Implement initial detection and data structures for suspicious artifacts
This commit is contained in:
Evan Hosinski
@@ -0,0 +1,75 @@
|
||||
package processes
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"rmm-hunter/internal/pkg/hunt/detect/common"
|
||||
. "rmm-hunter/internal/suspicious"
|
||||
"strings"
|
||||
|
||||
"github.com/Kraken-OffSec/Scurvy/core/process"
|
||||
)
|
||||
|
||||
func Detect() []Process {
|
||||
fmt.Printf("[*] Enumerating Processes \n")
|
||||
|
||||
processes, err := process.Processes()
|
||||
if err != nil {
|
||||
fmt.Printf("[-] Error enumerating processes: %s\n", err.Error())
|
||||
return []Process{}
|
||||
}
|
||||
|
||||
fmt.Printf(" [>] Dispositioning %d Processes\n", len(processes))
|
||||
|
||||
return compareProcesses(processes)
|
||||
}
|
||||
|
||||
func compareProcesses(processes []process.Process) []Process {
|
||||
var suspiciousProcesses []Process
|
||||
|
||||
for _, proc := range processes {
|
||||
procName := proc.Executable()
|
||||
procNameLower := strings.ToLower(procName)
|
||||
|
||||
// Get full executable path if available
|
||||
var fullPath string
|
||||
if proc.Path() != "" {
|
||||
fullPath = proc.Path()
|
||||
}
|
||||
|
||||
// Check against known RMMs
|
||||
isRMMMatch := false
|
||||
for _, rmm := range common.CommonRMMs {
|
||||
rmmLower := strings.ToLower(rmm)
|
||||
if strings.Contains(procNameLower, rmmLower) {
|
||||
isRMMMatch = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// Check for suspicious path
|
||||
isPathSuspicious := false
|
||||
pathReason := ""
|
||||
if fullPath != "" {
|
||||
isPathSuspicious, pathReason = common.AnalyzeExecutablePath(fullPath)
|
||||
}
|
||||
|
||||
if isRMMMatch || isPathSuspicious {
|
||||
args := ""
|
||||
if isPathSuspicious {
|
||||
args = fmt.Sprintf("[%s]", pathReason)
|
||||
}
|
||||
|
||||
fmt.Printf(" [?] Found %s\n", procName)
|
||||
suspiciousProcesses = append(suspiciousProcesses, Process{
|
||||
Name: procName,
|
||||
PID: proc.Pid(),
|
||||
PPID: proc.PPid(),
|
||||
Path: fullPath,
|
||||
Args: args,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
fmt.Printf("[+] Found %d Suspicious Processes\n", len(suspiciousProcesses))
|
||||
return suspiciousProcesses
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
package processes
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestDetect(t *testing.T) {
|
||||
processes := Detect()
|
||||
for _, proc := range processes {
|
||||
t.Logf("-----")
|
||||
t.Logf("Name: %s", proc.Name)
|
||||
t.Logf("PID: %d", proc.PID)
|
||||
t.Logf("PPID: %d", proc.PPID)
|
||||
t.Logf("Path: %s", proc.Path)
|
||||
t.Logf("-----")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user