Implement initial detection and data structures for suspicious artifacts

2025-10-10 15:35:17 -04:00
commit 10b1bb7ed6
26 changed files with 2382 additions and 0 deletions
@@ -0,0 +1,36 @@
+package directory
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"rmm-hunter/internal/pkg/hunt/detect/common"
+	"strings"
+)
+
+var appData = os.Getenv("APPDATA")
+
+func Detect() []string {
+	var suspiciousDirectories []string
+
+	fmt.Printf("[*] Enumerating Suspicious Directories \n")
+	// Check for common directories
+	for _, dir := range common.CommonDirectories {
+		dir = replaceAppData(dir)
+		if _, err := os.Stat(dir); err == nil {
+			fmt.Printf("   [?] Found %s\n", dir)
+			suspiciousDirectories = append(suspiciousDirectories, dir)
+		}
+	}
+	fmt.Printf("[+] Found %d Suspicious Directories\n", len(suspiciousDirectories))
+
+	return suspiciousDirectories
+}
+
+func replaceAppData(path string) string {
+	if strings.Contains(path, "{{APPDATA}}") {
+		p := strings.Replace(path, "{{APPDATA}}", "", -1)
+		return filepath.Join(appData, p)
+	}
+	return path
+}
@@ -0,0 +1,12 @@
+package directory
+
+import "testing"
+
+func TestDetect(t *testing.T) {
+	directories := Detect()
+	for _, dir := range directories {
+		t.Logf("-----")
+		t.Logf("Directory: %s", dir)
+		t.Logf("-----")
+	}
+}