Termux ID: Yara -->

    Social Items

Home / Yara

Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask.

Capabilities

ps
  • View full process list
  • Inspect process memory map & fetch memory strings easly
  • Dump process memory in one click
  • Automaticly search hash in public services

users
  • users list

find
  • Search for suspicious files by name/regex

netstat
  • Whois

logs
  • syslog
  • auth.log(user authentication log)
  • ufw.log(firewall log)
  • bash history

anti-rootkit
  • chkrootkit

yara
  • Scan a file or directory using YARA signatures by @Neo23x0
  • Scan a running process memory address space
  • Upload your own YARA signature

Requirements
  • Python 2.7
  • YARA
  • chkrootkit

Installation
  1. Clone repository
git clone https://github.com/intezer/linux_expl0rer
  1. Install required packages
pip install -r requirements.txt
  1. Setup VT/OTX api keys
nano config.py
Edit following lines:
VT_APIKEY = '<key>'
OTX_APIKEY = '<key>'
  1. Install YARA
sudo apt-get install yara
  1. Install chkrootkit
sudo apt-get install chkrootkit

Start Linux Expl0rer server
sudo python linux_explorer.py

Usage
  1. Start your browser
firefox http://127.0.0.1:8080
  1. do stuff

Notes


    Linux Expl0rer - Easy-To-Use Live Forensics Toolbox For Linux Endpoints


    Amber is a proof of concept packer, it can pack regularly compiled PE files into reflective PE files that can be used as multi stage infection payloads. If you want to learn the packing methodology used inside the Amber check out below.

    PS: This is not a complete tool some things may break so take it easy on the issues and feel free to contribute.

    Developed By Ege Balcı from INVICTUS/PRODAFT.

    INSTALLATION
    sudo chmod +x Setup.sh
    sudo ./Setup.sh

    USAGE
     //   █████╗ ███╗   ███╗██████╗ ███████╗██████╗ 
     //  ██╔══██╗████╗ ████║██╔══██╗██╔════╝██╔══██╗
     //  ███████║██╔████╔██║██████╔╝█████╗  ██████╔╝
     //  ██╔══██║██║╚██╔╝██║██╔══██╗██╔══╝  ██╔══██╗
     //  ██║  ██║██║ ╚═╝ ██║██████╔╝███████╗██║  ██║
     //  ╚═╝  ╚═╝╚═╝     ╚═╝╚═════╝ ╚══════╝╚═╝  ╚═╝
     //  POC Reflective PE Packer                                             

     # Version: 1.0.0
     # Source: github.com/egebalci/Amber


     USAGE: 
       amber file.exe [options]


     OPTIONS:
       
       -k, --key       [string]        Custom cipher key
       -ks,--keysize   <length>        Size of the encryption key in bytes (Max:100/Min:4)
       --staged                        Generated a staged payload
       --iat                           Uses import address table entries instead of hash api
       --no-resource                   Don't add any resource
       -v, --verbose                   Verbose output mode
       -h, --help                      Show this massage

     EXAMPLE:
       (Default settings if no option parameter passed)
       amber file.exe -ks 8

     Fileless ransomware deployment with powershell


    Multi Stage EXE deployment with metasploit stagers

    DETECTION
    Current detection rate (19.10.2017) of the POC packer is pretty satisfying but since this is going to be a public project current detection score will rise inevitably :)
    When no extra parameters passed (only the file name) packer generates a multi stage payload and performs an basic XOR cipher with a multi byte random key then compiles it into a EXE file with adding few extra anti detection functions. Generated EXE file executes the stage payload like a regular shellcode after deciphering the payload and making the required environmental checks. This particular sample is the mimikats.exe (sha256 - 9369b34df04a2795de083401dda4201a2da2784d1384a6ada2d773b3a81f8dad) file packed with a 12 byte XOR key (./amber mimikats.exe -ks 12).  The detection rate of the mimikats.exe file before packing is 51/66 on VirusTotal. In this particular example packer uses the default way to find the windows API addresses witch is using the hash API, avoiding the usage of hash API will decrease the detection rate. Currently packer supports the usage of fixed addresses of  IAT offsets also next versions will include IAT parser shellcodes for more alternative API address finding methods.

     VirusTotal (5/65)

     VirusCheckmate (0/36)

    NoDistribute (0/36)


    Amber - POC Reflective PE Packer

    Subscribe to: Posts (Atom)