package processes
import (
"fmt"
"rmm-hunter/internal/pkg/hunt/detect/common"
. "rmm-hunter/internal/suspicious"
"strings"
"github.com/Kraken-OffSec/Scurvy/core/process"
)
// Detect enumerates the running processes on the host and returns the ones
// that compareProcesses dispositions as suspicious. Progress and errors are
// printed to stdout. When enumeration fails the error is printed and an
// empty (non-nil) slice is returned so callers can range over it safely.
func Detect() []Process {
	fmt.Printf("[*] Enumerating Processes \n")

	// Empty, non-nil result is the contract on enumeration failure.
	found := []Process{}

	procs, err := process.Processes()
	switch {
	case err != nil:
		fmt.Printf("[-] Error enumerating processes: %s\n", err.Error())
	default:
		fmt.Printf(" [>] Dispositioning %d Processes\n", len(procs))
		found = compareProcesses(procs)
	}

	return found
}
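// compareProcesses dispositions every enumerated process against the known
// RMM executable names in common.CommonRMMs and against
// common.AnalyzeExecutablePath, and returns the processes that hit either
// check.
//
// A process is flagged when its lowercased executable name contains any
// lowercased, non-empty entry of common.CommonRMMs (a substring match, so a
// short entry can also hit unrelated binaries), or when its executable path
// is reported as suspicious. The path check only runs when a path is
// available. The returned Process.Args carries the reason(s) in square
// brackets — the RMM entry that matched and/or the path reason — so a
// finding is explainable downstream. Returns nil when nothing is flagged.
func compareProcesses(processes []process.Process) []Process {
	// Lowercase the RMM list once rather than once per process: it is
	// loop-invariant. Empty entries are dropped because strings.Contains
	// with an empty needle is always true and would flag every process.
	rmmNames := make([]string, 0, len(common.CommonRMMs))
	for _, rmm := range common.CommonRMMs {
		if lower := strings.ToLower(rmm); lower != "" {
			rmmNames = append(rmmNames, lower)
		}
	}

	var suspiciousProcesses []Process

	for _, proc := range processes {
		procName := proc.Executable()
		procNameLower := strings.ToLower(procName)

		// Full executable path; empty when the enumerator could not resolve it.
		fullPath := proc.Path()

		// Check against known RMMs, remembering which entry matched so the
		// finding can be explained.
		matchedRMM, isRMMMatch := matchKnownRMM(procNameLower, rmmNames)

		// Check for a suspicious path only when a path is available.
		isPathSuspicious := false
		pathReason := ""
		if fullPath != "" {
			isPathSuspicious, pathReason = common.AnalyzeExecutablePath(fullPath)
		}

		if !isRMMMatch && !isPathSuspicious {
			continue
		}

		// Collect every reason the process was flagged; an RMM-only hit
		// previously produced an empty Args, which hid why it was reported.
		var reasons []string
		if isRMMMatch {
			reasons = append(reasons, "rmm match: "+matchedRMM)
		}
		if isPathSuspicious {
			reasons = append(reasons, pathReason)
		}
		args := fmt.Sprintf("[%s]", strings.Join(reasons, "; "))

		fmt.Printf(" [?] Found %s\n", procName)
		suspiciousProcesses = append(suspiciousProcesses, Process{
			Name: procName,
			PID:  proc.Pid(),
			PPID: proc.PPid(),
			Path: fullPath,
			Args: args,
		})
	}

	fmt.Printf("[+] Found %d Suspicious Processes\n", len(suspiciousProcesses))
	return suspiciousProcesses
}

// matchKnownRMM returns the first entry of rmmNames (already lowercased)
// that is a substring of nameLower, and whether any entry matched.
func matchKnownRMM(nameLower string, rmmNames []string) (string, bool) {
	for _, rmm := range rmmNames {
		if strings.Contains(nameLower, rmm) {
			return rmm, true
		}
	}
	return "", false
}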