty);
                    domain  = Regex.Match(entry.Message, @"Account Domain:(.*)").Groups[1].Value.Replace(" ", string.Empty).Replace("\t", string.Empty);
                    creator = Regex.Match(entry.Message, @"Account Name:(.*)").Groups[1].Value.Replace(" ", string.Empty).Replace("\t", string.Empty);

                    builder.Clear();

                    builder.Append("User ");
                    builder.Append(user);
                    builder.Append(" in domain ");
                    builder.Append(domain);
                    builder.Append(" created by ");
                    builder.Append(creator);

                    w.write(date, builder.ToString(), "User Created");
                }
                else if (entry.InstanceId == 4726)
                {
                    //User Deleted
                    string user;
                    string domain;
                    string creator;

                    user    = Regex.Match(entry.Message, @"Account Name:(.*)").NextMatch().Groups[1].Value.Replace(" ", string.Empty).Replace("\t", string.Empty);
                    domain  = Regex.Match(entry.Message, @"Account Domain:(.*)").Groups[1].Value.Replace(" ", string.Empty).Replace("\t", string.Empty);
                    creator = Regex.Match(entry.Message, @"Account Name:(.*)").Groups[1].Value.Replace(" ", string.Empty).Replace("\t", string.Empty);

                    builder.Clear();

                    builder.Append("User ");
                    builder.Append(user);
                    builder.Append(" in domain ");
                    builder.Append(domain);
                    builder.Append(" deleted by ");
                    builder.Append(creator);

                    w.write(date, builder.ToString(), "User Deleted");
                }
                else if (entry.InstanceId == 7035)
                {
                    //Service Installed (Needs to be implemented)
                }
                else if (entry.InstanceId == 4634)
                {
                    //PSExec Logoff
                    Match logonType = Regex.Match(entry.Message, @"Logon Type:(.*)");

                    if (logonType.Success)
                    {
                        int type = Convert.ToInt32(logonType.Groups[1].Value);
                        if (type == 3)
                        {
                            Match m    = Regex.Match(entry.Message, @"Source Network Address:(.*)");
                            Match user = Regex.Match(entry.Message, @"Account Name:(.*)");
                            if (!user.Groups[1].Value.Contains("ANONYMOUS LOGON"))
                            {
                                if (m.Success)
                                {
                                    string key = m.Groups[1].Value;
                                    key = key.Replace(" ", string.Empty);
                                    key = key.Replace("\t", string.Empty);
                                    key = key.Replace("\r", string.Empty);
                                    key = key.Replace("\n", string.Empty);
                                    if (!key.Contains("-"))
                                    {
                                        w.write(date, "PSExec Logon from " + key, "PSExec Logon");
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }