
Add aux module that can protect critical directories for CAPE analysis #946

Merged
merged 1 commit into from
Jun 21, 2022
Merged
4 changes: 2 additions & 2 deletions analyzer/windows/analyzer.py
Expand Up @@ -469,8 +469,8 @@ def run(self):
log.debug('Trying to start auxiliary module "%s"...', module.__name__)
aux.start()
log.debug('Started auxiliary module "%s"', module.__name__)
except (NotImplementedError, AttributeError):
log.warning("Auxiliary module %s was not implemented", module.__name__)
except (NotImplementedError, AttributeError) as e:
log.warning("Auxiliary module %s was not implemented: %s", module.__name__, e)
except Exception as e:
log.warning("Cannot execute auxiliary module %s: %s", module.__name__, e)
else:
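Review bot: The new `except (NotImplementedError, AttributeError) as e:` branch still reports any AttributeError raised inside `aux.start()` under the "was not implemented" label, so a genuine bug in a module (a mistyped attribute, a missing option) is logged the same way as a module that deliberately lacks `start()`. Appending `e` to the message helps, but the text alone does not say where the error came from; `log.warning("Auxiliary module %s was not implemented: %s", module.__name__, e, exc_info=True)` would keep the message and add the traceback so the two cases can be told apart in the analysis log. `run()` begins and ends outside this hunk.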
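--- a/analyzer/windows/modules/auxiliary/permissions.py
+++ b/analyzer/windows/modules/auxiliary/permissions.py
@@ -0,0 +1,57 @@
+import logging
+from subprocess import call, STARTUPINFO, STARTF_USESHOWWINDOW
+from threading import Thread
+from lib.common.abstracts import Auxiliary
+from lib.core.config import Config
+
+log = logging.getLogger(__name__)
+
+__author__ = "[Canadian Centre for Cyber Security] @CybercentreCanada"
+
+
+class Permissions(Auxiliary):
+    """
+    Change permissions for injected directory and Python interpreter
+    to prevent malware from messing with analysis
+    """
+
+    def __init__(self, options, config):
+        Auxiliary.__init__(self, options, config)
+        self.config = Config(cfg="analysis.conf")
+        self.enabled = self.config.file_pickup
+        self.do_run = self.enabled
+        self.startupinfo = STARTUPINFO()
+        self.startupinfo.dwFlags |= STARTF_USESHOWWINDOW
+
+    def start(self):
+        # Put locations here that you want to protect, such as the analyzer path or the Python path
+        locations = ["C:\\tmp*"]
+        log.debug("Adjusting permissions for %s", locations)
+        for location in locations:
+
+            # First add a non-inherited permission for Admin Read+Execute
+            # icacls <location> /grant:r "BUILTIN\Administrators:(OI)(CI)(RX)" "BUILTIN\\Administrators:(RX)" /t /c /q
+            modify_admin_params = [
+                "icacls",
+                location,
+                "/grant:r",
+                "BUILTIN\\Administrators:(OI)(CI)(RX)",
+                "BUILTIN\\Administrators:(RX)",
+                "/t",
+                "/c",
+                "/q",
+            ]
+            t1 = Thread(target=call, args=(modify_admin_params,), kwargs={"startupinfo": self.startupinfo})
+            t1.start()
+            t1.join(timeout=15)
+            if t1.is_alive():
+                log.warning("'Modify admin' call was unable to complete in 15 seconds")
+
+            # Then remove all inherited permissions so that only SYSTEM has Write access
+            # icacls <location> /inheritancelevel:r /t /c /q
+            inheritance_params = ["icacls", location, "/inheritancelevel:r", "/t", "/c", "/q"]
+            t2 = Thread(target=call, args=(inheritance_params,), kwargs={"startupinfo": self.startupinfo})
+            t2.start()
+            t2.join(timeout=15)
+            if t2.is_alive():
+                log.warning("'Inheritance' call was unable to complete in 15 seconds")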
1 change: 1 addition & 0 deletions conf/auxiliary.conf
Expand Up @@ -29,6 +29,7 @@ sysmon = no
tlsdump = yes
usage = no
filepickup = no
permissions = no

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].