Implement initial detection and data structures for suspicious artifacts
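--- /dev/null
+++ b/detect.go
@@ -0,0 +1,54 @@
+package scheduledTasks
+
+import (
+"fmt"
+"rmm-hunter/internal/pkg/hunt/detect/common"
+. "rmm-hunter/internal/suspicious"
+"strings"
+"time"
+
+schTasks "github.com/Kraken-OffSec/Scurvy/core/scheduledTasks"
+)
+
+func Detect() []*ScheduledTask {
+fmt.Printf("[*] Enumerating Scheduled Tasks \n")
+tasks, err := schTasks.ListTasks()
+if err != nil {
+fmt.Printf("[-] Error enumerating scheduled tasks: %s\n", err.Error())
+return []*ScheduledTask{}
+}
+fmt.Printf(" [>] Dispositioning %d Scheduled Tasks\n", len(tasks))
+
+return compareTasks(tasks)
+}
+
+func compareTasks(tasks []schTasks.TaskInfo) []*ScheduledTask {
+var suspiciousTasks []*ScheduledTask
+
+for _, task := range tasks {
+for _, rmm := range common.CommonRMMs {
+rmmLower := strings.ToLower(rmm)
+taskNameLower := strings.ToLower(task.Name)
+if strings.Contains(taskNameLower, rmmLower) {
+fmt.Printf(" [?] Found %s\n", task.Name)
+suspiciousTasks = append(suspiciousTasks, &ScheduledTask{
+Name: task.Name,
+Author: task.Author,
+LastRun: task.LastRun.Format(time.RFC3339),
+NextRun: task.NextRun.Format(time.RFC3339),
+LastResult: task.LastResult,
+CreatedDate: task.CreationDate.Format(time.RFC3339),
+State: task.State,
+Path: task.Path,
+Description: task.Description,
+ModifiedDate: "",
+Enabled: task.Enabled,
+})
+break
+}
+}
+}
+
+fmt.Printf("[+] Found %d Suspicious Scheduled Tasks\n", len(suspiciousTasks))
+return suspiciousTasks
+}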
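Review bot: The match in compareTasks keys only on task.Name, so a task that launches an RMM agent under an arbitrary or renamed task name is never flagged, while any benign task whose name happens to contain a short RMM token is; if Scurvy's TaskInfo exposes the task action (executable path and arguments), matching the lowercased action alongside `strings.ToLower(task.Name)` would make the heuristic much harder to evade by simple renaming. The enumeration failure path in Detect prints the error and returns an empty slice, which callers cannot tell apart from a clean host, so a scan that failed to read the Task Scheduler is reported as "no suspicious tasks found"; surfacing the failure (a second error return or a marker the caller can check) would keep the tool from silently under-reporting. `taskNameLower := strings.ToLower(task.Name)` is recomputed for every entry in CommonRMMs and can be hoisted above the inner loop. `ModifiedDate: ""` is hard-coded with no explanation; a comment such as `// ModifiedDate: not exposed by schTasks.TaskInfo, left empty` would stop the next reader from treating it as a bug, assuming that is in fact the reason.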
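--- /dev/null
+++ b/detect_test.go
@@ -0,0 +1,22 @@
+package scheduledTasks
+
+import "testing"
+
+func TestDetect(t *testing.T) {
+tasks := Detect()
+for _, task := range tasks {
+t.Logf("-----")
+t.Logf("Name: %s", task.Name)
+t.Logf("Author: %s", task.Author)
+t.Logf("LastRun: %s", task.LastRun)
+t.Logf("NextRun: %s", task.NextRun)
+t.Logf("LastResult: %s", task.LastResult)
+t.Logf("CreatedDate: %s", task.CreatedDate)
+t.Logf("State: %s", task.State)
+t.Logf("Path: %s", task.Path)
+t.Logf("Description: %s", task.Description)
+t.Logf("ModifiedDate: %s", task.ModifiedDate)
+t.Logf("Enabled: %t", task.Enabled)
+t.Logf("-----")
+}
+}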
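Review bot: TestDetect contains no assertions, so it passes regardless of what Detect returns, including when ListTasks fails and the error is only printed; as written it is a manual smoke test rather than a regression test. It also enumerates the real Task Scheduler of whatever machine runs `go test`, so it is host-dependent and will behave differently on CI or non-Windows hosts; gating it with `if runtime.GOOS != "windows" { t.Skip("requires the Windows Task Scheduler") }` (adding a `runtime` import) or `if testing.Short() { t.Skip() }` would make that explicit. The `%s` verbs assume every logged field is a string; if LastResult or State are not strings in ScheduledTask the log will contain `%!s(...)` noise, which is worth confirming against the struct definition, which is not part of this commit. A doc comment such as `// TestDetect is a host-dependent smoke test: it logs whatever Detect flags on this machine and asserts nothing.` would set expectations for whoever runs it.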