Commit
Merge branch 'EricZimmerman:master' into master
vxsh4d0w authored May 20, 2024
2 parents 9492fc0 + fae63f2 commit baba209
Showing 6 changed files with 115 additions and 4 deletions.
24 changes: 24 additions & 0 deletions Modules/Apps/GitHub/PowerShell_AD_Timeline.mkape
@@ -0,0 +1,24 @@
Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.
Category: GitHub
Author: Tristan PINCEAUX - CERT CWATCH - ALMOND
Version: 1.0
Id: 6666cc62-821f-4b13-b13a-03c768b40f71
BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1
ExportFormat: csv
Processors:
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% "
ExportFormat: csv

# Documentation
# ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency).
# You can use the output of this script to determine persistance, sensitives accounts, suspicious activities...
# You need to run this script on a live domain controller.
# This script will generate four files:
# - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved.
# - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain.
# - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP.
# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog.
# https:/ANSSI-FR/ADTimeline
# https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf
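Review bot: the documentation reference `# https:/ANSSI-FR/ADTimeline` is missing the host and a slash; it should read `https://github.com/ANSSI-FR/ADTimeline` so it matches the `BinaryUrl` above it. Two spelling fixes in the same block: `persistance` should be `persistence` and `sensitives accounts` should be `sensitive accounts`. On the `CommandLine`, the four `Move-Item` globs assume the script drops `timeline_*.csv`, `logfile_*.log`, `ADobjects_*.xml` and `gcADobjects_*.xml` into the working directory KAPE launches powershell.exe from; since the documentation says the script only works on a live domain controller, the Description or a comment should say that the module produces output only when KAPE is run on the DC itself, otherwise the `Move-Item` calls report missing files and the module yields an empty export.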
46 changes: 46 additions & 0 deletions Targets/Apps/QlikSense.tkape
@@ -0,0 +1,46 @@
Description: Qlik Sense
Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND
Version: 1.0
Id: 6e979be3-4913-4d16-a508-cc3284194c2b
RecreateDirectories: true
Targets:
-
Name: Qlik Sense Logs
Category: Software
Path: C:\ProgramData\Qlik\Sense\Log\Proxy
Recursive: true
FileMask: '*.txt'
Comment: "Collects the proxy logs for Qlik Sense"

-
Name: Qlik Sense Logs
Category: Software
Path: C:\ProgramData\Qlik\Sense\Log\Proxy
Recursive: true
FileMask: '*.log'
Comment: "Collects the proxy logs for Qlik Sense"

-
Name: Qlik Sense Logs
Category: Software
Path: C:\ProgramData\Qlik\Sense\Log\Scheduler
Recursive: true
FileMask: '*.txt'
Comment: "Collects the scheduler logs for Qlik Sense"
-
Name: Qlik Sense Logs
Category: Software
Path: C:\ProgramData\Qlik\Sense\Log\Scheduler
Recursive: true
FileMask: '*.log'
Comment: "Collects the scheduler logs for Qlik Sense"

# Documentation
# Qlik Sense is a powerful business intelligence solution that enables users to visualize and analyze complex data.
# We have seen three vulnerabilities (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed Qlik solution in a recent Cactus Ransomware Campaign:
# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/
# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
# https://www.shadowserver.org/what-we-do/network-reporting/critical-vulnerable-compromised-qlik-sense-special-report/
# You can find details on the full exploit here:
# https://www.praetorian.com/blog/qlik-sense-technical-exploit/
# https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/
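Review bot: all four targets carry the identical `Name: Qlik Sense Logs`, which makes them indistinguishable in KAPE's console output and log; name them by what they collect (for example `Qlik Sense Proxy Logs (txt)`, `Qlik Sense Scheduler Logs (log)`), or, since the only difference within each pair is the `FileMask`, decide whether one target per directory is enough. The blank line that separates targets is missing between the third and fourth entries; keep the spacing consistent with the first three. `Category: Software` differs from the `ApplicationLogs` category used for application logs elsewhere in this changeset (see the `RemoteAdmin.tkape` entries), and aligning it keeps the compound targets consistent. In the documentation, `exploited on exposed Qlik solution` should read `exploited against exposed Qlik Sense instances`.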
10 changes: 6 additions & 4 deletions Targets/Apps/SupremoRemoteDesktop.tkape
@@ -1,6 +1,6 @@
Description: Supremo Remote Desktop Control Logs
Author: Sandro Heckendorn
Version: 1.0
Author: epoxigen
Version: 1.1
Id: 0d88cf87-bbc5-4bcf-bb4f-2bc9a3e300f0
RecreateDirectories: true
Targets:
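Review bot: the `Author` line is replaced rather than extended, so Sandro Heckendorn's credit for the original target disappears with the bump to `Version: 1.1`; unless `epoxigen` is the same person's handle, keep both names on the `Author` line.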
@@ -14,11 +14,13 @@ Targets:
Name: Supremo File Transfer Inbox
Category: Communications
Path: C:\ProgramData\SupremoRemoteDesktop\Inbox
Comment: "Includes all files transferred to the inbox folder during a remote session"
Comment: "Includes files transferred to the inbox folder during a remote session. See Supremo.00.FileTransfer.log"

# Documentation
# https://www.supremocontrol.com/
# Supremo Remote Desktop is a Remote Access Tool similar to TeamViewer.
# Supremo.00.Incoming.log is logging the incoming remote sessions.
# Supremo.00.ReportsQueue.log is logging device related information of remote sessions.
# Supremo.00.Client.log is logging application events such as program start/exit and the client-server-connections to the Supremo servers.
# The Inbox is the destination folder for incoming transferred files and may contain evidence of malware when the software is misused for scams and other shenanigans.
# Supremo.00.FileTransfer.log is logging file transfers between remote sessions.
# Keep in mind: Files can be transferred to any location on the remote client, not only into the Inbox folder.
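Review bot: the updated `Comment` now points readers to `Supremo.00.FileTransfer.log`, but nothing in this hunk shows a target that collects that file; please confirm the log target above (outside the visible context) covers it with its `FileMask`, otherwise the reference leads nowhere. The new documentation line that files can be transferred to any location on the remote client is the important one; consider stating its consequence directly: the Inbox target gives only a partial view, and `Supremo.00.FileTransfer.log` is the record to consult for files written elsewhere. Minor wording: `is logging` reads better as `logs` in each of the four log descriptions, and `scams and other shenanigans` could be `scams and other abuse`.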
29 changes: 29 additions & 0 deletions Targets/Apps/UEMS.tkape
@@ -0,0 +1,29 @@
Description: UEMS Manage Engine Agent
Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND
Version: 1.0
Id: 3ff43bb0-ac44-4374-ac4e-dbe104d81b60
RecreateDirectories: true
Targets:
-
Name: Unified endpoint management and security solutions from ManageEngine
Category: RMM Tool
Path: C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs
Recursive: true
FileMask: '*.log'
Comment: "Collects all logs for UEMS"

-
Name: Unified endpoint management and security solutions from ManageEngine
Category: RMM Tool
Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs
Recursive: true
FileMask: '*.log'
Comment: "Collects User logs for UEMS"

# Documentation
# https://www.manageengine.com/unified-endpoint-management-security.html
# UEMS Manage Engine Agent is a remote access tool in the ManageEngine suite.
# We have observed this tool being deployed in a recent Cactus ransomware Campaign:
# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
# https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/
# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/
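Review bot: both targets share the long `Name: Unified endpoint management and security solutions from ManageEngine`; the target name should be a short identifier (`UEMS Agent Logs`, `UEMS Agent Logs (VirtualStore)`) and the product description belongs in `Comment` or the documentation block. The second target's `Comment: "Collects User logs for UEMS"` undersells what it catches: the `C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\...` path is where UAC file virtualization redirects writes that a non-elevated process attempted under Program Files, so it holds the same agent logs written from a non-elevated context, and the comment should say so. `Category: RMM Tool` is inconsistent with `Category: ApplicationLogs` used for this same file when it is pulled in through `RemoteAdmin.tkape` in this changeset, and no other category in this diff is multi-word; use `ApplicationLogs`. In the documentation, `ransomware Campaign` needs no capital on `Campaign`.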
6 changes: 6 additions & 0 deletions Targets/Browsers/Chrome.tkape
@@ -201,6 +201,12 @@ Targets:
Path: C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\
Recursive: true
Comment: "Required for offline decryption"
-
Name: Chrome Snapshots Folder
Category: Communications
Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\Snapshots\*\
Recursive: true
Comment: "Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #."

# Documentation
# https://nasbench.medium.com/web-browsers-forensics-7e99940c579a
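Review bot: the `Comment` hedges with `appears to have`; a target comment should state what the folder is. Chrome's `User Data\Snapshots\<version>\` directories hold copies of profile data taken when the browser updates, retained so that a downgrade can restore them, which makes each subfolder an older copy of the profile's SQLite databases. Suggested wording: `Copies of profile databases that Chrome retains per version at update time; useful for recovering browsing artifacts since removed from the live profile.` One practical point: because each snapshot is a near-complete profile copy, this recursive target can add considerable volume, so a `FileMask` limited to the database files the other Chrome targets already collect would keep collections lean.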
4 changes: 4 additions & 0 deletions Targets/Compound/RemoteAdmin.tkape
@@ -89,6 +89,10 @@ Targets:
Name: TeamViewer
Category: ApplicationLogs
Path: TeamViewerLogs.tkape
-
Name: UEMS
Category: ApplicationLogs
Path: UEMS.tkape
-
Name: UltraViewer
Category: ApplicationLogs

0 comments on commit baba209